How to Move Through the DevSecOps Maturity Model

Making the cultural shift to DevSecOps starts with evaluating your progress on a 4-stage maturity model.


Products and platforms are key to fully integrating security not just into the application pipeline, but throughout infrastructure, operations, supply chain, and beyond.

But products and platforms alone aren’t enough. Many organizations have realized that taking full advantage of the agility and responsiveness of the DevOps approach means integrating security as a shared responsibility throughout the entire IT lifecycle.

Outdated security practices can undo even the most efficient DevOps initiatives.

The evolution of DevSecOps—development, security, and operations—reflects the need to integrate security through culture, automation, and platform design.

Effective adoption and integration of DevSecOps requires an organization-wide cultural shift. It also requires automating as much as possible. Of course, all of this can’t—and shouldn’t—happen overnight. Effectively moving from DevOps to DevSecOps requires a purposeful transition through a maturity model.

What stage is your organization at?

“Members of the Dev, Sec, and Ops teams have been doing their jobs in the same way for a long time, and DevSecOps likely represents a significant change in all those processes,” writes Lucy Kerner, Director, Security Global Strategy and Evangelism at Red Hat.

Organizations should evaluate their progress in a 4-stage maturity model:

  • Beginner – Everything is manual, including developing applications and the systems that will run them, as well as maintenance.
  • Intermediate – Standardization on a chain of tools that will implement everything as code, including infrastructure as code, security as code, and compliance as code.
  • Advanced – Scaling existing automation and using cloud technologies such as Kubernetes, containers, and public cloud services, to achieve DevSecOps at scale.
  • Expert – Adopting best practices developed by organizations such as Netflix and Google where everything is API-first in a cloud-native environment. Those organizations have fully automated development pipelines, continuous delivery practices, shorter development cycles, and increased deployment frequency. That involves leveraging technology models such as serverless and microservices and taking advantage of artificial intelligence and machine learning.

Using open standards and cloud-native technology helps organizations avoid lock-in and paves the way for future growth. But cloud-native technologies don’t lend themselves to static security policies and checklists.

“Old security practices must be replaced by more agile and flexible methods so that security can iterate and adapt to the fast-changing environment,” writes Red Hat Solutions Architect Mike Calizo.

The path to maturity

Security must be continuous and integrated at every stage of the app and infrastructure life cycle. Organizations should step back and consider the entire development and operations environment. This includes source control repositories, container registries, the continuous integration and continuous deployment pipeline, API management, orchestration and release automation, and operational management and monitoring.

The journey is unlikely to be easy, and there may be missteps. But each step brings an organization closer to the goal of continuous development and deployment of secure applications. Ultimately, organizations will be able to deploy security as code, so that security is built in rather than bolted on.


Copyright © 2021 IDG Communications, Inc.