Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.

Humanizing DevEverythingOps

DevOps is, at its heart, a set of principles that applies across the full scope of software development, from security to containers to business operations. But how those principles fit together will naturally differ from company to company.

I had the opportunity to join Alan Shimel on his DevEverythingOps series along with Wolfgang Platz, Mitchell Ashley, Jayne Groll, and Anders Wallgren to talk about the intersection between appsec and devsecops.

“Bringing Ops into the aspect of the business you’re in, integrating groups together, that’s a sign that you’re not just having an effect on the development side of the business, but affecting the whole company,” said Mitchell Ashley, CEO and Managing Analyst with Accelerated Strategies Group.

The term DevEverythingOps acknowledges that it is not only customers, or engineers, or developers who matter. Instead, I see it as a network of interconnected people collaborating and working toward a common goal in a continuous, iterative manner. It is all of these different processes happening faster, together and all the time.

Expand the Focus Beyond Dev and Ops

If you want DevOps to work, said Anders Wallgren, Vice President of Technology Strategy at CloudBees, you have to think beyond the Dev and the Ops. The digital transformation impacts everyone within a business organization, and DevOps needs to consider the people in HR, the people in Finance, the people across the entire company and their business functions. “If you’re going to make DevOps work, you can’t just focus on Dev and Ops. You can’t change how you’re doing things if you ignore the rest of the world,” he added.

DevOps often comes down to the human aspect of teams working together to build software. Some factions believe you can only get to DevOps through automation, while others say you only get there through the human factor, but it is, of course, a combination of the two. Underneath it all, DevOps is really people asking to be counted because their roles are important, and that includes both security and the business.

“It’s a new way of approaching IT,” said Jayne Groll, CEO of DevOps Institute. However, if DevOps becomes political or acquires a religious fervor, it becomes dangerous for the digital transformation. “If it becomes really human, if we don’t acknowledge that humans are driving the transformation, I don’t think we’ll be able to succeed. It will revert back to the same old-same old.”

Coordinating the Ecosystem of DevOps

The DevEverythingOps concept comes in when you digitize the DevOps ecosystem so that more knowledge can be systematically shared with teams who only see a very small part of the system. Everybody works on a piece (where does the security come in, where do you test) but rarely does anyone see the whole picture.

Human interaction in a world of COVID-19 and virtual meetings provides an example of how to coordinate the DevOps ecosystem. A kid in school is going to have both synchronous and asynchronous learning processes, for example, and the same concept can be used in the DevOps workplace. This relies on data organization and transparency to ensure everyone is getting the same message and effectively sharing information.

Data organization can be boring, but it is very important to keep track of your inventories. You also need a culture of transparency and inventory sharing. We have seen this type of cultural shift happen in the security community: in the past, threat intelligence was handled among a handful of people, but today we have learned that you get more use out of your threat intelligence data if you share it more broadly.

But how do you do DevEverythingOps? asked our moderator, Alan Shimel, CEO and Founder of MediaOps.

It can be done by making the process more efficient. A person standing on a stage giving a presentation to an audience, for example, can easily talk for half an hour or longer, and after a while you risk losing the audience. A person who has to record that presentation and share it digitally with the same audience is going to be more efficient in the approach because it is a different type of experience. This kind of succinct sharing of information makes it easier for everyone to understand.

There also needs to be a level of trust and understanding between everyone in the process. This trust is built over time; it cannot be a one-time thing in the DevOps process where you simply expect people to do things because they were told once. There has to be a culture of accountability. That will differ between organizations and within DevOps teams, but making each member of the team accountable creates the expectation that processes will be followed effectively.

Silos are a major reason DevOps is not adopted and organizations do not work together, my fellow panelist Ashley pointed out. Organizations outside of IT tend to be very data driven, while IT often is not. But if we can learn how to harness data and use it productively with the rest of the business, that will help us get to DevEverythingOps.

Balancing Dev and Ops

Talking about DevEverythingOps at a high level might work, but when it is brought down to the human or team level, the complexity compounds. That is where the notion of DevEverythingOps has trouble gaining traction. There is also a tendency to push more onto the Dev side, which can become burdensome, creating a need to balance Dev with Ops.

“We have to be honest about what we demand of our developers but we don’t want to be over demanding,” said Wolfgang Platz, Founder and Chief Strategy Officer of Tricentis. “What do you expect for a developer? I want him to be on offense, but should I expect them to be the best defender? No, somebody else has to do that because they do it better.”

There is an organizational strategy to identify the high-value contributors on the team or in the overall company, but also not to devalue anyone because of their job duties. It is important to consider the organizational design to find the right people for the DevOps team and their roles on it. I believe DevOps succeeds when you support a truly collaborative culture where everyone has value. Ultimately, the set of principles that governs DevOps begins with the human touch and leverages the team to move to DevEverythingOps.

To see a full recording of the ‘DevEverythingOps: Tackling the Top Challenges Together’ panel, watch below.

About Caroline Wong
Caroline Wong is an infosec community advocate who has authored two cybersecurity books, Security Metrics: A Beginner's Guide and The PtaaS Book. When she isn't hosting the Humans of Infosec podcast, speaking at dozens of infosec conferences each year, working on her LinkedIn Learning coursework, and of course evangelizing Pentesting as a Service for the masses or pushing for more women in tech, Caroline focuses on her role as Chief Strategy Officer at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of vetted, highly skilled testers.