
DevSecOps or how to improve security and compliance

by Technologia

DevSecOps is a fairly recent framework that combines DevOps with security. We interviewed Julien Dort to learn more.

Technologia: Before getting into the heart of the matter, it might be a good idea to review the basic concepts of DevOps. In broad terms, it is a movement specific to IT engineering whose goal is to combine software development (in English Development) with the administration of IT infrastructures (in English Operations). So, to put it simply, to facilitate cross-functional collaboration in order to increase efficiency. Is that right?

Julien Dort: Yes, the goal of DevOps is to deliver software as quickly as possible while ensuring that it is of high quality, secure, meets the customer's needs and does not jeopardize the company's IT infrastructure. To achieve this, DevOps relies on five main pillars: "company culture", i.e. communication between teams; "empowerment of people", ensuring that employees understand and have the tools to do their job, etc.; "automation", which is the best known component and which effectively aims to automate as much as possible; "lean", whose objective is to optimize processes by limiting any type of waste (time, resources, skills, etc.); "metrics", the pillar of the "business case", which is the most important aspect of DevOps. Finally, the "sharing" pillar aims to promote the transfer of knowledge, feedback, etc., in order to enable a transformation of the company that scales with its size.

T: Now that the basics are clear, let's talk about DevSecOps.

Julien Dort: DevSecOps is used to emphasize a point already present in DevOps: security and compliance. Many companies have invested time and money in their transformation to DevOps, but with hindsight, the community realized that, through ignorance or oversight, the security and compliance aspects were not included in this transformation. At the end of the development process, the software was delivered faster, but the security and compliance teams vetoed it. So back to square one, wasting time... not really DevOps after all. DevSecOps clearly focuses on security and compliance, without forgetting the rest.

T: In concrete terms, what does this mean for the teams?

Julien Dort: Often, the main point is communication. For example, we can tell the development teams which security specialists they can contact for support. We also need to train them and encourage them to ask security questions upstream. We also need to work on the side of the security and compliance teams to address the need for training and prevention. More generally, we need to make sure that everyone in the company is aware of the importance of security and compliance throughout the development cycle.

T: Security and compliance, what's the difference?

Julien Dort: Compliance is the regulations imposed by governments or recognized organizations. Compliance is a way of encouraging companies to do security.

T: Is the creation of the DevOps Institute part of this logic?

Julien Dort: In a way, its goal is to create a community of people in all the fields impacted by DevOps. The goal is to generate mutual aid, presentations, feedback and training on aspects specific to DevOps. For the training aspects, the people who wish to give the training courses must be officially certified by the institute, precisely to guarantee the maintenance of the practice and its conformity to the stated principles. Every year, the institute offers new training courses, such as the DevSecOps Foundation course, which is new in 2022. Therefore, the materials and exam for the DevSecOps Foundation course are currently only in English. A French translation may be available at a later date depending on the success of the certification.

T: Who is the DevSecOps Foundation training for?

Julien Dort: Preferably people who have a basic knowledge of IT and who work in this field. Be careful, this is not a course to become an expert in cybersecurity, but to have a good understanding of security and compliance. Without going into too much detail, I would say that the DevSecOps Foundation training allows you to have a good understanding of the landscape of cyber threats, to know how to protect against them, to identify who in the company needs to be involved, to take stock of where the organization is and the progress to come, to address automation and compliance, and also to know how to spread all these concepts within the company depending on its size.

T: Is the certification permanent?

Julien Dort: No, like most IT certifications, it is valid for 2 years. To renew it, there are two methods, either retake the exam after two years, or accumulate points that you earn by attending webinars, conferences, etc. The goal is to ensure that the certified person stays current in their knowledge.

To go further:

DevSecOps Foundation: security strategies and benefits for your organization
