What is DevSecOps..?

What is DevSecOps?

The term “DevSecOps” adds information security to the original “DevOps” operating model.

DevOps itself refers to the collaborative operating team formed by software developers and IT operations staff.

DevOps is common practice the world over. The trouble, though, is that it was built for agility, speed and reliability – not security. And we don’t have to look far to see the plethora of security breaches all around us.

The advent of DevSecOps looks to address this weakness. By adopting this operating model to identify security issues during the build cycle, rather than after release, you can lower attack risk and improve the security posture of your entire enterprise.

DevSecOps requires an attitude shift first, followed by the supporting tools and frameworks to sustain it. The attitude shift often starts with management, but it can be implemented at any level to begin with.

The steps to DevSecOps are to first address the governance layers, then the documented processes – and finally, the people.

STEP 1: GOVERNANCE

Adopt a security framework (ISO 27001/27002 or NIST SP 800-53) and begin defining your overarching controls. Develop and design your information security policies, incident response plans, business continuity plans and coding standards. These policies and plans are living documents that need to be signed, approved and adopted at board level annually. In turn, the board needs to hold the executive to account for the adoption and implementation of these standards. The individuals tasked with implementation should be the CEO, CIO and CISO, or the CFO, CIO and CISO.

STEP 2: PROCESSES

Successful implementation of DevSecOps requires changes. These are best communicated through documented processes that are first carried out manually and then integrated into an automated workflow. The newly formulated processes also need to link to your external vendors’ software (or system) development life cycle (SDLC) documentation.

STEP 3: PEOPLE

Ensure everyone across the whole business receives information security training. One of the biggest attack surfaces in an organisation is the sheer number of applications it runs.

STEP 4: TOOLS – MANAGE APPLICATION RISK WITH PROCENSUS

To assess application security intelligently, start with governance, people and process – then automate the repetitive tasks. Procensus is a production risk management platform that provides you with ongoing assessments for effective, proactive and risk-reducing results.
