Common misconceptions about DevSecOps
Fri 3 Dec 2021 | Finnbar Toesland

Ever since DevSecOps emerged as an effective approach for organisations to adopt, there have been misconceptions about exactly what it entails in practice. By embedding security throughout the entire software development life cycle, IT teams can ensure that software is released quickly but also securely.
While on paper embracing the agility of DevOps and incorporating security into every stage of product development is a clear ambition, some companies have found the practical implementation to be extremely complex. Because DevSecOps covers such a broad area of business operations, including culture, processes and behaviour, a number of misconceptions persist around this approach.
One-size-fits-all?
Successful DevSecOps initiatives are likely to share common traits and practices; however, different organisations will find there is no single uniform way to embrace DevSecOps. Partly because adopting DevSecOps affects virtually every part of a business, each company will need to tailor the approach to its own goals and needs.
Following best practices for DevSecOps is a good place for any organisation to start, but seeking to emulate the exact DevSecOps strategy of another business can prove an ineffective way to gain the benefits of this transition.
Buying DevSecOps
As much as it would make the transition easier, it is not possible simply to buy a solution or product that immediately makes an enterprise follow the DevSecOps approach. Possessing the right technologies and tools is, of course, essential to implementing DevSecOps as effectively as possible.
Yet because a cultural shift is as important as acquiring the right technology, getting the right tools is only half of the process. Purchasing the right solutions without spending the time to establish a collaborative culture means that fully achieving DevSecOps is unlikely.
Less control
With automation playing a key role in achieving many of the benefits of DevSecOps, some staff members may have concerns about what their job role will look like in future. These concerns can be addressed by communicating to all employees that automation will actually enable staff to focus on more complex manual tasks and leave behind the often mundane processes of the past.
In practice, adopting DevSecOps can give staff more control over the entire software development process, as they will be the ones governing which processes are automated and which require a human touch.
Is agility vital?
Agility is a central part of the DevSecOps framework. DevSecOps and agility are not one and the same, but they are ideal partners for organisations that want to fundamentally improve collaboration during the software development life cycle. A focus on security at many stages of the development process may appear on the surface to reduce agility, but in reality this is not the case.
Because security is embedded into the work of all departments and staff, there is a far lower chance that major flaws will be raised at the end of the process or after release, where they cause severe delays to release schedules. A flaw caught in design or code review is far cheaper to fix than the same flaw found once the software is already deployed.
DevSecOps without the Sec?
Fully embracing a DevSecOps approach means changes not just for development and operations, but also for security. While development and operations will be required to adopt new ways of working to ensure the migration is effective, security staff will also be expected to shift their practices.
Collaboration is at the forefront of DevSecOps, and security personnel will find themselves playing a major role in breaking down conventional business silos and working more closely than before with colleagues to make the most of DevSecOps.