Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
More than anything, DevSecOps is a cultural change for many organizations.
Question: I am the security person in a company that writes a lot of its own applications. I am thinking we need to implement a DevSecOps program, but I’m not sure how to get started or how to present it to my upper management. Can you give me some advice?
Yaron Levi, CISO at Blue Cross Blue Shield of Kansas City: Start with the end in mind. When you consider the organization’s business, risk, culture, and capabilities, what do you believe a successful DevSecOps practice should look like? Try to think about the ideal situation, the good enough situation, and the minimum bar situation, then chart a path of how to get to each stage. Think about what you will need, including people, process and technology, as well as pros and cons for each stage.
For example, an ideal situation may be that every developer is fully proficient with secure development practices, threat modeling, risk assessments, etc. A good enough situation may be where you have at least one security champion (or advocate) on each team, and the minimum bar situation is where you have a centralized application security team that supports the entire organization.
This will allow you to present options to executive leadership so they can choose what makes the best business sense for them. Make sure to explain why this is needed in terms of business risks and benefits.
From a knowledge perspective, the Open Web Application Security Project (OWASP) has a lot of great information and resources to help you on your journey. Remember that, more than anything, DevSecOps is a cultural change for many organizations — hence your biggest investment will need to be in people.