Three Ways of DevOps in the Context of Security
Accelerating the Developer-First Security Movement
Is your security team paralysed by fear of failure? Do your software engineers scratch their heads over feedback that comes days or weeks — sometimes even months! — after the code was fresh in their minds? Do the same security defects crop up over and over again?
If you answered “Yes!” to any of those questions, it’s time to take a look at the Three Ways of DevOps as they fit into the context of security. These are the principles that underpin DevOps, as described in the book The DevOps Handbook by Gene Kim, Jez Humble, Patrick Dubois and John Willis.
All DevOps behaviours are derived from these Three Ways, which are:
- 1st DevOps Principle — The Flow of Information from Development to the Customer
- 2nd DevOps Principle — The Amplification of Shorter Feedback Loops
- 3rd DevOps Principle — The Culture of Continual Experimentation to Take Risks and Learn from Failure
Looking at security through the lens of these three principles can help your organisation to create high-performing — and secure — delivery teams.
By introducing the three ways of DevOps in the context of cybersecurity, the aim of this video is to help software engineering teams to improve their security posture and gain a better understanding of cybersecurity within their organization's value stream.
This video covers the impact of the Three Ways, including:
Principle 1: Flow. Flow addresses the entire system, rather than any specific part of it. This principle describes how information flows through the whole system, from the original concept of a product or service until it is delivered into the hands of the final customer and, beyond that, until the service or product is finally decommissioned.
When considering DevOps security, this principle calls for factoring in all parts of the system that are linked to the products or services: for example, an email or messaging system that an attacker can exploit to penetrate your DevOps framework. Adopting this principle helps your organization to improve cybersecurity in the context of the whole system, and not just parts of the system.
Principle 2: Shorter feedback loops. The second way is the amplification of shorter feedback loops, so that corrections can be made continually. Shortening feedback loops enables faster detection of security defects, while automation prevents them from recurring.
Automated security testing creates feedback loops that provide information to the engineer sooner, so as to fix defects earlier in the development life cycle. Other areas where feedback loops can be shortened include, for example, threat modeling of a new product or feature. Threat modeling is designed to enable engineers to identify potential weaknesses in their systems before code is written. Engineers can continue to threat model during development to quickly identify potential weaknesses as they develop new functionality.
This practice provides a feedback mechanism during design and development, which is far better than identifying weaknesses after the code has been written or even deployed to a production environment. Adopting this principle gives your organization the tools to provide early feedback on potential security weaknesses.
Principle 3: The final way is the culture of continual experimentation and learning that allows us to take risks and learn from failure. Observability is a key component of this principle. Collecting data about the behaviour of the system gives engineers an opportunity to observe how security-related incidents manifest within the system and allows them to take corrective action.
This third principle helps organizations to continually evolve their good security practices.
Adopting the Three Ways of DevOps in your application security practices is key to lowering risk: they sharply increase your ability to resolve vulnerabilities quickly once they are detected.
Watch our video now to learn more!
Contrast Security is excited to accelerate the developer-first security movement with a series of DevOps videos to support organisations' digital transformation initiatives, at speed and scale.
Join your peers, Contrast customers and InfoSec industry experts.
You will also have a chance to continue your learning through numerous videos from various DevOps experts, which we’ll make available throughout the year.
Host

Glenn Wilson (CISSP)
DevOps / Agile Security Consultant