As the head of products on my fourth startup, I have had a front row seat to the emergence of DevSecOps. There are some that define DevSecOps as the process of secure coding practices; however, I’d suggest a more holistic definition. In my experience, the DevSecOps team is responsible for three things – software development of the core application, management of the infrastructure platform that runs that application, and providing security for both the core application and the infrastructure platform to protect client data.
DevSecOps Talent is Scarce
SaaS-based startups are at the bleeding edge of DevSecOps since most have small engineering teams that must wear all three of these hats simultaneously. As a result, hiring becomes a major challenge since rarely do you find people with this rare combination of skills. Usually the company ends up optimizing to engineers who are great at coding or managing infrastructure, but are not as strong in security expertise.
A recent search of LinkedIn shows over 46,000 open DevOps jobs – – evidence that this position is both in high demand and hard to fill. DevOps teams have addressed some of this hiring problem through a suite of tools for development (GitHub, JIRA), release management (Jenkins), deployment (Kubernetes) and monitoring (Datadog, PagerDuty). But where are the tools for security? Given the lack of security expertise amongst most engineers and what’s at stake for the organization and their customers, it’s time to add security tools to the DevOps toolbox.
Automate & Demystify Security
This was the impetus to starting Tugboat Logic. We challenged the assumption that managing your security program was something that could not be automated and demystified with technology. We looked at the security tasks that typically get thrown on engineering teams, and we strove to do two things – demystify them and automate them so these teams can address them quickly and get back to their day jobs. How often has your DevOps or engineering team been given the pleasure of writing an InfoSec Policy for sales to give to their customers? Or respond to a 450-question security questionnaire ? Or even worse yet – be tasked to get your company SOC 2 or ISO 27001 certified? Unlike operations, which is a familiar extension of development, security is a dark art for most engineers. This uncertainty leads to wasted hours learning best practices, and lost sales from failing to pass the customer’s security due diligence phase.
A Tool for DevSecOps
Wouldn’t it be great if they made tools for you for these things? Well they do – it’s called the Tugboat Logic Virtual CISO Platform. It is like JIRA for security. The best part is you don’t have to go on LinkedIn or hire expensive recruiters to find this help, just go to www.tugboatlogic.com and let our technology provide the expert guidance and automated workflows to knock out these tasks confidently, quickly and painlessly. It’s time people started making tools for DevSecOps people too – and the solution is available today.
PS: You don’t have to make a tradeoff between speed and security. Download The Enterprise DevSecOps Playbook for practical tips on integrating security into your SDLC and start building better, more secure apps, faster.