DevSecOps is a methodological approach that enables potential security vulnerabilities to be detected or predicted at every level by building security in from the beginning to the end of the software development lifecycle and beyond. In short, it is the continuous inclusion of security in the DevOps phases. In the classical approach, each task is carried out by a different role, while DevSecOps allows tasks to be intertwined, just like DevOps. In this context, the DevSecOps manifesto was created and adopted.

The original manifesto is available at https://www.devsecops.org/. In today's article, I will share with you what the DevSecOps manifesto, which consists of 9 items, wants to tell us.

1) Leaning in over Always Saying “No”: Rather than the typical “no” approach, DevSecOps relies on a close understanding of business drivers and requirements, which allows solutions to be more adaptable than was possible in the past.

2) Data & Security Science over Fear, Uncertainty and Doubt: DevSecOps focuses on data and security science in order to reason from the facts at hand, create secure and reliable computing environments, and provide stronger decision making, real-world evidence and information.

3) Open Contribution & Collaboration over Security-Only Requirements: Working as a team and orchestrating software development is one of the strengths of DevSecOps, and it provides a better understanding of problems and solutions than focusing solely on security requirements. Therefore, effective DevSecOps requires the security members of the development team to have an operational awareness of all aspects of the development process, from design, programming and testing to product release.

4) Consumable Security Services with APIs over Mandated Security Controls & Paperwork: DevSecOps understands that the modern technology world is changing rapidly and that no product can meet a need forever, so it takes advantage of all innovative security services and integrations.

5) Business Driven Security Scores over Rubber Stamp Security: DevSecOps recognizes that appropriate security measures are a reflection of ever-changing business needs and constantly updates itself accordingly.

6) Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities: In companies, the Red Team plays the role of an external attacker. The Blue Team takes on the role of the internal defender. DevSecOps encourages the use of real-world Red & Blue Team exercises to validate against the full spectrum of possible attack vectors (i.e. including social engineering and other human-centric threats).