Common mistakes when implementing DevSecOps


DevSecOps is a leading-edge approach to product development. But what do you need to know to shift security successfully to the left? Avoid these six most common mistakes and look forward to a digital future in the fast lane.

Common mistakes when implementing DevSecOps

Mistake Tip
Not enough stamina Where expectations are too high, disappointment is almost inevitable. DevSecOps is a long road and there are no short cuts.
Top-down approach DevSecOps cannot simply be decreed by management. As with any change in behaviour or awareness, you need structural adjustments and continuous change management that pays particular attention to cultural factors.
Unstructured approach First identify the risks, prioritise action points and set realistic interim targets. Problem areas and sticking points between development and security are the ideal place to start. Eliminate overbearing security processes wherever possible.
Failure to recognise the benefits of DevSecOps Use storytelling and incorporate every improvement into the backlog in the form of a security story, similar to user stories. This allows you to plan implementation and, most importantly, makes it visible to all stakeholders; creating transparency and trust. Documenting changes of role and determining expectation on both sides is vital to clear communication so the team understands its responsibility.
Poorly automatable security tools Ensure that everyone has the tools to do their job. Automation is also gaining ground in security tools, managed via script or api. Graphical user interfaces can make it easier to get started but are not suited to automation.
Exclusive focus on analysing code Application security testing can identify known angles of attack and weaknesses at an early stage. Web application firewalls are still a must, however, as an additional line of defence against novel or unknown types of attack. In DevSecOps architectures, this function is increasingly being performed by tools such as the Airlock Microgateway. Its security model ensures that the only requests that actually reach the application are those that the developers have explicitly classified as valid.

Roman Hugelshofer, Managing Director Application Security, Member of the Executive Board, Ergon

“United and aligned, Agile and DevSecOps achieve their common goals of short deployment cycles and the best possible customer experience.”

Roman Hugelshofer Managing Director Application Security, Member of the Executive Board, Ergon

Interested in more?

Digitisation projects
Change makers
Tech trends

Order now
header image SMART insights 2021