2nd Watch Debuts DevSecOps Strategy Service
The innovative cloud solution provider has expanded its services portfolio to help customers align DevOps and security practices by implementing security-as-code processes that eliminate stumbling blocks in agile software delivery.
In recent years, 2nd Watch has built out distinct DevOps and security consulting services to help customers adopt modern IT practices. The innovative cloud solution provider is now looking to guide those customers on the next phase of their digital transformation with a program aligning the two into DevSecOps practices.
The DevSecOps Assessment and Strategy service that 2nd Watch introduced Tuesday looks to eliminate the remaining stumbling blocks that are keeping enterprises from realizing the benefits of agile software development and delivery.
But DevSecOps, a security-as-code methodology, can be difficult to implement, requiring not only adoption of a technological toolkit, but a change in culture, Victoria Geronimo, product manager for security and compliance at Seattle-based 2nd Watch, told CRN.
The pain point 2nd Watch is seeing among its enterprise customers is that their DevOps and security teams often don’t know much about what the other is doing—or how to cooperate.
“When we send things to security, they’re on a different cycle than us. Things don’t move that quickly,” Geronimo said she hears developers often lament. “We don’t get results back in the same language that we seek.”
Security professionals not particularly versed in DevOps practices often find the same vulnerabilities over and over again, but they can’t translate their fixes into sustainable code. At the same time, DevOps engineers routinely ignore “basic security things you should be learning as a developer from day one.”
And without the two working together effectively to integrate security processes into the DevOps life cycle, the speed and agility desired in releasing software is sacrificed, Geronimo said.
2nd Watch’s DevOps service was developed for customers with development and operations teams that hadn’t yet aligned; the DevSecOps service does much the same for DevOps and security teams.
The service relies on GitLab technology for building out DevSecOps pipelines, but the tools, and when they’re implemented, are less important than the processes.
“Dumping a bunch of tools at once and getting them to use them all at the beginning would be a recipe for disaster,” she said. “It’s not just getting a tool and trying to jam it in the middle of the developer’s CI/CD pipeline.”
Instead, 2nd Watch consultants go out and interview customers to understand how they work. They then provide a template for implementing security-as-code.
2nd Watch ultimately lays out a road map for when customers will train with specific tools and when they will integrate them into the software development life cycle.
While 2nd Watch is closely associated with Amazon Web Services, and has an emerging Microsoft Azure practice, the DevSecOps service is cloud-agnostic.