What is Transformation.dev and Transformation Blueprint?
Transformation.dev is a community and Transformation Blueprint is a web application that together give you a systematic framework for transforming the mindsets and behaviors of developers and development teams.
How do you actually get developers and development teams to adopt new mindsets and behaviors?
There is more to it than this, but the basic approach is to:
Leverage, rather than work against, developer psychology and development team sociology
Hook into their desire for engineering excellence
Define practices in terms that make sense to developers using a modern Agile/DevOps approach rather than security specialists who assume a more waterfall or "software factory" approach
Focus on coaching and toolsmithing rather than gatekeeping, policing, or auditing
Never overwhelm the development team by providing up-front a comprehensive list of gaps
Rather, provide a shallow improvement ramp via incremental gap analysis where you shift into planning mode as soon as you uncover a few high-value improvement opportunities
Get each individual development team on this improvement path
Coach and gamify each team along it
Create an environment of viral adoption
How does this relate to the Agile and DevOps movements?
We borrow from and build upon the Agile and DevOps movements which, among other things, are shifting ownership of the quality of products left to the development teams building those products. After all, security is just an attribute of quality, and a vulnerability is just a particular kind of defect.
Perhaps even more so, we borrow the transformation techniques that those movements used to achieve their results for organizations, teams, and individuals.
How is this related to Digital Transformation initiatives?
We are also connected to Digital Transformation. However, while much of the content and expertise in Digital Transformation is focused on adapting business strategy to an ever more digital future, we are more focused on transforming each development team’s practices and mindset to better support whatever Digital Transformation strategy you adopt.
What's the initial focus of Transformation Blueprint?
The initial focus of Transformation Blueprint is DevSecOps, also known as Shift Left Security.
What are DevSecOps, Dev-First Security, and Shift-Left Security?
DevSecOps, Dev-First Security, and Shift-Left Security are various labels for a movement that is shifting ownership of key aspects of the security of products left to the development teams who are building those products. This movement is an acknowledgment that throw-it-over-the-wall/bolt-on/inspect-in approaches to security, while they have arguably never been very effective, have no hope of scaling with the accelerating pace of development. We need a build-it-in cultural transformation approach like Transformation Blueprint.
How is Transformation.dev different from other approaches to DevSecOps, Dev-First Security, and Shift-Left Security?
Transforming to DevSecOps, Dev-First Security, or Shift-Left Security requires fundamental shifts in mindset and practices by the development team which has been frustratingly resistant.
You might think, “We can achieve this If we can just…
… create more relevant and consumable policies”, and/or
… get better at enforcing our policies”, and/or
… implement the right metrics-based incentives”, and/or
… train our developers better on application security”, and/or
… collaborate better with engineering via an engineering security champion program.”
However, while those things are needed, the key missing ingredient is a systematic framework like Transformation Blueprint.
What you are talking about sounds highly disruptive. Why do you think security leaders, who are generally quite conservative, will get on board?
It's important to note that the role of the QA department was fundamentally disrupted by the Agile movement and the DevOps and Cloud-Native movements were similarly disruptive to traditional IT and Ops groups. The throw-it-over-the-wall way that QA and Ops was previously done was not simply shifted left to the development team. Rather, the tooling, roles, and overall approach had to be fundamentally changed in order to be accepted by the development team.
Change is always hard, but disruptions are particularly difficult when a person's domain of responsibility is drastically changed. Even when security leaders understand that their current approach is not able to keep up and is arguably ineffective, unless they can see the way forward and their role in that future, they are unlikely to embark on such a journey. The Transformation Blueprint approach has been successful at large enterprises like Comcast, Intuit, USAA, and Ford Motor Company and gives security a concrete and proven way forward.
Does it conform to NIST, SANS, OWASP, PCI, etc. standards?
NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in the list are unprioritized, target security specialists, and fail to specify adaptations needed for a dev-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.
So, Transformation Blueprint provides a prioritized set of practices that our community has agreed aligns with modern development approaches and is documented in terms that developers will understand.
That said, this is meant to be a starting point. Transformation Blueprint allows you to tailor the practices and priorities to your context. We offer professional services in the form of consulting and workshops that bring your engineering and security folks together to come up with a tailored prioritized set of practices specifically for your organization.
If it’s tailored to developers and my organization, how will I know if we are compliant with NIST, SANS, OWASP, PCI, etc.?
A key feature of Transformation Blueprint is that every developer-centric practice can be mapped back to one or more standards. This allows you to visualize your current compliance status and trends from the perspective of a specific standard. We don’t have all of the possible standards mapped yet for our starter set, but we’ll prioritize the ones that are most important to our community. You will have to do your own mapping for any new practices you create, but Transformation Blueprint makes this easy.