There are many books and articles on how a project should be led. In the Agile Zone, you'll find many articles on how to handle projects, organizations, teams, products, and so on.
But there is one subject that is often poorly covered, or covered too late: application security. If, for example, you look at the SAFe framework, you find a great many actors, from the most business-oriented to the most functional, but not a word about the contributions of security experts! There is DevSecOps, but unfortunately this concept is much less widespread than DevOps. To be sarcastic, I would say that you have to be in a company sincerely concerned with both DevOps and security to have any hope of finding DevSecOps.
DevSecOps in a Few Words
If we were to summarize DevSecOps, we could say that it is DevOps as we know it, plus:
- Shared (mutualized), industrialized technical tooling, together with user rights management.
- A set of good security architecture practices (container isolation, encryption of data at rest and in transit, use of secure API gateways).
- Automated security analysis.
- Automatic management of security updates.
- Automated audits.
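To make the "automated security analysis" and "automatic management of security updates" items concrete, here is an added example of the kind of dependency gate a DevSecOps pipeline runs on every build. It is not code from the article: the pinned-dependency manifest, the advisory feed, the package names and the advisory identifiers are all constructed for illustration, and no real advisory database is consulted. The gate reports which pinned versions fall inside an advisory's affected range, decides whether the build may proceed based on a severity threshold, and proposes the minimal version bumps that close the findings.

```python
"""Added example (not from the article): a minimal automated dependency
security gate plus an automatic security-update proposal.

Everything here is constructed: the manifest, the advisory feed, the package
names and the "ADV-000x" identifiers are invented placeholders, not real
packages or CVE numbers."""
from dataclasses import dataclass

# Constructed manifest: the pinned versions a build would install.
PINNED_DEPENDENCIES = {
    "examplelib": "1.4.2",
    "netparser": "0.9.0",
    "tokenstore": "2.1.0",
}

# Constructed advisory feed. Each entry names the affected range
# (inclusive lower bound, exclusive upper bound) and the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "introduced": "1.0.0",
     "fixed": "1.4.3", "severity": "high"},
    {"id": "ADV-0002", "package": "tokenstore", "introduced": "2.0.0",
     "fixed": "2.2.0", "severity": "critical"},
    {"id": "ADV-0003", "package": "netparser", "introduced": "1.0.0",
     "fixed": "1.0.4", "severity": "medium"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    installed: str
    fixed: str
    severity: str


def parse_version(text: str) -> tuple:
    """Turn 'x.y.z' into a tuple of ints so versions compare numerically
    (so that 1.10.0 > 1.9.0, unlike a plain string comparison)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= installed < fixed."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(pinned: dict, advisories: list) -> list:
    """Automated security analysis: match every advisory against the manifest."""
    findings = []
    for adv in advisories:
        installed = pinned.get(adv["package"])
        if installed is None:
            continue  # package not used by this build
        if is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["id"], adv["package"], installed,
                                    adv["fixed"], adv["severity"]))
    return findings


def gate(findings: list, fail_at: str = "high") -> bool:
    """Pipeline gate: the build may proceed only if every finding is below
    the fail_at severity."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


def proposed_updates(findings: list) -> dict:
    """Automatic security-update proposal: bump each affected package to the
    lowest version that closes all of its findings."""
    updates = {}
    for f in findings:
        current = updates.get(f.package)
        if current is None or parse_version(f.fixed) > parse_version(current):
            updates[f.package] = f.fixed
    return updates


if __name__ == "__main__":
    found = audit(PINNED_DEPENDENCIES, ADVISORIES)
    for f in found:
        print(f"{f.severity.upper():8} {f.advisory_id} "
              f"{f.package}=={f.installed} (fixed in {f.fixed})")
    print("build allowed:", gate(found))
    print("proposed updates:", proposed_updates(found))
```

Run as a pipeline step, a `False` from `gate()` is what fails the build; the dictionary from `proposed_updates()` is what an automated update bot would turn into a pull request against the manifest. Real pipelines replace the constructed advisory list with a feed from a vulnerability database and the manifest with the project's actual lockfile, but the comparison and gating logic stay the same.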
When to Focus on Security
We then realize that security teams can be integrated into DevOps projects. One could also deduce that the security teams should at least be consulted at:
- The start of a new project.
- The adoption of a new technology.
- The introduction of a brand new architectural pattern.
Let’s All Speak Together!
But all this is nothing next to the wild imagination of the chief thinkers who came up with the concept of BizDevOps. No irony on my part: the subject is serious and interesting, but you'll notice the lack of security. You would think that everyone is jealous and wants their own DevOps, but this mainly reflects the lack of consideration given to security teams. To improve communication between teams and security coverage, we need to ask ourselves:
- Why don't the business ("Biz") people talk to security about new projects?
- Why wouldn't security be involved in vendor studies?
- In short, why don’t all the people involved in one project talk to each other?
We could then have a fairly simple organization, in which security teams are involved at every step of the process. In short, an organization where everyone talks to each other.