2. Need for DevSecOps
• Full StackOverflow Development
• DevOps accelerates the speed of development
• Security controls imposed by a separate team of security specialists do not scale to that speed
• Security must be a primary concern of the development team itself
3. What is DevOps
• A new role?
• Partnership/communication/empathy between Dev and Ops
• CI/CD Tools?
• Automation?
• Self Service?
• Techniques like feature flags or traffic shaping?
• Move fast and break things?
• Culture change (systems thinking, continuous improvement)?
4. DevOps IS
• Empowered engineering teams
• Taking ownership of how the product/application performs in production
5. Mature DevOps Practices
• Develop in TRUNK
• No long-lived branches
• Short-lived branches for code review, release changes, and security scanning
• A dead-end release branch (never merged back) is OK
• Features behind flags, toggles, or traffic shaping
• Automated validation, then automated push to production
6. What is Dev[Sec]Ops
• Thinking of security as a primary concern
• Empowered engineering teams
• Taking ownership of how their product/application performs in production [including security]
7. Dev[Sec]Ops Manifesto
• Build security in
  • more than bolt it on
• Rely on empowered engineering teams
  • more than security specialists
• Implement features securely
  • more than security features
• Rely on continuous learning
  • more than end-of-phase gates
• Build on culture change
  • more than policy enforcement