SKILupDay

4 years ago
#SKILupDay Observability: #SKILupDay Discussing Observability and Upskilling in DevOps ahead of SKILup Day
4 years ago
#SKILupDay AIOps and MLOps: #SKILupDay Discussing AIOps and MLOps ahead of SKILup Day on October 15
Anshul Lalit
If you’re doing DevOps correctly then DevSecOps is already a part of it. Do you agree? If yes/no, why?
Marc Cluet #BLM
Yes, it should be part of it, otherwise you're just creating another silo #DevSecOps #DevOpsInstitute #SKILupDay
savinderpuri
Absolutely. But it gets more attention if you call it DevSecOps :-)
Jack Maher MSIS, PMP, DOL, CAL, SRE
I'd say that you can't say you're doing Continuous Delivery if you really can't release your code.
Siddharth
Not agree, though, as correctly doing #DevOps means different things to different people. Maybe security is not part of it and is the next best thing to be focused on. #DevSecOps
Vishnu Vasudevan
Not really. Static code scanning, dynamic code scanning and container scanning need to be mandated with thresholds managed by the CISOs, while also not taking control from the engineering teams. If there are no thresholds, developers can push it to prod by mistake/error.
Helen Beal 🐝
Yes I would, BUT DevOps didn't have a very good record of bringing security peeps to the party. For me, it's the opportunity to rightsize the effort that was neglected and sometime, hopefully, it'll fade away. But it's a big topic and there's still a lot of learning.
felipe dueñas
Yes, but it is important to measure
Mark Peters
Yes, but. Only if teams agree security is part of the value process. Compliance needs also often call for specialized experts and audits.
Daysha DevOps
And that includes security requirements in the backlog, treated as equal with features #SKILupDay #DevSecOps
Vishnu Vasudevan
@TinyCyber with digital transformation and the cloud journey, security must be part of the process; it cannot be left out and cannot be an afterthought.
Helen Beal 🐝
Thanks Anshul :-)
Manny Varela
Yes, but "Continuous Monitoring" is essential!
Mark Peters
@vishnube needs to be more than just scans. Teams have to understand why that process matters and where. Too easy to set scan for passing
Mark Peters
@vishnube agreed. Often teams feel like a new feature outweighs security checks. We've done two releases without sec fixes because. Well. FEATURE!
DevOps Institute
How do you define DevSecOps?
Marc Cluet #BLM
Shift left of the security paradigm, ensuring that security is an integral day-zero participant in the full process, embedded in teams and participating in the release cycles #DevSecOps #DevOpsInstitute
Siddharth
As an individual worries about the code from the start till the delivery of value, let's have similar empathy for security as well :) #SKILupDay #DevSecOps
Mark Peters
Cultural integration of your full-stack team to create value.
Helen Beal 🐝
Bringing security to the DevOps party through cultural change and shifting security left into the value stream and DevOps toolchain
Jack Maher MSIS, PMP, DOL, CAL, SRE
You can't actually deploy anything to production without doing at least minimum security hygiene. But it was not explicitly called out early on...
Jayne Groll
Security is everyone's responsibility thereby requiring every role, team and function to develop core security skills
savinderpuri
Adding security through the SDLC and not just as a release-end activity.
Vishnu Vasudevan
Bringing the security team into operations reduces the risk to a greater level by providing control and visibility across the organisation.
Shlomo Bielak
Finding the model to effectively collaborate with other stakeholders.
Mark Peters
Fun is not secure. Business value today depends on effective security.
Anshul Lalit
To build the mindset that everyone is responsible for security and ensure it is a continuous process.
felipe dueñas
Security is a fundamental part of DevOps
Vishnu Vasudevan
Implementing DevSecOps gives biz & tech a chance to validate their security & compliance against their organization's goals and will give an opportunity to continuously improve on their goals around security to avoid hefty penalties as a result of audit, legal & compliance.
Vishnu Vasudevan
With more adoption now of open source components and cloud adoption, security becomes inevitable and cannot be an afterthought for the engineering teams.
Simone Jo Moore
Security built in as something as automated as breathing.
Mark Peters
Absolutely, like breathing. But more like exercise. Still have to understand why.
Mark Peters
More like yoga. Movement and breath need to happen together to create balanced processes.
Siddharth
What do you see as the single biggest DevSecOps challenge right now, and what is your advice for overcoming it? #SKILupDay #DevOps
Marc Cluet #BLM
Integrating security with policy-as-code which is a very nice way to join both worlds and ensure escalation by exception #DevSecOps #DevOpsInstitute #SKILupDay
Shlomo Bielak
Constraints on engineering talent that understands security. Overcoming it is more about removing toil from the talent you have.
Helen Beal 🐝
There are so many! It's either going to be the exponential rise in threats or the cyber security shortage in the market
Jack Maher MSIS, PMP, DOL, CAL, SRE
The idea within the InfoSec world that they shouldn't be black ops, that they will give up capability in a distributed event.
felipe dueñas
Cooperation culture
savinderpuri
Security team not wanting to do it :-)
Simone Jo Moore
Culture around security responsibility
Daysha DevOps
Ensuring the delivery teams are aware of emerging security threats.
Helen Beal 🐝
How do you go about removing toil?
savinderpuri
@bealhelen Got the CIO to tell them - my way or the highway! Easy, peasy!!
Jack Maher MSIS, PMP, DOL, CAL, SRE
To address this resistance: once the new approach is considered and understood, there is significantly less resistance (at the individual security professional level).
Suma Puligella
I would say implementing CI/CD. In order for DevSecOps to be successful, one cannot expect new DevOps processes and tools to adapt to old methods of security.
Vishnu Vasudevan
Policy-based pipeline (security as a policy) with control given to security teams so that no code is pushed to prod without their sign-off.
Mark Peters
@dayshaitpm basics first: understand your attack surface and risks, then threats. Most problems are old stuff.