5 Myths of Adopting DevSecOps in Government Agencies
Written by Jimmy Pham and Martin Folkoff
Written by Jimmy Pham and Martin Folkoff
More federal organizations are incorporating DevOps into their software development and operations lifecycle—with security integration being a critical part of the approach. DevSecOps ensures that suitable security tools and processes are baked into the software delivery lifecycle. It holds much promise for transformational change through increased collaboration and enhanced performance among development, security, and operations teams.
What’s appealing about DevSecOps is the true realization of Agile principles to integrate quality, security, and repeatability throughout the iterative software development and delivery process.
Yet some government organizations have preconceived notions about what DevSecOps is, and the challenges they face in adopting it within their organizations. We break down those assumptions and get to the truth about DevSecOps. Here are five key myths about DevSecOps adoption—and the reality.
Myth No. 1: You don’t need Agile to do DevSecOps. It can replace Agile.
The Reality: Agile and DevSecOps are not one in the same—they need to coexist. Agile provides the fundamentals as teams embrace collaboration and constant feedback in an iterative software development process. DevSecOps picks up when Agile leaves off—providing the tools and methodologies necessary to make agile adjustments meaningful to the business.
Myth No. 2: Adopting DevSecOps means “giving up control.” With manual processes, our security and operations engineers can effectively regulate technology requirements, permissions, and access. They’ll lose that ability if we implement DevSecOps.
The Reality: Automation with DevSecOps means you’re actually gaining more consistency in terms of compliance. Instead of giving up control, you’re able to enforce the required access controls and activities more effectively than with manual processes.
Myth No. 3: DevSecOps is all about speed, letting us deploy anytime, anywhere, and in any way. In our organization, we’ll be able to quickly churn out software with continuous integration/continuous delivery.
The Reality: Velocity is just a byproduct. Quality, stability, and compliance are the core foundations that enable whatever delivery speed the business requires. DevSecOps facilitates these fundamental principles of software development with automated, repeatable processes.
Myth No. 4: We’ll need to hire all new “super” developers to implement DevSecOps. Our current teams don’t know how. From development to operations, security, and testing, it seems like developers are now responsible for every aspect of the software delivery pipeline.
The Reality: The process, methodology, and technology behind DevSecOps means your teams are more engaged with each other versus having developers be responsible for everything. There’s no need to hire new developers unless they’re unable or unwilling to adapt to the cultural shift. DevSecOps breaks down silos and maximizes transparency, focusing on team ownership and responsibility.
Myth No. 5: DevSecOps is a capability. We can simply “buy DevSecOps” and implement it across our organization.
The Reality: You can’t buy DevSecOps. It’s a methodology—a philosophy—in which cross-functional delivery teams integrate technologies and collaborate to put your processes, practices, and philosophy into action. You can buy tools, such as continuous integration and release management, to enable your DevSecOps pipeline, but it’s really your delivery teams that make it happen. They’re the ones providing value. In a cultural shift, they’re driving continual improvement.
Shedding light on these five key misconceptions can help give you a better understanding of DevSecOps practices and how they relate to your organization’s software delivery lifecycle and the overall framework for developing an effective DevSecOps adoption plan. The benefits of DevSecOps are clear: improved quality, flexibility, speed to value, increased efficiency, and potential cost savings. With the right expertise, you can put your organization on the road to a successful and enduring DevSecOps practice.
