
Nimmy Reichenberg recently wrote an article on SecurityWeek describing the “Three C’s” of team-based application development: Collaboration, Communication and Co-Ownership. He calls this “Extending the DevOps Model”, with the premise that DevOps teams use Agile techniques to refine their processes, but the security team, by its very nature, slows the process down.

“Security has been viewed by these teams as a bottleneck because security by nature is to add checks to the process of making changes and pushing out new capabilities.” — Nimmy Reichenberg

As I delve deeper into the DevOps mindset, this seems to be a consistent issue. The most effective way to handle it is to move security into the development cycle from the beginning, so that it becomes part of the process rather than a free-standing silo, as Reichenberg refers to it.

“Instead of working in silos, if all of the key stakeholders understand and are involved in the change process from the beginning, you can ensure the proper checks and balances and provide the proper visibility from all angles.” — Nimmy Reichenberg

If we think of the DevOps process as a linear timeline, security can be pushed back as close to the beginning of that timeline as possible, making it integral to development. I’ve seen the terminology “moving left” or “shifting left” used to describe the concept.
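As an added illustration of what a check at the far left of that timeline looks like in practice (this is example code written for this post, not from Reichenberg’s article): a small POSIX shell gate that can be wired into a git pre-commit hook and refuses the commit when a staged file contains something that looks like a credential. The regex patterns, the function names and the sample files are constructed for the demo and are assumptions, not a vetted secret-detection ruleset; a real hook would feed it the output of `git diff --cached --name-only`.

```shell
#!/bin/sh
# Shift-left security gate (illustrative, constructed for this example).
# Runs on the developer's machine before code enters the pipeline, so a
# leaked key is caught at the leftmost point of the timeline instead of in
# a late-stage review.

# Constructed, deliberately small pattern list: private key headers, an
# AWS-style access key id prefix, and quoted password/secret assignments.
SECRET_PATTERN="BEGIN (RSA|EC|OPENSSH) PRIVATE KEY|AKIA[0-9A-Z]{16}|(password|secret)[[:space:]]*=[[:space:]]*[\"'][^\"']+"

# check_file_for_secrets FILE
# Returns 0 when the file is clean, 1 when it contains a likely secret.
check_file_for_secrets() {
    file="$1"
    if grep -Eq "$SECRET_PATTERN" "$file"; then
        return 1
    fi
    return 0
}

# security_gate FILE...
# Checks every file given; prints each offender to stderr and returns 1 if
# any file fails, 0 if all pass. In a pre-commit hook the caller would pass
# the staged file list and a non-zero status aborts the commit.
security_gate() {
    status=0
    for f in "$@"; do
        if ! check_file_for_secrets "$f"; then
            echo "BLOCKED: possible credential in $f" >&2
            status=1
        fi
    done
    return $status
}

# Usage: security_gate.sh FILE...  (e.g. $(git diff --cached --name-only))
if [ "$#" -gt 0 ]; then
    security_gate "$@"
fi
```

The gate is intentionally narrow: the point is where it runs, not how clever the patterns are. Placing it in the developer's commit path gives the security team a check that costs seconds per commit instead of a review round at the end of the cycle, which is the trade-off the “shift left” idea is about.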

Application Life Cycle - Moving Left with Security

Reichenberg’s conclusion is “Agility is the name of the game, and it shouldn’t stop at DevOps.” You can read the complete article here: Extending the DevOps Model to Achieve Operational Excellence and Improved Security.