DevSecOps specialist group: Strategy
Read about the strategy of the DevSecOps specialist group.
Introduction
The term ‘DevSecOps’ refers to the application of security principles and practices throughout the ‘DevOps’ life cycle of application development and system operations.
Historically technology security has often been an afterthought of application development, focused only at the end of a development life cycle. For classical ‘waterfall project’ approaches, this was acceptable, as the rate of change was low.
However, with ‘DevOps’ development practices introducing concepts such as ‘continuous delivery’, this pace of change has dramatically increased. As such there is now a drive to ‘shift left’ the implementation of security and related governance to earlier in development and ultimately consider it as part of every aspect of the software development life cycle.
Topics
The DevSecOps specialist group focuses on technologies and practices that support this approach to security and application development. Including but not limited to:
- Software development life cycle
- Continuous Integration / Continuous Delivery (CI/CD)
- Automated testing - including Static Application Security Testing
- Container technology security - including runtime technologies (Docker et al) and orchestrators (Kubernetes, Mesos, Swarm et al)
- Serverless application security
- Network security technologies - including stateful packet filtering, application firewalling, intrusion detection/prevention, VPNs and denial of service protection
- Logging and event management (SIEM et al)
- Automated security governance and policy enforcement
- Data security technologies at rest and in transit - including encryption, key management, disaster recovery and resilience technologies
- Identity, authentication, access management and protection technologies
- Security within the software development life cycle
- Infrastructure control plane security (i.e. security of IT platform management tooling itself, not just the applications)
Across any IT environment, be it on premises or hosted private cloud environments through to hyperscale public cloud environments (AWS, Azure, GCP et al).
Engagement Approach
These topics will be covered through events of the following format:
- Introduction to topics - Seminars (1-2 hours)
- What is devops? DevSecOps? How is the software development life cycle changing?
- What is CI & CD, what are the common tools - like git, jenkins, etc.
- What is agile vs scrum methodologies, compared to traditional approaches
- What is cloud - private vs public vs hybrid
- Technology spotlight - Seminars (1-2 hours)
- Single vendor / focus
- Technology demonstrations from vendors
- Security process and practice - Seminars (1-2 hours)
- Governance, control, audit, compliance
- Workshop / Interactive (hands on, ½ day to 1 day)
- Deep dive workshops, facilitated through a vendor