The Trust Algorithm as Applied to DevSecOps

Apr 26, 2018 9:01:07 AM By Larry Maccherone

While at RSA last week, I was interviewed by Ericka Chickowski for her piece, Trust: The Secret Ingredient to DevSecOps Success, which is about my long-used “Trust Algorithm”. I’ve been talking about it for years, but I think it’s finally time to write it down.

My personal favorite definition of DevOps is, "empowered engineering teams taking ownership of how their product behaves in production." DevSecOps just appends, "...including security." The primary goal of a DevSecOps initiative is to get development teams to make certain mindset shifts and adopt security practices into their daily activities, which simply cannot be done without healthy collaboration and mutual trust. There's the rub — there is typically a massive lack of trust between the security group and development teams, particularly at larger, more traditional organizations. It goes something like this:

Security people: “Those darn developers are cranking out crap that’s going to get us hacked!”

Developers: “Security is nothing but an obstacle. They don’t understand that we have lots of other concerns and the only ‘help’ they provide is to browbeat us.”

There are a lot of ways to explain this phenomenon, but it all boils down to the trust algorithm.

At the heart of the Trust Algorithm is this Trust Formula:

[Figure: the Trust Formula, combining the four terms defined below]

  • Credibility = How well you actually know what you are talking about
  • Reliability = How often and how quickly you do what you say you will do
  • Empathy = How much you show that you care about someone else’s interests
  • Apparent self-interest = How apparent it is that your words and actions serve your own interest

This is the first post in a series. Over the next few posts, we'll dive deep into each term of the Trust Formula and provide actionable steps (an "algorithm" if you will) for optimization so that you can use it to achieve the goals of your DevSecOps initiative.

About Larry Maccherone

Larry Maccherone - Speaker, Author

Larry Maccherone is an industry-recognized thought leader on DevSecOps, Lean/Agile, and Analytics. He currently leads the DevSecOps transformation at Comcast. Previously, Larry led the insights product line at Rally Software where he published the largest ever study correlating development team practices with performance.

Before Rally, Larry worked at Carnegie Mellon with the Software Engineering Institute (SEI) and CyLab for seven years conducting research on cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. He has also served as Principal Investigator for the NSA's Code Assessment Methodology Project, on the Advisory Board for IARPA's STONESOUP program, and as the Department of Energy's Los Alamos National Labs Fellow.

Contact Larry on his LinkedIn page: larrymaccherone