Tips for boosting the “Sec” part of DevSecOps

2021-02-17 08:31

"In my experience, this is due to the 'I'm from Security and I'm here to save you' mentality that continues to pervade the security industry, and the only way to overcome this is with a big bucket of humility," he noted.

"Security has not actually spent the last 20 years doing a good job of 'security things' and we do not have a strong position to say that we have all of the answers. I know that it sounds relatively simplistic, but it really is a case of taking the path of the beginner's mind and working with developers, operators, and DevOps staff to learn their perspective and then apply domain-specific security knowledge."

Here's another of Arlen's tips for pushing developers to prioritize security: stop talking about security!

"If there's a thing that, as a security person, you'd call a 'vulnerability,' keep that word to yourself and instead speak the language of the developers: it's a defect," he pointed out.

"Organizations need to stop treating security as some kind of special thing. We used to talk about how security was a non-functional requirement. Turns out that this was a wrong assumption, because security is very much a function of modern software. This means it needs to be included as you would any other requirement and let the normal methods of development defect management take over and do what they already do," he noted.

"There will be some uplift requirements to ensure your development staff understands how to write tests that validate security posture, but this is generally not a significant problem as long as you've built in the time to do this kind of work by including the security requirements in that set of epics and stories that fit within the team's sprint budget."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ZQ0-T22b3p8/

#devsecops #SEC