Clear communication channels are available for development, security, and operations to communicate with one another.
Bolstering communication between teams is what DevSecOps engineers should strive for on an ongoing basis. Keeping the communication alive can help foster collaboration and ensure voices are heard.
Version Control Systems
GitHub and GitLab are the two most common web platforms that enable collaboration through git. As a DevSecOps engineer you should embrace the use of git for everything you do day to day. It helps you collaborate on projects, share code with one another, build a collection of reusable code, and foster a vibrant community within your organization.
A great way to encourage participation is to be active within your version control systems. This allows you to foster collaboration, recognize excellent work, and keep the conversations inclusive of other individuals.
- Be specific in your comments; avoid comments like "lgtm", "change this", etc.
- Ask questions about the proposed changes
- Be timely in your responses
- Be respectful of different approaches
- Leave positive comments on outstanding work
- Use positive emojis on comments
GitHub and GitLab both provide a form of actions that run automatically based on a variety of triggers, such as a cron schedule, a pull request, or a merge. These can help you significantly in checking for code quality and security mistakes, automating deployments, and fostering a collaborative environment. Here are some examples below to get an idea of what capabilities you have within GitHub Actions.
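The following workflow is an added example, not code from the original page: it shows the two trigger kinds mentioned above (a pull request and a cron schedule) driving a dependency vulnerability audit, with the workflow token restricted to the least privilege the job needs, and a specific pull request comment when the check fails. It assumes a Python project with a `requirements.txt`; the workflow name, job name, and the choice of `pip-audit` as the scanner are assumptions.

```yaml
# Added example: a GitHub Actions workflow that audits dependencies for known
# vulnerabilities on every pull request and on a nightly cron schedule.
# Assumes a Python project with a requirements.txt (hypothetical layout).
name: security-check

on:
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 2 * * *"   # nightly at 02:00 UTC

# Least privilege: the default GITHUB_TOKEN only gets read access to the
# repository contents plus the ability to comment on pull requests.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Audit dependencies for known vulnerabilities
        # pip-audit exits non-zero when a vulnerable package is found,
        # which fails the job and blocks the merge if the check is required.
        run: |
          python -m pip install --upgrade pip pip-audit
          pip-audit -r requirements.txt

      - name: Leave a specific comment on the pull request when the audit fails
        if: failure() && github.event_name == 'pull_request'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr comment "${{ github.event.pull_request.number }}" \
            --body "Dependency audit failed on this pull request; see the security-check job log for the affected packages and the fixed versions."
```

Making the `security-check` job a required status check on the `main` branch turns the audit into a merge gate rather than an advisory, and the comment step keeps the feedback specific rather than a bare red X, in the spirit of the review guidance above.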
Workplace Communication Platforms
Communication is most active in workplace communication platforms such as Slack, Microsoft Teams, and Google Hangouts. One of the most popular tools is Slack, so the content below will focus on that platform, though the advice should still apply to the others.
To keep engagement high, keep the following recommendations in mind when you are performing outreach within the organization.
- Avoid jargon or technical terms that the audience of the channel may not know
- Avoid specific channel topics that exclude significant portions of the organization
- Set up surveys or polls to include others in decision making
- Invite as many relevant individuals as is reasonable
- Encourage participation through inclusiveness, emojis, and recognizing individuals
- Leverage integrations to your advantage to foster conversation through notifications
Creating communication channels between teams should be one of the most important tools in your tool belt. Since DevSecOps is all about collaborating with development, operations, and security teams, communication is a vital part of the mission. Do you have the following channels in your organization?
- Security + Operations Teams
- Security + Development Teams
- Security + Operations + Development Teams
- Infrastructure as Code
- SDLC Notifications
- Pull Requests
Having these channels helps not only your team but others to include everyone in the conversation. This way you can champion efforts, streamline major changes, and ask for feedback on a given approach. Are you doing the following within those channels?
- Provide notice of upcoming changes
- Ask for feedback on a given project
- Involve external teams to make security decisions
- Foster collaboration
Integrations are a great way of fostering collaboration, since automated communications keep conversations alive. They can also help keep a channel on topic, especially when the automated messages are scoped to the channel's purpose.
- GitHub/GitLab for pull requests
- Asana/Jira/Trello for ticket updates
- RSS for news
- Webhook/App for deployments to your environment
- Webhook/App for alerts
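As an added example of the "Webhook/App for deployments" integration above (not code from the original page), the workflow below posts a message to a Slack channel through an incoming webhook whenever a GitHub deployment reaches a terminal state. It assumes the webhook URL is stored as a repository secret named `SLACK_WEBHOOK_URL`; that secret name, the workflow name, and the message wording are assumptions. Event values are passed to the script through environment variables and serialized with `jq`, so an environment name or commit message containing shell or JSON metacharacters cannot alter the command or the payload.

```yaml
# Added example: notify a Slack channel when a deployment succeeds or fails.
# Assumes an incoming-webhook URL stored in the repository secret
# SLACK_WEBHOOK_URL (the secret name is an assumption).
name: deployment-notifications

on:
  deployment_status:

# The job only talks to Slack; it needs no write access to the repository.
permissions:
  contents: read

jobs:
  notify-slack:
    runs-on: ubuntu-latest
    # Post only on terminal states; "pending" and "in_progress" would be noise.
    if: contains(fromJSON('["success", "failure"]'), github.event.deployment_status.state)
    steps:
      - name: Post deployment result to Slack
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          # Event fields go through env vars, never directly into the shell script,
          # so untrusted values are never expanded as shell syntax.
          DEPLOY_STATE: ${{ github.event.deployment_status.state }}
          DEPLOY_ENV: ${{ github.event.deployment.environment }}
          DEPLOY_SHA: ${{ github.event.deployment.sha }}
          REPO: ${{ github.repository }}
        run: |
          # Build the JSON with jq so every value is properly escaped.
          payload=$(jq -n \
            --arg repo "$REPO" --arg env "$DEPLOY_ENV" \
            --arg state "$DEPLOY_STATE" --arg sha "$DEPLOY_SHA" \
            '{text: "Deployment of \($repo) to \($env) finished: \($state) (commit \($sha[0:7]))"}')
          # --fail makes a non-2xx response from Slack fail the step, so a broken
          # webhook shows up in the Actions log instead of silently dropping alerts.
          curl --fail --silent --show-error -X POST \
            -H 'Content-Type: application/json' \
            --data "$payload" "$SLACK_WEBHOOK_URL"
```

The same pattern serves the "Webhook/App for alerts" item: point the trigger at the event you care about (a failed security scan, a new release) and keep the webhook URL in a secret rather than in the workflow file, since anyone who can read the URL can post to the channel.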
Keeping the conversation alive should be a vital step in ensuring collaboration within your organization. Next we will go over how to perform security assessments.