The Emergence of DevSecOps

DevSecOps has recently gained traction as a fusion of DevOps and security practices. At its core, it’s not just about automating security but about creating a culture that yields tangible outcomes for businesses. If DevOps emphasizes software delivery performance, what then should security focus on to bolster this?
Typically, DevSecOps has been seen as automating the build/delivery pipeline. A more comprehensive view, however, treats it as a mindset that goes beyond security automation: a culture aimed at delivering business value.
The challenge now is to determine which security metrics truly assist, rather than hinder, an organization’s business processes.
Drawing from the influential book “Accelerate” by Nicole Forsgren and colleagues, there are four essential principles to remember when measuring security:
Many security metrics are vendor-driven, especially those linked to DevSecOps. Businesses should be wary of this and choose metrics that align with their own security goals.
What Not to Measure: MTTF (Mean Time to Failure)

Avoid the trap of measuring MTTF. Failures are bound to happen; the focus should be on metrics that enhance resilience and tackle threats.
Balancing Security with Practicality

Enhanced security usually entails sacrifices, such as increased costs or friction. It’s vital to have metrics that assess the repercussions of new security implementations, for example more time spent on tools or additional burden shifted to other departments.
Considering System Complexity

The intricacies of your entire system introduce risks surpassing those of any single component. Such risks should factor into your security plan. This involves evaluating both short-term stresses like active incidents and long-term ones like employee turnover.
Concluding Thoughts

While there’s enthusiasm to test early in the Software Development Life Cycle (SDLC), it’s pivotal to anticipate failures at runtime as well. Only by understanding incidents in production can there be a feedback loop that reinforces security. Adopting the right security metrics can pave the way for a business to thrive without security becoming a constraint.