Red Team the Culture with DevSecOps — A look at what it is
This article is a follow-up to my earlier blog post about what it means to be a DevSecOps engineer, since I did promise an article expressing how I feel about the term.
Both are quite the buzzwords in the security and software industry now; if you have them in your resume or skillset, you’re all set. But do you really know what they mean? Is it a playbook? Is it a practice? Is it a mindset? Or is it a culture transformation?
Skip to the end if you just want my main point; otherwise, continue reading about what I found.
As a modern user of technology, and to see what others are saying about it, I went and asked Google…
The two searches were ‘devsecops’ and ‘devsecops meaning’, and they returned results with similar links:
We all know how much we trust Wikipedia, so I’m just gonna let it be.
According to DevSecOps.org, “The purpose and intent of DevSecOps is to build on the mindset that “everyone is responsible for security” with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”
If you read further down the blog, it is referred to as a transformation:

The SANS Institute has a “DevSecOps Playbook” which argues that “DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.”
SumoLogic has many articles on, and references to, the term “DevSecOps”. The first one describes it as the “philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a ‘Security as Code’ culture with ongoing, flexible collaboration between release engineers and security teams” but then goes on to say that “a cultural and technical shift towards a DevSecOps approach helps enterprises address security threats more effectively, in real-time.”
It also quoted DevSecOps.org that ‘the purpose and intent of DevSecOps is “to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”’

BONUS! (not in the Google search results):
On DevOps.com, Shannon Lietz says it is “culture hacking” and a “transformation”:

On a similar topic, I’ve also seen DevSecOps certifications and training courses spring up:
- https://devopsinstitute.com/certifications/devops-practitioner-certification/devsecops-engineering-dsoe/
- https://www.itsmacademy.com/DSOE
- http://aspetraining.com/resources/blog/devsecops-101
Can I be certified to hack a culture? Can I be certified as a cultural transformation engineer? Can I be certified as a DevSecOps Engineer?
While it is important to equip and certify engineers with the right toolset and skills, keep in mind that the focus must be on the transformation that starts from within the organization and involves everyone (especially top management). Where can I get the certification for making this phenomenon happen?
For me, the definition is clearly a cultural and transformational shift in mindset more than anything else.
It is a means to an end, not the end itself.
The tools and playbooks we see today are products of those who have been educated in and are implementing DevSecOps. Organizations should not focus only on using the tools, and should never start with the tools. Do not fall into the trap of (forcefully) implementing the practices without embracing the mindset change. Organizations that only focus on the tools and practices tend to fail, and then wonder why they failed. DevSecOps is not just about automation with Dev + Sec + Ops tools. That equation does not make sense.
Understand the true meaning of DevSecOps and what it requires of the culture before using the DevSecOps tools. It is similar to learning a martial art, where mastery of the discipline is not complete until you understand and incorporate both aspects: the martial and the art. Learning the martial without the art can only lead to disaster, like a loose cannon.
Thus, let us start this transformation by communicating with each other, and focusing first on the people; then the processes; lastly the tools.
Did your organization get it right?
I am fortunate enough to have been born into a company undergoing the DevSecOps transformation — thanks to my previous mentor and manager. She definitely helped shape my mindset and attitude towards this. This article expresses how I feel about, see, and understand the current landscape. It does not represent any organization’s opinions.