Recently I sat down with Alan Shimel of DevOps.com and discussed security, DevOps, and how it all fits together. It was a fun conversation and I always enjoy talking with Alan and the fine folks over at DevOps.com. The entire conversation and transcript are available online, but there were a couple points that really stood out to me.
First, we discussed the major shift that security needs to make to join DevOps through DevSecOps (or whatever you want to call it). Security needs to never say “no” again. Every organization that has high performing DevSecOps practices teams has gone through the process of tearing up the security playbook of “no.” Instead, they say, “if you are a blocker, everyone in the organization is going to route around you.” In these teams and companies, security is finding a way to add value.
The second point we discussed was, what can we do in 2019 to spread the awareness and use of DevSecOps? The answer: be able and ready to instrument all layers of the stack with security telemetry to provide feedback that spans developers, operations and security teams. With democratized security data, you can multiply the effectiveness of your program. When we started DevSecOps, we did a lot of shifting left, but in 2019 we are going to see the shift right where we amplify feedback and add security observability to our systems.
If you want to hear Alan’s recommendations on how exactly to get DevSecOps working for you, then be sure to check out the entire conversation over at devops.com.