The 4 stages of DevSecOps maturity

If there was ever a reason for companies to get serious—truly serious—about adopting a DevSecOps model, it's this recent issue of the National Law Review. In the article, "Data Breach Litigations: 2020 Year in Review," is this gut-punch of a quote: "What industries were impacted by data breach litigations in 2020? The short answer: all of them."

The longer answer, the article goes on to say, is that the number of data breaches in 2020 was more than double that of 2019, "despite the widespread adoption of cybersecurity policies and procedures by organizations to safeguard their proprietary information and the personal information of their clients, consumers, and employees." Not surprisingly, as security breaches increased, so, too, did data breach litigation.

What does all of this have to do with DevSecOps and, for that matter, Enterprise Architects?

The business wants (actually, needs) more applications more quickly than ever before. This has been true for some time, but there will likely be an uptick in demand for applications as business and customer needs shift during the uncertainty around the pandemic (and the process of coming out through the other side of it).

“When organizations think about DevSecOps, they mainly think about securing the application,” said Lucy Kerner, Senior Principal Global Cybersecurity Evangelist and Strategist at Red Hat. “DevSecOps requires a much broader strategy beyond just application security, involving infrastructure operations, security operations, people, culture, and process."

That's where DevSecOps comes in; an Enterprise Architect's role is to make sure the model gains adoption. Let's explore how.

The need for "Sec" in DevOps

Founders of the DevOps philosophy will point to security being part of DevOps from the beginning. Indeed, many companies claim to have added "Sec" to the DevOps equation but saying it doesn't make it so.

Aaron Levey, head of Red Hat's Global Security Partner Ecosystem and Strategic Partners, noted that most things being called "DevSecOps" today are not complete solutions.

[ Learn about the Zero-Trust approach to designing security architectures. ]

"The term DevSecOps has been thrown around like anyone can just sprinkle a bit of security here and there and poof … DevSecOps is magically there! Ta da! Sorry, ah, no," said Levey in his blog post, "You call that DevSecOps? Why your DevSecOps practice may be falling short."

One of the issues that many organizations have is that they just throw people and products at DevOps in the quest to establish DevSecOps.

"When organizations think about application security, they think about securing the application pipeline," said Lucy Kerner, Senior Principal Global Cybersecurity Evangelist and Strategist at Red Hat. "This seems to make perfect sense, but application security requires a much broader strategy."

Enterprise Architects are in a prime position to help achieve the balance between more applications and more secure applications. One of the most important things they can do is determine where the organization is starting from.

The 4 stages of DevSecOps maturity

Using the DevSecOps maturity model described by Kerner below, Enterprise Architects can gauge how far their companies have come (if at all) and how far they have to go on the DevSecOps path:

Beginner: Everything is manual, from creating applications to deploying them.

Intermediate: Standardization on some kind of toolchain is being leveraged to accomplish things like infrastructure as code, security as code, and compliance as code.

Advanced: Infrastructure and application development is being automated, and the organization is now looking to improve processes, scaling their existing automation, and implementing DevSecOps at scale using technologies such as Kubernetes, containers, and public cloud services. The organization is deploying apps at scale in a dynamic environment.

Expert: The organization has reached the stage where everything is API first in a cloud-native environment. The organization is evaluating or using technology models such as serverless and microservices, and is taking advantage of artificial intelligence and machine learning to make decisions about security and application development.

Moving through this model—and, importantly, not attempting to do so overnight—will help ensure that security can be woven through the CI/CD pipeline and adjusted as business and/or global conditions change, said Kerner.

Bottom line

DevSecOps success will also depend on getting buy-in from across the organization.

"There must be buy-in from the top down and bottom up, with the help of 'champions' from development, infrastructure operations, security and the business," said Kerner. "Cross-organizational training and automation, of as many processes as possible, also will be key."

Enterprise Architects are uniquely positioned to facilitate the kind of organization-wide commitment and strategy required to effectively implement the DevSecOps model and to extend it to whatever the next normal turns out to be. How will you go about guiding your organization the DevSecOps model?