While at RSA last week, I was interviewed by Ericka Chickowski for her piece, Trust: The Secret Ingredient to DevSecOps Success, which is about my long-used “Trust Algorithm”. I’ve been talking about it for years, but I think it’s finally time to write it down.
My personal favorite definition of DevOps is, "empowered engineering teams taking ownership of how their product behaves in production." DevSecOps just appends, "...including security." The primary goal of a DevSecOps initiative is to get development teams to make certain mindset shifts and adopt security practices into their daily activities, which simply cannot be done without healthy collaboration and mutual trust. There's the rub — there is typically a massive lack of trust between the security group and development teams, particularly at larger, more traditional organizations. It goes something like this:
Security people: “Those darn developers are cranking out crap that’s going to get us hacked!”
Developers: “Security is nothing but an obstacle. They don’t understand that we have lots of other concerns, and the only ‘help’ they provide is to browbeat us.”
There are a lot of ways to explain this phenomenon, but it all boils down to the trust algorithm.
At the heart of the Trust Algorithm is this Trust Formula:
This is the first post in a series. Over the next few posts, we'll dive deep into each term of the Trust Formula and provide actionable steps (an "algorithm" if you will) for optimization so that you can use it to achieve the goals of your DevSecOps initiative.
Larry Maccherone is an industry-recognized thought leader on DevSecOps, Lean/Agile, and Analytics. He currently leads the DevSecOps transformation at Comcast. Previously, Larry led the insights product line at Rally Software where he published the largest ever study correlating development team practices with performance.
Before Rally, Larry worked at Carnegie Mellon with the Software Engineering Institute (SEI) and CyLab for seven years conducting research on cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. He has also served as Principal Investigator for the NSA's Code Assessment Methodology Project, on the Advisory Board for IARPA's STONESOUP program, and as the Department of Energy's Los Alamos National Labs Fellow.
Contact Larry on his LinkedIn page: larrymaccherone