It is heretical to state the truth, but DevSecOps is just another empty buzzword. At best, for most firms, it is an ‘aspiration’, part of the rainbows-and-puppy-dogs future they say they wish to embrace. In reality DevSecOps – Development-Security-Operations – does not exist on most IT projects run with Agile-Scrum. It is Yet Another Buzzword, or YAB. Most firms and projects are not Google or Netflix. The vast majority have nothing approaching DevSecOps, and in many cases they don’t need it. They lack the following:
- A long-lived product, for instance Google Maps, the amazon.com feature set, or a Netflix genre
- A long-lived IT delivery and support team, which cannot exist without a long-lived product
- Clear product requirements and a compelling, funded product road-map supported by the Business, making DevOps a long-term necessity rather than a one-off
- A mature understanding and implementation of Agile-Scrum. The overwhelming majority of firms do not really understand these concepts, nor how Agile processes and engineering practices affect ‘DevSecOps’ teams, the culture and the organisation at large
- Any true comprehension of tooling, automation and testing, including security testing (specialist skills)
- Data models that are mapped, understood, optimised and clean
- Security SMEs at the various layers of the stack, from network to application, embedded on the teams (specialist skills)
- A co-located team. Many instead run GDAD models (geographically distributed agile development) with Indian or other offshore locations. Agile does not work very well with GDAD; this is a factual data point that I have correlated across many studies and projects.
DevSecOps is not easy. It is a long-term effort and investment, and it must reflect the reality of the project or product, the DevOps model the firm actually uses, and the firm’s culture, organisation and skill set.
What the buzzword hides is that development and coding is a discipline quite distinct from operational management, and that both are distinct again from security: of the application, the database, the network perimeter and subnets, and the code and other repositories. It is of course possible to cross-train engineers to understand and deal with both operational and security issues. But that means training, a long-term view, and a long-term product or project to justify it. In reality, most firms throw a build deployment over the wall to Operations and say ‘there you go, make sure it does not fall over’. Security may or may not have been involved at any point in the delivery process, and if it was not, the first security review the system ever gets happens in production.