DevSecOps is a new way of working, as described in my blog "What is DevSecOps? And Why is it needed?". While developing the training course DevSecOps Hands-on, I realised I needed a DevSecOps framework that brings together the elements making up DevSecOps; I then used that framework to define the topic areas of the course at a high level.
The DevSecOps Framework shows the aspects which together make up effective DevSecOps within an organisation, spanning application security, infrastructure security and security operations.
Culture – it is essential that the organisation's senior management emphasise the importance of security not only in words but also in actions. Product Owners leading agile sprints need to prioritise the implementation of security features and of the technical controls that mitigate risk.
Organisation – a key principle of DevSecOps is to embed security expertise within each application development and DevOps team. For application development teams this is often best achieved by appointing security champions; for infrastructure teams it may well be a security specialist or an infrastructure engineer with a particular interest in security. The DevSecOps approach to security operations is a Virtual Security Operations Centre (SOC) made up predominantly of the security specialists spread across the organisation.
Tools are an important element of DevSecOps and will be covered in a future blog post. They range from AppSec tools for application security, through DevOps tools for infrastructure security, to Security Orchestration, Automation and Response (SOAR) for security operations.
Training options are broad, and ideally an organisation will implement all of them:
Application Security training should be tailored to the particular programming languages used by the organisation.