Channel: Reg Whitepapers

DevSecOps Is Dead...Or Is It?


The buzz around "DevSecOps" has persisted far longer than most tech trends, yet more than a decade since its introduction, many organizations still face significant hurdles in adopting it effectively. Engineering and security teams continue to struggle not only to reduce software risks but also to ease the persistent friction between development and security. And in many cases, these challenges have worsened. So why has progress been so difficult?

DevSecOps tends to focus on Sec or SecOps but downplays or ignores DevSec. The measure of success for DevSecOps is not the number of vulnerabilities, nor even the number of vulnerabilities fixed — it is the ability of teams to seamlessly build and deploy quality software within the guardrails of the organization’s risk posture by design. To align DevSecOps with DevOps outcomes, such as rapid and reliable software delivery, organizational well-being, and reduced burnout, we must embrace a framework designed for the realities of modern software construction. We need to put an emphasis on Developer Security, the DevSec in DevSecOps.

Snyk’s newly released DevSecOps Maturity Framework allows organizations to self-assess according to the six pillars for success in securing applications built for today’s world:

  • DevOps Foundations
  • Strategy and Culture
  • Security Design
  • Testing and Monitoring
  • Response and Remediation
  • Analysis and Governance

But first, it’s important to understand how we arrived here.

