This 2-day workshop provides a detailed survey of DevSecOps concepts and their impact on cultural transformation.
The workshop is appropriate for anyone wanting to learn more about DevSecOps with a particular focus on technology leaders and thought leaders involved with leading/guiding DevSecOps transformations.
Material from this workshop is based on Kim, Gene, et al. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations. IT Revolution Press, LLC, 2016. Attendees are encouraged to review this text before the workshop.
With traditional software development, the time between releases of software is usually measured in months. While this allows for stability of releases and simplified communications, it is not nearly frequent enough for companies wanting to inspect and adapt frequently. To do this, they must lower cycle time, the time between when an idea or requirement is created and the time when its benefit is realized in production. The ability to confidently develop, verify, and release software very frequently (even many times a day) is the hallmark of an agile organization. The high release frequency means companies can be experimental: an idea can be implemented in its most rudimentary (minimally viable) form and then introduced into production quickly to obtain appropriate feedback. This creates a tight hypothesis/verification loop that allows organizations to adapt their efforts instantly as the market and needs change.
To realize these benefits, organizations need to optimize teams to focus on the delivery and operation of software by constantly eliminating constraints. These constraints are typically handoffs between teams: Product Owners to Development, Development to Security/Compliance, Development to Operations, and so on. Traditionally, these teams are intentionally kept organizationally distant and have directly competing goals. Development wants to release software quickly with minimal red tape. Operations wants to ensure systems remain operational, which typically means minimizing and controlling change. And Security/Compliance wants to ensure that all teams make security and compliance a first-class continuous requirement instead of an afterthought only considered in reaction to a problem.
The DevSecOps movement seeks to resolve these competing objectives by creating truly cross-functional teams that are empowered to do everything involved with creating and operating software without involving other teams. This is achieved through extensive automation of most manual tasks: building, testing, and deploying code; provisioning production and pre-production environments; and even security reviews and scans. However, implementing DevSecOps goes far beyond tools and processes. It is a cultural change involving most aspects of software development. Its scope is wide, and its impact correspondingly large. This two-day workshop will explore what “DevSecOps” means in practice, with particular emphasis on leading the transformation from a traditional software development/support mindset to one supported by DevSecOps principles. Upon completing this workshop, attendees will have a comprehensive understanding of the entire DevSecOps landscape, including:
- Why DevSecOps is important and its place in an Agile context.
- How to get started with the transformation, along with its impact on culture and organization.
- How to design and implement DevSecOps pipelines as a framework for automation.
- Driving high quality and faster turnaround through Automated Testing.
- Reducing cycle time with Continuous Integration and Continuous Delivery.
- How to measure progress and success in the transformation.
- Driving operational transformation through Infrastructure As Code concepts.
- Impact of DevSecOps on systems architecture and development processes.
- How DevSecOps affects Security and Compliance.