Why Your Business Needs to Evolve to DevSecOps Right Now

By Prabhath Karanth
January 31, 2022

“The ideal conditions for making things are created when machines, facilities, and people work together to add value without generating any waste” believed Kiichiro Toyoda, the founder of Toyota.

Indeed, this scenario is what processes like Agile and DevSecOps demand as well. Both Agile and DevSecOps demand a cultural shift, a change in mindset, and are driven by cross-functional collaboration across the organization. 

However, despite their similarities, they are vastly different in their underlying approach. If you’re trying to decide which process is better for you, the answer might not be as simple as choosing one over the other.


The differences between Agile and DevSecOps

The primary difference between the two approaches boils down to just one thing: the implementation of security measures.

Agile focuses on developers, delivery, and product management, while DevSecOps emphasizes testing, automation, and integration of security right from the beginning of the development pipeline, supported by the right tooling. Striking the balance between managing the security risk associated with each change and a seamless developer experience that lets teams innovate at a rapid pace is critical.

But they are not mutually exclusive. Although they differ in their approaches, they complement each other well in pursuit of common goals: faster turnarounds, better customer experience, and speedy deployment. Ultimately, this helps businesses innovate and release features at the pace that the market and customers demand.

Evolving from Agile to DevSecOps

When Agile emerged nearly two decades ago, it did break down some of the silos of the Waterfall method. But not enough. There was still the need to find the right balance between speed of delivery, stability of applications, and security, which gave rise to DevOps. 

“Instead of IT operations and software development being siloed off from each other, DevOps breaks down the traditional boundaries that previously existed between them in order to achieve Continuous Integration and Continuous Delivery (CI/CD) of quality software features and applications to end-users,” explains Barbara Ericson of Cloud Defense in her blog.

DevOps, then, is clearly an improvement over Agile with its focus on team collaboration and prioritization of automation. 

If you’ve already implemented DevOps in your organization, DevSecOps might not be shockingly different. The difference is that DevOps teams iterate their way to the finish line, and security is left to the end of the development pipeline. DevSecOps, however, seeks to shift security left in the SDLC.

Think of DevSecOps as the “premium package” among approaches. It keeps automation, delivery, and customer experience as its goals but with a security-first mindset. It strikes a balance between speed and safety without compromising security posture, since a weakened security posture can lead to heavy financial and reputational repercussions for a business.

Sounds too good to be true? The approach might be ideal, but its implementation has its challenges.

What is the Purple Book Community?

The challenges that DevSecOps pose can only be solved by initiating a cultural and mindset shift. People need to be enabled to adopt DevSecOps in its true spirit. This is where the idea of the Purple Book Community came about. 

The Purple Book Community comprises top security thought leaders and practitioners. Initially, it brought together 29 industry experts to write a comprehensive book about DevSecOps, AppSec, and product security concerns, best practices, and case studies. This book will be offered free of charge for the benefit of the broader community. The community is composed of seasoned security executives who understand the need to accelerate product innovation without compromising security posture.


How can the Purple Book Community help?

The book, as well as any other content that the community creates, provides actionable guidelines and playbooks to show how businesses can steadily add robust layers of security by adopting DevSecOps. It helps companies accelerate their processes by learning from practitioners who have been there and done that. The content of the book will be kept current by leaders who will write blogs and publish podcasts regularly. 

Cybersecurity challenges are evolving every day to become more sophisticated. It’s important to have equally sophisticated experts on your side to decode the threats and keep your business safe. And the Purple Book Community is built to do just that.

As Poornaprajna Udupi says in his chapter of the Purple Book, “Processes can be strong enablers. Yet it is important to be mindful of the business state while attempting to implement any processes within the software security framework. A carefully formulated framework to implement key processes is therefore essential to the ultimate success of the security posture of any organization.”

The Purple Book Community acts as your support system and guide as you figure out your business framework and implement those key processes to fulfill the promises of DevSecOps.


Participate in the community!

The community meets twice a month to talk about the latest developments in the industry, network with each other, share best practices, decode major attacks, and build long-lasting bonds. To know the latest updates and participate in events, check out the community’s LinkedIn page.

Prabhath Karanth
Senior Director of Security Compliance & Assurance, TripActions