The bad guys don’t break in through the highly secure bank vault door; they attack the crumbly bricks and mortar of the vault walls. The same is true for application security. The vast majority of incidents don’t target security features like encryption, authentication, and authorization… the bank vault door. Rather, they target vulnerabilities in the “boring”, non-security parts of the code… the crumbly bricks and mortar of the vault walls.
The security function is still largely throw-it-over-the-wall at many organizations, but things are changing. There is growing awareness that you cannot prevent the vast majority of incidents with a bolt-on approach to security. You have to produce applications that are free of such vulnerabilities as they are being developed. In other words, you have to BUILD SECURITY IN.
Just like DevOps is a cultural transformation, to BUILD SECURITY IN we need a mindset shift and cultural change. We need DevSecOps.
This talk starts by introducing a DevSecOps manifesto and then a process model for achieving a “BUILD SECURITY IN” DevSecOps culture. The framework is designed to sit on top of any SDLC, but it is particularly suited to Lean/Agile environments, and even more so to a DevOps environment or to use alongside an ongoing DevOps transformation.