Within our industry, we often hear the term ‘DevSecOps’ mentioned when discussing modern application development (MAD). DevSecOps is a methodology that not only promotes the unification of development and operations but also introduces security earlier in the software development lifecycle. Terms like DevOps and DevSecOps are often misused by organizations. We commonly find organizations using DevOps or DevSecOps in titles for individuals or teams when, in many cases, the role is actually focused on tool integration or CI/CD pipeline maintenance. DevOps and DevSecOps are concepts that should be adopted by the whole organization, not a role for an individual or team to execute.
It is not enough to acquire tools and integrate them into our processes; we must also mold the organizational culture into an agile environment. To achieve that, the way we measure performance needs to be revisited. We can no longer measure a developer purely on speed of delivery; we need to measure what is delivered and how it impacts the organization. For example, a developer who delivers a feature quickly but in a way that only works for that particular codebase is not as agile as one who takes a little more time but creates code that can be reused across multiple projects. Our objective is to increase revenue, productivity, and intangible benefits (e.g., employee and customer satisfaction). With that in mind, we need to define the workflows that can help us achieve those objectives, determine what tools will enable us to follow those workflows, and create a social system that allows us to use those tools and execute the workflows.
Defining the workflow is the most important step. The majority of workflow problems are related to processes, not people [1], yet most of the time, we blame the people. Once we have defined the required workflow, we must build a social system that enables it. This social system needs to take into consideration the existing capabilities, skill sets, organizational structure, and motivation within the organization, while also identifying what gaps exist in these areas and how to resolve them. The performance of an organization depends largely on the performance of its people [1].
A social system includes everything related to the performance of human beings: how information flows, how decisions are made, the motivators, the necessary training, the organizational structure, and so on. It is basically how people are organized and how their talents and abilities are put to use to achieve an atmosphere of continuous improvement. People must focus on what really delivers value and on what is essential to maintain a continuous workflow without loss of time, effort, or value to the organization.
We do not seek to change who people are, but rather to influence how they behave: their feelings, their way of thinking, and the norms they follow.
DevSecOps is a culture whose goal is to add value in an agile and continuous manner. Failure is part of the job: if you never fail, there is no innovation. There are many cases where people failed and caused significant losses, but at the end of the day, they created something new and innovative that resulted in large profits.
To successfully embrace the DevSecOps culture within the organization, we must aim to align our developer, security, and operations teams to a common organizational goal. As such, we need to define key performance indicators (KPIs) to measure the efficacy of our program and these KPIs need to account for the following internal processes:
- App design
- Secure coding
- Code build
- Threat modeling
- Deploy software
- Security and configuration validation
- Risk assessments
Having an automated tool that can assist in multiple KPIs is very important because it provides certainty, scalability, visibility, and speed. Checkmarx One, our comprehensive application security platform, fits perfectly in DevSecOps environments, providing the speed, visibility, and scalability that developers need and the accuracy that security expects. Checkmarx One can help measure and track DevSecOps KPIs, such as:
- Policy compliance
- Remediation rate
- Number of defects in production
- Triage time
- Average build time
- Merge time
- Number of bugs by severity
- Percentage of modeled artifacts
- Number of deviations
- Sources of information external to the organization
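The following is an added example, not code from the original post or from Checkmarx One, showing how several of the KPIs above (number of bugs by severity, remediation rate, triage time, number of defects in production, and policy compliance) can be rolled up from scanner findings and turned into a pass/fail gate for a pipeline. The `Finding` record, the `MAX_OPEN` and `SLA_DAYS` policy thresholds, and the sample findings are all constructed for illustration; a real pipeline would read the findings from the scanner's export or API and set thresholds per the organization's policy.

```python
"""KPI roll-up over a constructed set of SAST findings (added example, not Checkmarx code)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Field names are assumed for this example."""
    id: str
    severity: str                  # "critical" | "high" | "medium" | "low"
    found_at: datetime
    triaged_at: Optional[datetime]  # None until someone looks at it
    fixed_at: Optional[datetime]    # None while the finding is still open
    in_production: bool            # True if the affected code is deployed


# Constructed sample data; real data would come from the scanner's export or API.
T0 = datetime(2024, 3, 1, 9, 0)
FINDINGS = [
    Finding("CX-1", "critical", T0, T0 + timedelta(hours=2), T0 + timedelta(days=1), False),
    Finding("CX-2", "high", T0, T0 + timedelta(hours=4), None, True),
    Finding("CX-3", "high", T0 + timedelta(days=1), T0 + timedelta(days=1, hours=8),
            T0 + timedelta(days=3), False),
    Finding("CX-4", "medium", T0 + timedelta(days=2), None, None, True),
    Finding("CX-5", "low", T0 + timedelta(days=2), T0 + timedelta(days=2, hours=1), None, False),
]
NOW = T0 + timedelta(days=10)

# Assumed policy: maximum open findings per severity, and how long each may stay open.
MAX_OPEN = {"critical": 0, "high": 0, "medium": 5, "low": 20}
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


def open_findings(findings):
    return [f for f in findings if f.fixed_at is None]


def bugs_by_severity(findings):
    """Open findings grouped by severity."""
    return dict(Counter(f.severity for f in open_findings(findings)))


def remediation_rate(findings):
    """Share of all findings that have been fixed; 0.0 when there is nothing to measure."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed_at is not None) / len(findings)


def mean_triage_hours(findings):
    """Average hours from detection to triage, over triaged findings only."""
    hours = [(f.triaged_at - f.found_at).total_seconds() / 3600
             for f in findings if f.triaged_at is not None]
    return mean(hours) if hours else 0.0


def defects_in_production(findings):
    return sum(1 for f in open_findings(findings) if f.in_production)


def policy_violations(findings, now):
    """Reasons the build should fail under MAX_OPEN/SLA_DAYS; an empty list means compliant."""
    reasons = []
    counts = Counter(f.severity for f in open_findings(findings))
    for sev, limit in MAX_OPEN.items():
        if counts[sev] > limit:
            reasons.append(f"{counts[sev]} open {sev} finding(s) exceeds limit of {limit}")
    for f in open_findings(findings):
        age = now - f.found_at
        if age > timedelta(days=SLA_DAYS[f.severity]):
            reasons.append(f"{f.id} ({f.severity}) open {age.days} days, SLA is {SLA_DAYS[f.severity]}")
    return reasons


def kpi_report(findings, now):
    """Dashboard-style summary; 'compliant' is the value a CI gate would branch on."""
    violations = policy_violations(findings, now)
    return {
        "bugs_by_severity": bugs_by_severity(findings),
        "remediation_rate": remediation_rate(findings),
        "mean_triage_hours": mean_triage_hours(findings),
        "defects_in_production": defects_in_production(findings),
        "policy_violations": violations,
        "compliant": not violations,
    }


if __name__ == "__main__":
    report = kpi_report(FINDINGS, NOW)
    for key, value in report.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if report["compliant"] else 1)
```

Run as a pipeline step, the exit code enforces the policy (the open high-severity finding and the overdue CX-2 both fail the gate in the sample data), while the same numbers feed the KPI dashboard so the security team and the developers are measured against one definition rather than two.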
Do not just integrate tools. Focus on the human side, provide tools that enable people to excel, and provide the necessary KPIs for the organization to have a continuous flow toward its goals.
[1] Lawrence, M. (2022). Lean Leadership Skills, Lean Culture & Lean Management [lecture]. Udemy.com. https://udemy.com