How to Prepare Your Team for the Future of DevSecOps
May 17, 2022

Jayne Groll
DevOps Institute

DevSecOps rose to the forefront of IT transformation journeys when enterprise organizations rapidly moved their operations and development to the cloud in 2020. IT decision-makers today understand that security must be a top priority as the cloud has opened the door to new software vulnerabilities and cybersecurity threats. Leaders looking to prepare for the future of DevSecOps need to understand what will set them up for success and help harden IT security practices.

DevOps Institute Ambassadors include some of the top security experts in IT. I reached out to see how they think leaders can best prepare their teams for DevSecOps. Here are the top answers, tips and advice I received:

Helen Beal, Chief Ambassador, DevOps Institute

"The future of DevSecOps is that it becomes redundant, either part of DevOps or just how we work. You prepare your team by helping them understand that security is part of their job, learning what they need to, automating what you can, and providing the capability for continuous improvement."

Tracy Ragan, CEO and Co-founder, DeployHub

"DevSecOps covers the full landscape of hardening our cybersecurity. How you prepare determines where you are in the ecosystem. Development teams need to get serious about knowing what open-source libraries they are consuming, acting upon the data discovered in SBOMs and CVEs, and sorting out ways to expose this information so everyone is aware of the software supply chain. Testing teams will need to spend more time and money on penetration testing, while production teams focus on Chaos Engineering and respond to outages. Everyone has a new list of 'honey-dos' to better respond to the 'bad actors' in the digital world. Building a comprehensive plan is the first step for everyone."

Vishnu Vasudevan, Head of Product at Opsera

"Consider a policy-based pipeline approach that bakes security, quality and compliance gates into the software delivery lifecycle. To implement this approach, security teams need to create policies that are automatically incorporated into the CI/CD pipeline and encourage developers to source the software components (open source or otherwise) and libraries that are being used. Having a policy-based pipeline ensures every piece of code being promoted runs through a complete scan and will be stopped based on the policies set by the security team.

This DevSecOps approach allows businesses to validate their security and compliance against their organization’s goals. It will provide an opportunity to continuously improve on their goals around security to avoid hefty penalties as a result of an audit, legal and compliance. Policy-based pipelines can also help to provide visibility across different personas from development, operations team and executives on the DevSecOps KPIs."

Najib Radzuan, Principal, Digi Telecommunications

"The COVID-19 pandemic circa 2020 made most companies move into the cloud or digitalize most of their teams and operations. Hence, it also opens up vulnerabilities and more opportunities for the attacker/hacker to penetrate the newbies. Thus, people have started talking more about cybersecurity. Therefore, the DevSecOps topic is also the main topic for most IT companies now.

The organization can prepare its team with two options:

■ Create an upskilling program that sends their internal team or InfoSec/AppSec to learn about DevSecOps. They need to be vigilant by learning DevSecOps skills that automatically run all the security scans and auto-harden their environment/servers.

■ Hire a DevSecOps "champion" or DevSecOps expert who can convert the current team into a DevSecOps team."

Marc Hornbeek, CEO and Principal Consultant, Engineering DevOps Consulting

"As organizations master DevOps practices, DevSecOps becomes even more important. Accelerated continuous delivery can increase an organization’s risk profile unless security is fully integrated into the delivery pipelines. Any organization embracing DevOps and has security risks need to ensure their teams are trained on secure coding and DevSecOps practices."

Parveen Arora, Founder and Director, VVnt SeQuor

"In the recent years, we have seen a shift in the technology industry and how DevOps practices have scaled to include security into the mainstream, with dev and security teams collaborating to enable the rapid release of the secure software. To stay competitive in this digital economy, organizations are increasingly competing on time-to-market. With the growth in Agile environments, organizations need to facilitate high-speed solution delivery and secure delivery.

Traditional cybersecurity methods, i.e., having security at the perimeter, network, endpoint, data, and security checks at the final stages of the software development lifecycle (SDLC), and regular sen-test and vulnerability assessments are not sufficient anymore. DevSecOps is no longer optional, and soon, every organization will adopt this with upskilling on their workforce.

Our software developers also need to learn agile development with more security focus in the future. This is a natural evolution toward DevSecOps as a standard for software development. For those looking to break into the industry, learning a top programming language will still be highly relevant. Still, it will need to be put into practice within a security-focused development and deployment environment. Cybersecurity professionals should focus on infrastructure-as-code from an enterprise-wide perspective, which will be critical for successful business operations."

A common thread among these responses is tied to upskilling the team for DevSecOps. One way to upskill is to take DevSecOps certification courses.

Or, you can advance your skills by joining DevOps Institute for SKILup Day on Thursday, May 19, 2022, to access a full day of DevSecOps learning. Attend to network with peers and listen to practical, "how-to" sessions from leading IT security experts. Set up your DevSecOps practice for success and register here.

Jayne Groll is CEO of DevOps Institute
Share this

Industry News

September 27, 2022

DevOps Institute will host SKILup Festival in Singapore on November 15, 2022.

September 27, 2022

Delinea announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams.

September 27, 2022

The Apptainer community announced version 1.1.0 of the popular container system for secure, high-performance computing (HPC). Improvements in the new version provide a smaller attack surface for production deployments while offering features that improve and simplify the user experience.

September 26, 2022

Secure Code Warrior unveiled Coding Labs, a new mechanism that allows developers to more easily move from learning to applying secure coding knowledge, leading to fewer vulnerabilities in code.

September 26, 2022

ActiveState announced the availability of the ActiveState Artifact Repository.

September 26, 2022

Split Software announced the availability of its Feature Data Platform in the Microsoft Azure Marketplace.

September 22, 2022

Katalon announced the launch of the Katalon Platform, a modern and comprehensive software quality management platform that enables teams of any size to easily and efficiently test, launch, and optimize apps, products, and software.

September 22, 2022

StackHawk announced its Deeper API Security Test Coverage release.

September 21, 2022

Platform9 announced the launch of its latest open source project, Arlon.

September 21, 2022

Redpanda Data announced Redpanda Console.

September 21, 2022

mabl announced its availability as a private listing on Google Cloud Marketplace.

September 21, 2022

Zesty announced a $75 million Series B funding round led by B Capital and Series A investor Sapphire Ventures.

September 20, 2022

Opsera, the Continuous Orchestration platform for DevOps, announced a free trial of its no-code Salesforce Release Management platform for fast and secure Salesforce releases.

September 20, 2022

Sysdig announced ToDo and Remediation Guru.

September 20, 2022

AutoRABIT announced CodeScan Shield.