|
| 1 | +What's Next For DevSecOps |
| 2 | +========================= |
| 3 | + |
| 4 | +Due to their importance in modern application architectures, building secure |
| 5 | +APIs is crucial. Security cannot be neglected, and it should be part of the |
| 6 | +whole development life cycle. Scanning and penetration testing yearly are no |
| 7 | +longer enough. |
| 8 | + |
| 9 | +DevSecOps should join the development effort, facilitating continuous security |
| 10 | +testing across the entire software development life cycle. Their goal is to |
| 11 | +enhance the development pipeline with security automation, and without impacting |
| 12 | +the speed of development. |
| 13 | + |
| 14 | +In case of doubt, stay informed, and review, the [DevSecOps Manifesto][1] often. |
| 15 | + |
| 16 | +| | | |
| 17 | +|-|-| |
| 18 | +| **Understand the Threat Model** | Testing priorities come from a threat model. If you don't have one, consider using [OWASP Application Security Verification Standard (ASVS)][2], and the [OWASP Testing Guide][3] as an input. Involving the development team may help to make them more security-aware. | |
| 19 | +| **Understand the SDLC** | Join the development team to better understand the Software Development Life Cycle. Your contribution on continuous security testing should be compatible with people, processes, and tools. Everyone should agree with the process, so that there's no unnecessary friction or resistance. | |
| 20 | +| **Testing Strategies** | As your work should not impact the development speed, you should wisely choose the best (simple, fastest, most accurate) technique to verify the security requirements. The [OWASP Security Knowledge Framework][4] and [OWASP Application Security Verification Standard][5] can be great sources of functional and nonfunctional security requirements. There are other great sources for [projects][6] and [tools][7] similar to the one offered by the [DevSecOps community][8]. | |
| 21 | +| **Achieving Coverage and Accuracy** | You're the bridge between developers and operations teams. To achieve coverage, not only should you focus on the functionality, but also the orchestration. Work close to both development and operations teams from the beginning so you can optimize your time and effort. You should aim for a state where the essential security is verified continuously. | |
| 22 | +| **Clearly Communicate Findings** | Contribute value with less or no friction. Deliver findings in a timely fashion, within the tools development teams are using (not PDF files). Join the development team to address the findings. Take the opportunity to educate them, clearly describing the weakness and how it can be abused, including an attack scenario to make it real. | |
| 23 | + |
| 24 | +[1]: https://www.devsecops.org/ |
| 25 | +[2]: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project |
| 26 | +[3]: https://www.owasp.org/index.php/OWASP_Testing_Project |
| 27 | +[4]: https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework |
| 28 | +[5]: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project |
| 29 | +[6]: http://devsecops.github.io/ |
| 30 | +[7]: https://github.com/devsecops/awesome-devsecops |
| 31 | +[8]: http://devsecops.org |
0 commit comments