This is the first in a many-part blog series on the topic of DevSecOps. Throughout the series we will discuss weaving security through DevOps in effective and efficient ways. We will also discuss the ideas that security is everybody's job, it is everyone's duty to perform their jobs in the most secure way they know how, and that it is the security team's responsibility to enable everyone else in their organization to get their jobs done, securely. We will define DevOps, 'The Three Ways', AppSec and DevSecOps. We will get in deep on the many strategies we can adjust security activities for DevOps environments, while still reaching our goals of ensuring that we reliably create and release secure software.
In summary; We will discuss how to make security a part of our daily work. It cannot be added later or after, it needs to be a part of everything.
But let's not get ahead of ourselves, I have many more posts planned where I will attempt to sway your opinion my way.
Tanya Janca, also known as SheHacksPurple, presenting her ideas in Sydney Australia, 2019. Artwork by the talented Ashley Willis.
The main articles in this series will be public and freely available, but the sub-articles and links may be behind the SheHacksPurple.dev paywall. If you find this series helpful, please consider supporting the author by paying the $7 subscription fee, the equivalent of a fancy latte.
Before we get too deep into anything I'd like to dispel some myths. Look at the image below. This is how some security professionals see DevOps. (Slide credit: Pete Cheslock)
This slide's author, Pete Cheslock, is highly intelligent and experienced, this mention is not intended to insult him in anyway. The slide is social commentary, it is not literal. That said, many people I've met truly feel this way; that DevOps engineers are running around making security messes where ever go, and that we (security professionals) are left to clean up the mess. I disagree with that opinion.
Luckily for me, my introduction to DevOps was at DevSecCon, where they introduced me to this image. Below you can see the security team teaching, providing tooling and enabling the magical DevOps unicorns in doing their jobs, securely. This is how I view DevOps; the security team enabling everyone, working within the confines of the processes and systems that all the other teams use.
This series will be loosely based off a conference talk which I have delivered at countless events, all over the planet, 'Security is Everybody's Job'. You can watch the video below, or click here to see it in YouTube.
In the second article we will discuss what Application Security is and why it's a problem for our industry.
If you want to continue to develop your skills, check out WeHackPurple Academy’s NEW course, Application Security Foundations taught by yours truly! There is also a lot of awesome content to subscribe to for only 7$ a month!