This is our latest iteration on how to build a DevSecOps program. This research paper is the result of hundreds of hours of research and several hundred conversations with Fortune 1000 firms on the challenges companies face and the problems they are most interested in tackling. We go deep into covering all phases and facets of secure application development. And we did a complete reversal on the naming convention; from DevOps to DevSecOps. It became obvious during our calls that despite the idealism involved with leaving ‘Sec’ out of the title, security is getting short shifted and it needs to be called out.
From the paper:
In our 2015 work “Building Security Into DevOps” we embraced the idea that security was an equal partner and there was no reason to call out security specifically. In hindsight, this was wrong. The fact is security practitioners are having a much harder DevOps journey, and they are the ones struggling, and they are the ones who need a roadmap on security integration. Stated another way, practitioners of DevOps who have fully embraced the movement will say there is no reason to add ‘Sec’ into DevOps, as security is just another ingredient. The DevOps ideal is to break down silos between individual teams (e.g., architecture, development, IT, security, and QA) to better promote teamwork and better incentivize each team member toward the same goals. If security is just another set of skills blended into the overall effort of building and delivering software, there is no reason to call it out any more than quality assurance. Philosophically they’re right. But in practice we are not there yet. Developers may embrace the idea, but they generally suck at facilitating team integration. Sure, security is welcome to participate, but it’s up to them to learn where they can integrate, and all too often security is asked to contribute skills which they simply do not possess. It’s passive-aggressive team building!
This is a major re-write of our 2015 research work and we hope you will find it beneficial. And we wanted to thank Veracode for licensing this content. Our licensees are what makes it possible to bring this paper to you free of charge!
You can download a copy of the research here: Enterprise_DevSecOps_2019_V2.FINAL_.pdf