Over the last few years, more and more Salesforce teams have been moving away from org-based development towards DevOps, so they can collaborate more easily, manage multiple workstreams, and deliver projects quickly and incrementally. Ultimately, DevOps enables teams to get more value out of Salesforce for their businesses.
As DevOps has become more familiar to the Salesforce ecosystem, some teams are beginning to wonder about DevSecOps — a concept that has been trending in the wider world of software development.
What is DevOps?
To understand DevSecOps, we have to begin with DevOps itself.
DevOps is a set of processes and tools that teams use to streamline their development workflows. But the fundamental problem that DevOps aims to solve is related to people. Specifically, DevOps is designed to break down the silos in which developer and operation teams work. For example, in the world of Salesforce development, DevOps helps to bridge the divide between developers and admins. It brings teams together so everyone can play a part in the development and release process, end to end.
For some, DevOps is just another word for release management, but it really describes a more specific approach, characterized by close collaboration, agile development, and shorter release cycles. DevOps helps you:
- Get finished work to end users sooner
- Tighten the feedback loop and encourage user-driven development
- Debug releases more easily
High-performing Salesforce teams release faster to deliver more business value. Survey results show DevOps has a positive impact on businesses, both in terms of time savings and faster rates of delivery: 52% of respondents are now able to deploy in less than one hour. Elite and high-performing teams are forging ahead with high-frequency releases, short deployment times, and low change failure rates as a result of implementing DevOps processes. Teams that haven’t made the switch to DevOps yet are at real risk of losing out on the clear financial benefits and increased business agility achieved by establishing a high-performing DevOps process.
What is DevSecOps?
If DevOps is about bringing together the people, processes, and tools for development and operations, DevSecOps emphasizes the need to make sure security isn’t left out. It’s important to note that DevOps best practices already enhance security dramatically, and there’s a sense in which DevSecOps is really just DevOps done well. But it’s also true that many businesses still have people, processes, and tools for security that are siloed away from DevOps. Breaking down those silos creates greater value and accelerates team pace.
In the context of Salesforce, DevSecOps really means two things:
- Making sure all the people whose roles involve developing, maintaining, and protecting the business’s Salesforce environments can work together seamlessly, enhancing security as a result.
- Making sure admins, developers, and other leaders in InfoSec (Information Security) and Compliance are educated on, contribute to, and reinforce the security protocols of the organization through use of DevOps tools and processes.
By placing security at the heart of the DevOps practice, not only can organizations innovate faster and release more often, they can more mindfully and intentionally follow best practices for security and compliance.
Our DevSecOps playbook
Although Salesforce offers world-class tools and processes to help organizations on their digital transformation journeys, great security and collaboration depends on people. In our experience, many teams are new to the ideas presented in this eBook, and that’s OK! In fact, some of the best DevSecOps processes we’ve seen have started with assembling a great team of cross-functional roles — and learning about best practices together. But first – who should have a seat at the table?
Designing your center of excellence
Certainly, Salesforce architects, admins, and developers are instrumental in starting your DevSecOps initiative off on the right foot. Ultimately, responsibility for the success of the Salesforce platform lies in the hands of this core team, but it doesn’t stop there. Ideally, you will have a clear, well-documented process and expectations for how to test new features, how to ensure they align with security requirements, and how you will ultimately release to users and get them trained.
In addition to this core team, there are several other advisory roles that are important to include in a solid DevSecOps practice: InfoSec, Cybersecurity, and Compliance. Each of these roles offers different lenses into the threats your organization might face and how your systems might be vulnerable to potential breaches or data exfiltration by employees. According to the Identity Theft Research Center, there have been more than 12,000 data breaches since 2005!
In many companies, InfoSec and Compliance are handled by different teams, and sometimes there’s a dedicated Security or Cybersecurity team that monitors and protects all their systems. Some smaller companies may blend these functions together within IT.
Whatever your company’s size, making an organizational commitment to security requires that all of these roles are informed and involved when your team is architecting and designing solutions. It’s vital that InfoSec and Cybersecurity advise your Salesforce administrators and developers, who aren’t security experts, and Compliance should also be involved to ensure that all regulations — global and local — are taken into consideration early on.
With these key contributors to DevSecOps identified, the next step is to reinforce this commitment to security by establishing a DevOps Center of Excellence (COE): a clearly defined group of people who have accountability, responsibility, and governance around security needs. The core team should include the key roles above, and the COE should advise other system stakeholders and executives about upcoming changes to help reinforce policies across business lines. These stakeholders may include representation from shared services like marketing and operations, individual lines of business, and executives who need to be in the loop about the roadmap for security.
Building trust through learning and collaboration
Once you’ve identified who will manage, advise, and oversee your DevSecOps COE, it is important that they learn about and understand the breadth and depth of security features available on the Salesforce platform — as well as what the formal security policies of the organization require. If you’re kicking off a newly minted team, this is a great opportunity to host a DevSecOps workshop.
The DevSecOps team should host regular forums for the COE to discuss the cross-functional nature of security and its impact, as well as to develop a forward-looking roadmap of items that need oversight and planning. This group can be a great forum for creating feedback loops about what’s working, what’s not, and what’s coming next. Through a solid cadence of communication and trust-building, the DevSecOps COE will become instrumental in demonstrating the good-faith effort to follow security practices and in creating an organizational mindset that encourages everyone to take individual responsibility.
Establishing your DevSecOps charter
Once your COE team is established and everyone is educated on the security options and requirements of the organization, it’s important to start with a clear charter for the group, so that everyone understands what DevSecOps represents and what the intent of your work together is. Creating a security-conscious culture requires vigilance on the part of all employees, as well as strong leadership, careful planning, and open and transparent communication across the organization.
Your company likely requires all employees to take regular security awareness training so they understand how to handle especially sensitive data such as PII (personally identifiable information) and PHI (protected health information). DevSecOps adds an additional operational dimension and a number of questions your COE should be prepared to answer and audit regularly:
- What are the security requirements we must follow?
- Where are the most risks in our development process today?
- What are we doing to address these risks?
- What’s on our roadmap that might create new or different risks?
- How are we proactively planning for and monitoring these risks?
- What threat models do we face?
DevSecOps is all about embedding security into the development process from the beginning and engaging the team throughout every step of the cycle. In the past, we have seen some business stakeholders deprioritize security or treat it as an afterthought, given the choice between using budget on new features or addressing risk. But it’s important that your COE understands the goal is to shift from a reactive security posture to a proactive one that is constantly evolving alongside your business.
Develop more effective DevSecOps processes with Silverline
Security should feel like a partner to the business instead of an obstacle, and collaborate throughout the development process to ensure usability isn’t unduly impacted by security requirements. Silverline’s Salesforce DevOps services ensure that security isn’t forgotten as we empower optimized, scalable, and reliable development operations, continuously improving your DevOps processes as Salesforce improves their developer and deployment automation tools. Learn more about how we can help your organization.