Getting Started in DevSecOps

April 15, 2020 By Christopher Downey

Swish Cheat Sheet

Become part of the community

Do all three

  1. Join the NoVA DevSecOps meetup
  2. Join the NoVA DevSecOps online learning community (coming soon from Swish)
  3. Join the DoD Enterprise DevSecOps Community of Practice and attend (virtually) the monthly sessions by forwarding your name and contact info to Christopher Downey ( and/or Matt Sladky at in order to get added to this distribution list.

Identify your goal

Pick just one

  1. Migrate a legacy application to the cloud
  2. Write a new cloud-native application

You can’t manage what you can’t measure.

Talk to us about measuring full stack performance of applications prior-to, during, and after migration.  (Email Matt Sladky at

Prepare yourself first

Learn from others in the NoVA DevSecOps online discussion community.

Create your braintrust and learn from them as much as you can (no less than 15-30 minutes daily). Start with:

Bite-sized lessons

  • DoD Enterprise DevSecOps training
  • Martin Fowler (explore his website to become familiar with his work; you will soon discover him all over the place on your journey)

Deeper dives

  • The Phoenix Project (a great story that many in IT can relate to; it will give you vivid context for what follows. The audio version is excellent.)
  • Continuous Delivery (first read Martin’s explanation, then the book). At the very least, read the first two chapters. Chapter 2 provides a critical understanding of what is meant by “configuration management” and why it is the very first thing you have to get right.
  • Accelerate (you really want to read this as you’re moving into culture change)

Prepare your team

Be forewarned.

Technology is the easy part; people and process are much, much harder. You will need patience and perseverance.

Be proactive.

Avoid the biggest possible mistake you could make at this point: do not drop new processes on top of your team. Agility cannot be mandated.

With your team, examine everything you’re doing and ask: do we have to do it this way? Work this question on a regular basis for a few months while learning to embrace agile.

  • YES, we do. Why so?
  • No, we don’t! What could be better?

Assess readiness.

Does your team have the necessary skills to start? Git is the foundational skill that all developers must have.

Does your team have the necessary tools to start? Or so many tools that the team will get bogged down dealing with them?

Who on your team doesn’t have the necessary attitude? You need the right people to be successful. It isn’t uncommon to need to replace 50% of a legacy/waterfall group.

If you are migrating an application, is it the best one to start with?

It can take 9-12 months to have a team that is ready. You will need patience and perseverance.

Your Roadmap

  1. Learn to get agile right.
  2. Continuously improve your team’s skillset.
  3. Learn to push out secure code.
  4. Automate that ability.
  5. Work towards continuous ATO.

Next Action To Take

Email me directly at if you’d like to discuss your specific software development challenges.