In the DevSecOps community there is a lot of focus on making things easier for developers and helping their motivation. I believe these are often only symptomatic fixes.
From various conversations, I’ve learned that developers’ motivation to improve security spans a wide spectrum. Many hope that by somehow igniting a spark in the developer groups, security will increase by magic. Appointing security champions, forming security guilds, and adding easier tools to find and fix more security issues are all the rage.
I believe the real issue is usually not signaling the right priorities in the backlog. Too often in DevSecOps initiatives, the initiators act like Jean-Luc Picard from Star Trek and say “Make it so”.
The backlog is a continuous stream of dev, sec, and ops “todos”, and it is damn hard to know what to pick first. Of course, if it’s a very urgent security issue in production, then noses get aligned. And I applaud the initial initiatives to improve “security hygiene” by fixing code bugs surfaced by tools.
The problem arises when “everything” is considered important and urgent. DevSecOps is about making tough choices on what to do first with a finite amount of resources: Do I favor a new feature over security maintenance? Or do I give the team space to solve security issues?
I’ve lived through a similar discussion around Dev and Ops. That discussion was hard several years ago, but ultimately we saw there was a competitive advantage in getting to production faster and keeping things stable. Security still feels like a different beast right now; it is too often seen as a sink of time that does not create value. Yet, like insurance, when you need it, it was often worth the investment.
Finding the right balance between dev, sec, ops … and business tasks in the backlog is the real DevSecOps problem, and it’s a hard one.
Related to this, I personally don’t like the term “developer first”: a backlog is where everyone screams “developer first”, “operations first”, “security first”. The additional challenge is to also make it “business first”. I would like to stress “additional”: teams are more and more often operating autonomously. That definitely helps motivation, but they should keep aligning with the business. Sometimes the business needs to agree that fixing some technical debt takes priority; sometimes security has to agree that some business features take priority. If you succeed at having this conversation as adults, where everybody is heard and weighed in, you will have a lasting DevSecOps culture.
Do yourself and the team a favor and elevate the discussion of DevSecOps to the prioritisation of the backlog while still considering developer motivation.
Help Hans!