We are so grateful to have had Shannon Lietz, a founding member of DevSecOps, host the UMSA WebTracks webinar in January. The subject was DevOps and security collaboration, and her message was simple: if companies let it, DevOps is going to change security for the better.

Why DevOps?

According to research provided by Lietz during the webinar, change is coming; high performing teams are being developed and incubated in enterprises to mimic the DevOps teams found in start ups. These enterprises are recognizing that software needs to keep up with customer and employee demand. Here are a few ways it DevOps can do that:

• Faster feature delivery
• Rapid value creation
• Continuous improvement
• Learn as you build LifeCycle
• Pivoting with changing customer demand
• Better, rugged software

But security is holding DevOps back…

One of Lietz’s main points during the webinar was one security professionals are familiar with – enterprise security moves too slowly. To keep up with DevOps, and society in general, security needs to become more agile. Lietz had a few suggestions for how security can match the pace of DevOps:

• Trust and verify culture
• Fewer, better suppliers
• Better automated checks
• Security APIs and Services
• Self-service built into continuous delivery
• 24×7 incident detection and response
• Measure better
• Actionable security defects

Collaboration between DevOps and security

What makes DevOps so innovative is the idea of working toward the minimum viable product (start small to keep it manageable and build forward momentum) and the value placed on learning through experimentation. Both of these tactics clash with the current security processes and ways of thinking. A large portion of webinar focused on this conflict and how security needs to change in order to support DevOps, and inevitably better itself. Here are a few high-level examples:

• Security needs to move from “approvals & exceptions” to “continuous security testing & monitoring.”
• Security needs to move from “separation of duties & limited privilege” to “behavioral anomaly detection.”
• Security needs to move from “manual audits and testing” to “automated evidence collection.”

For a detailed discussion on the ideas presented above and for more information on building a successful relationship between DevOps and security, watch Shannon Lietz’s webinar.

Thank you to Shannon and all our attendees for making WebTracks fun and educational!