While at the conference I asked attendees point blank if they think that security and DevOps should be in couples counseling. The universal response was a laugh and then a resounding, “Yes.”
The reason couples go to counseling is because they’re not getting along. They’re not communicating. Usually, only the two people in the relationship can see what’s happening, but with the relationship between security and DevOps, everyone can see there’s a problem.
The lack of communication is stifling business productivity. Yes, DevOps may have built itself into a well-oiled machine, but without security working alongside, even at the earliest stages of development, that impressive run of fast-paced software and site updates can come to a screeching halt.
The problem stems from a lot of “old world” thinking about security. For so long security has been seen as an inhibitor, the enemy, the last people you want to speak with to get your work done. And likewise, security has held onto dated beliefs of developers, like they create code for speed of production and not security.
But the reality is developers do want to write secure code. They want to be proud of their work and they are eager to listen to security provide parameters, advice, and instruction on how to do their job better. And likewise, security has lots to learn about the production flow and speed of DevOps. They can wipe away that “inhibitor” moniker and replace it with “enabler” as they learn to insert themselves into the pipeline so as to keep operations still moving quickly, but now securely.
But none of that is going to happen until they sit down together and talk, preferably with a mediator, something like a couples counselor.
For more insight on creating a smooth DevSecOps operation, read “20 Ways to Make AppSec Move at the Speed of DevOps.”