The Struggle of DevSecOps: Takeaways from DevSecCon Singapore 2019
According to Gartner, DevSecOps is becoming one of the hottest topics. But how many IT practitioners understand it? No, it is not DevOps itself; it doesn’t talk about how to shift from the traditional waterfall dev to scrum-based agile development. Nor is it a pure security topic. So, how would a DevSecOps conference differ from the usual security and DevOps events?
In February, I found out. I attended DevSecCon in Singapore. The attendees and speakers were split between security and development professionals, so it was a really good mix between these two camps. Let me share three takeaways from the sessions I attended (with some selected quotes from developers at the conference, as well):
Dev culture change
“Every dev should take security training.”
“IT security is the responsibility of everyone.”
They also said that, while developers usually don't prioritize security, they really do need to fit into the security world. The developers introduced several challenges with securing apps and explored how they can leverage security in their culture or style. The overall sentiment was in favor of infusing security teams into their projects. Someone even suggested: “Security teams should be in customer meetings as early as they can, so that they won’t need to go back later to find the challenges.”
Security culture change
“We security professionals should try to be technicians, not just pointing fingers at developers.”
“I feel that security teams are not good at automating processes. They tend to default to manual processes.”
“We suggest security teams start by building a relationship with development teams.”
These three comments suggest that security practitioners can and should be part of development teams. I would say the struggle the security teams shared was the other side of the coin: security staff want to know how they can be better advocates for DevOps projects. They know they shouldn’t be a blocker for development and that they also need to implement some of the toolchains or processes DevOps uses. This is why “Shift left” – the idea that seemed to be a big topic in RSA Conference SFO 2019 as well – was mentioned widely at this event. It is necessary not only because security professionals want to elevate their value, but also because they see it as the only way they can adapt to the digital business era.
Talent
“Organizations tends to hire more developers, while forgetting to hire security people. As a result, scaling security teams becomes an issue.”
“Lack of application security talent is the root cause. Most of those who apply for app security positions are network security people.”
Another issue that was highlighted was the shortage of resources and talent. As you can see from these comments, application security positions are not easy to fill. Security teams struggle to scale while their organizations focus on accelerating development to fulfill business needs. Of course, toolchain and automation should fill this gap by making the security team’s job scalable and faster. I felt that should be just the first phase. In the long run, both DevOps and security jobs should be simplified enough so that both DevOps and security talent can do both roles.
***
The culture within this space isn't easy to change, but everyone knows it must. It was interesting to see how speakers from both security and development teams had common themes, struggles, and suggestions. The shared idea: it's about how developers and security people unite as a single team with the same goals. The good news is that many toolchain vendors and solution providers now focus on this simplified approach. It's a kind of democratization of software engineering technologies, as well as security solutions. So, we are all moving toward this direction.