Cultural context is crucial for DevSecOps success

How to adopt a DevSecOps methodology: Start by taking a look at culture

Mike D. Kail

The major barrier between you and a DevSecOps approach isn’t technology. It’s company culture. In this article, Mike D. Kail explains how companies can successfully transition to a DevSecOps methodology.

Thousands of data breaches occur each year, largely a result of source code and application-level vulnerabilities. This past year, we witnessed the massive Equifax data breach, which occurred due to a vulnerability in Apache Struts that the company failed to patch, along with the WannaCry ransomware that relied on a flaw in Windows code to infect computers. Yet, overall approaches to application security continue to lag behind other next-generation security solutions.

Unfortunately, these types of attacks will continue until organizations integrate application security into the software development lifecycle, a trend many in the industry refer to as “shifting left”, and what I call DevSecOps. Similar to DevOps, whose core tenets are collaboration, automation, measurement and sharing, DevSecOps aims to drive greater collaboration between DevOps and SecOps teams through automatic and continuous code analysis and vulnerability scans. As a result, both teams gain greater visibility into all aspects of the security tool chain, thereby reducing an organization’s overall risk exposure.


DevSecOps starts with a culture shift

Today, the biggest barrier to DevSecOps is culture, not technology. Traditionally, security teams work separately from the development teams as they don’t often speak the same language. Security teams are often associated with fear, uncertainty and doubt, whereas development teams are more concerned with delivering new features and functionality at an extremely high velocity. To successfully transition to a DevSecOps methodology, both teams must be willing to make application security an integrated strategy and continue to drive security awareness for developers.

One organization that has made a successful transition to DevSecOps is the Dana Foundation. After moving to the cloud three years ago, the company realized its traditional Waterfall approach to development would no longer keep up, and at the same time, would challenge the company’s ability to maintain a strict security posture. It found DevSecOps not only enabled a leaner software development cycle, but offered continuous security monitoring and assurance at the same time. As a result, the company enjoys more efficient security testing as well as a unified software development process that integrates DevOps methodology with security.

Even though developers may at first be hesitant to incorporate security into software development for fear that it might interrupt their process, automation can be employed to seamlessly integrate security measures into every step of development. It’s also important to consider having the CIO or CISO lead by example and demonstrate the benefits of DevSecOps to not only individual security and development teams, but the executive team as well.

The upsides to DevSecOps

Automation is a key component of DevSecOps, and its ability to allow teams to take a continuous approach to security is one of its many advantages. Cytobank, a cloud-based biomedical research platform, was able to free up its developers and security teams to focus on more strategic initiatives as a result of employing this type of methodology. At the same time, the company ensured alignment with necessary, but often complex, regulatory and compliance standards required by its leading pharmaceutical customers.

Another upside to DevSecOps is its ability to identify vulnerabilities and defects early on in the application development process, increasing overall visibility into a company’s security posture.

While hackers have long enjoyed the advantages of speed, automation and sheer force of will, DevSecOps flips an organization’s security from the defensive to the offensive. Only by integrating a more automated and constant approach, will companies be able to mimic the behavior of hackers, and therefore, begin thwarting their attacks.


Mike D. Kail

Mike D. Kail is the Chief Technology Officer and a member of the Founding Team at

Follow him on Twitter @mdkail
