Presentation: DevSecOps: Not the Tools, the Other Bits


Transcript


Platt: My name is Mario Platt. We'll be talking about DevSecOps, not the tools, the other bits, because DevSecOps is really not just about automation. It's mostly about enabling communication. I'm the strategy director at HYSN Technologies, who have the practical-devsecops.com courses. I'm also the head of InfoSec for a FinTech company. I have my own consulting business. You can find me on Twitter at @madplatt.


DevOps Principles


The best way to start thinking about DevSecOps is to look at DevOps first. At the end of the day, we're trying to secure DevOps. That's what people came to call DevSecOps. There's a pretty well-accepted set of principles in DevOps that are usually called CAMS: Culture, Automation, Measurement, and Sharing. Culture is really about breaking down barriers and silos and everything that supports that objective. Without it, other practices usually fail. Measurement is about measuring the activities in CI/CD, and also whatever practices we add from a process perspective in terms of how we identify what needs to be addressed from a security perspective. Sharing is about sharing tools and best practices among teams in the organization. Finally, automation.


Developing Culture - Assumptions


This relates to Schein's model, which is covered in "Accelerate," the book by Dr. Nicole Forsgren. Developing culture in this model comes down to three different things: assumptions, values, and artifacts. Assumptions are hard, because you can't really touch them, most often. You need to be an organizational anthropologist to try and understand how the organization came to be, where it is today, and what it is that you can do now, in the present. There are three elements. There are three different ideas that I like to use ...
