Top 10 Challenges for DevSecOps


Authors: Gary Robinson


The presentation discusses the challenges of implementing DevSecOps and shifting left in organizations. It emphasizes the importance of planning and fitting security into the CI/CD process, as well as effective communication between security and development teams.
  • Challenge #1: Starting in the right way by planning the approach and understanding the aim of DevSecOps
  • Challenge #2: Fitting security into the CI/CD process and communicating effectively between security and development teams
  • Importance of understanding the long-term goals and considering the impact on future DevSecOps processes
  • Emphasis on efficiency and automation in DevSecOps
  • Advice to do research and look for other solutions to DevSecOps challenges
The speaker mentions organizations that have rushed to implement DevSecOps without a clear understanding of the aim and long-term goals, resulting in issues with automation and efficiency. They stress the importance of planning and considering the impact on future processes.


Abstract: DevSecOps is the push for security to fit into the success DevOps has created. Since 2015 we’ve been working with 100s of companies on the integration of DevSecOps into software development processes and have seen the troubles, the successes, and the same patterns coming up again and again. Therefore, in honor of OWASP, we’ve created a Top 10 list of challenges that DevSecOps will need to overcome to truly fulfill its promise and make our lives simpler.

Let’s all repeat to ourselves: “DevSecOps isn’t simple. DevSecOps isn’t hooking in a few APIs into CI/CD. DevSecOps is about giving precise, usable security data, when and where it’s needed.”

Note that in this presentation we very much focus on DevSecOps achieving the same promise as DevOps, i.e. the ability to deliver usable, actionable security within the DevOps or CI/CD pipelines such that the risk to the business is reduced. This means the ‘Sec’ in DevSecOps needs to provide value within the operation and timeframe that DevOps works at. This is a common problem seen in many DevSecOps rollouts.