The DevSecOps Playbook is a flexible guide for implementing cybersecurity practices in any organization, regardless of size or expertise.
- The DevSecOps Playbook is a guide for implementing cybersecurity practices in any organization
- It is flexible and can be adapted to any size or type of organization
- The Playbook is broken down into domains of ownership, with prioritization and difficulty levels for each task
- The Playbook includes an addendum for compliance
- The Playbook is a work in progress, with ongoing collaboration and updates
The speaker realized that the Playbook needed to be flexible enough for startups without dedicated security personnel, and added a prioritization system to help organizations focus on the most important tasks first. The Playbook is constantly evolving based on feedback from collaborators and users.
We talk a lot about DevSecOps, but what do we really mean when we say that? Nobody can really agree on what it means, and if you listen to vendors it's just security tools embedded in your CI/CD processes. I believe in the original idea of a group of people with backgrounds in development, security, and operations working collaboratively to build and deploy better, more secure applications. Based on that vision I wrote the DevSecOps Playbook in early 2022 as a list of specific steps that people from all three domains (dev, sec, and ops) can do together. The Playbook is 58 "controls" or tasks that DevSecOps teams can perform to materially affect their application environments. These tasks are very prescriptive and easy to understand, and are sorted by difficulty as well as prioritized so that teams know what to do first and what to circle back to. This presentation will walk the audience through all 55 tasks and show them how to prioritize the tasks for their specific company based on the resources that org has.