We know that security plays a role in DevOps, but we’ve been having a hard time inserting ourselves in the conversation and in the process. How can we get the two sides of developers and security to better understand and appreciate each other?



Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys.

Thanks to this week’s podcast sponsor, Qualys

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • It’s debatable whether the term “DevSecOps” should even exist as a term. The argument for the term is to just make sure that security is part of the discussion, but security people feel that’s redundant.
  • Security is not an additional process. It should be baked in. It’s an essential ingredient.
  • But should it really be seen as “embedding” or rather a partnership? Developers and operations operate as partners.
  • Instead of dumping security tools on developers and just demanding “implement this” security needs to go through the same transition development had to go through to be part of “Ops”.
  • As DevOps looks forward to what’s next, how can security do the same?
  • Security is unfortunately seen as an afterthought, and that’s antithetical to the DevOps philosophy.
  • Security is an innate property that imbues quality in the entire DevOps effort.
  • Security will slow down DevOps. It’s unavoidable. Not everything can be automated. But, if you deliver the security bite-sized chunks you can get to an acceptable level of speed.
  • Business needs to specify the security requirements since they were the ones who specified the speed requirements. That’s how we got to DevOps in the first place.