I agree, DevSecOps or DevOps is as individual as are the companies that follow this path.
What I was asking, is how many of us deal with the changes required to support DevSecOps. What I mean by controls would depend on what standards, or processes you are implementing. Our security strategy is guided by the NIST Cybersecurity Framework, and the framework does apply to what our company is doing.
I just don't hear much about other companies struggling with making security "visible", which is the need from a DevOps perspective, as well as supporting developers in their efforts to create secure code.
As a high level example, here are some of the implementation strategies we are using:
Security Mavens - training development leads to understand the role of security and how that applies to their discipline. How does secure code benefit a developer (less unplanned work, less stoppages in the pipeline, etc)
Security as code: developers and our App security teams are using OWASP and other guidelines to scan code (static scans, dynamic testing (pen testing), Open source scans and dependency evaluations)
Securing the tools that support the CI/CD pipeline - SAML authentication using our corporate directory, segregation of duties, least privilege for jobs, and automation
Automation of cloud processes: app scans, build scans, removal of access to console and locking down access to any cloud environment
This is a small sampling of the activities we have in place or in development however, we struggle to get security integrated into the pipeline to close the feedback loop. Areas we are attempting to improve our communication is automating JIRA tickets for IP vulns, cloud scans, and logging alerts.
Does that help?
What are you doing, what level of effort is underway? Is this an isolated process or is it hitting your entire company? One line of business? All lines of business? Is it a coordinated effort?
Let me know if that helps.
Thank you,
Chris
