Atlassian, which provides a wide range of software development and collaboration tools, has an important message for agencies looking to build DevSecOps initiatives: Don’t just think about the tools.
“In general, there are three pillars of DevSecOps: people, process and technology,” said Ken Urban, Public Sector Evangelist at Atlassian.
“We can build the processes, and we can implement the technology pretty easily,” he said. “But in reality, none of that actually matters if nobody’s using it. You can’t force people to change their mindset.”
That is why Atlassian says culture is the number one success factor in DevSecOps.
“A healthy DevSecOps culture will not only change the way people think about security, but it will also promote good communication and collaboration,” Urban said. “It will show you how successful you can be if you work together as a team.”
Urban identified four key attributes of a good DevSecOps culture.
1. Effective Communications
“When people talk about DevSecOps, they often focus on improving communications between developers and the security team. But organizations need to foster open and transparent communications at every layer of management, from the top down,” Urban said.
In particular, developers can benefit from understanding how their work fits into the larger mission – and why particular security constraints are important.
“Good healthy communication means staying as open and transparent as you can be without compromising that security,” he said.
2. Effortless Collaboration
In the same manner, collaboration needs to extend beyond any one DevSecOps team, because no project is the result of just one team’s efforts. Urban points to the space program in the 1960s as an example.
The effort to land Apollo 11 on the moon “was more than just one team at NASA – it was the entire agency working together to solve a problem. In fact, it included many teams across industry and academia as well,” Urban said.
“Now, if you take that and you look at DevSecOps, can you succeed if you don’t include security or compliance in your collaboration? Probably not,” he said.
3. Secure Flexibility
In DevSecOps, developers always need to be ready to change directions quickly and easily. But agencies can only create an open and flexible DevSecOps environment if their tools are open and flexible.
“That flexibility needs to be provided in the context of good security,” Urban said. “For example, with the Jira suite, you can create cross-team collaboration and still configure the tools to maintain a high degree of security roles, retaining autonomy and flexibility for your team.”
4. Seamless Integration
“Agencies must think about how their application development and project management tools support the culture they want to develop,” he said. “In particular, to support communications and collaboration, they need to select tools that integrate seamlessly.”
Atlassian’s suite of products allows for seamless integrations as well as deep integrations with other tools for release, monitoring, deployment, automation and alerting.
“What you want to do is look at what tools are going to accelerate your transformation and improve the pace of development – and help you develop more secure code,” Urban said.
This article is an excerpt from GovLoop’s recent guide, “Agencies Build Foundation for DevSecOps Success.”