Celidor

A DevSecOps framework

15/9/2018

DevSecOps is a new way of working, as described in my blog post "What is DevSecOps? And Why is it needed?". While developing the training course DevSecOps Hands-on, I realised I needed a DevSecOps framework encompassing the elements that make up DevSecOps, which I then used to define the topic areas of the course at a high level:
DevSecOps framework © 2018 Paul Schwarzenberger www.celidor.co.uk, may be used with acknowledgement
The DevSecOps Framework shows the various aspects which together encompass effective DevSecOps within an organisation, spanning application security, infrastructure security and security operations.

Culture – it is essential that the senior management of the organisation emphasise the importance of security not only in words but also in actions. Product Owners leading agile sprints need to prioritise the implementation of security features and of technical controls that mitigate risk.

Organisation – a key principle of DevSecOps is to embed security expertise within each application development and DevOps team. For application development, this is often best achieved by appointing security champions; for infrastructure teams it may well be a security specialist or an infrastructure engineer with a particular interest in security. The DevSecOps approach to security operations is a Virtual Security Operations Centre (SOC), made up predominantly of the security specialists spread across the organisation.

Tools – tools are an important element of DevSecOps and will be covered in a future blog post. They range from AppSec tools for application security, through DevOps tools for infrastructure security, to Security Orchestration, Automation and Response (SOAR) for security operations.

Training – training options are broad, and ideally an organisation will implement all of them:
  • Paired programming
  • End of Sprint Demos
  • Mentoring
  • Online training
  • Instructor-led training

Application Security training should be tailored to the particular programming languages used by the organisation.
Author
    Paul Schwarzenberger is a Cloud Security Architect and Engineer


© 2020 Celidor Limited. All Rights Reserved.
