,
12 tweets,
9 min read
Read on Twitter
Listening to @djschleen of CVS Health discuss Automating Security in DevOps (DevSecOps) at #RMISC #RMISC2019
If you're not doing Value Stream Mapping (en.wikipedia.org/wiki/Value-str…) for your software, but you're doing DevOps or other lean software dev, start. – @djschleen at #RMISC #RMISC2019
Tools need to be replaceable in your workflow; don't lock yourself into specific vendors' tools without a path to replace those functions easily – @djschleen at #RMISC #RMISC2019
OpenSource Security Management (really, 3rd-party component security management) is essential to get a handle on. You need to know the risks of components you're including in your software – @djschleen at #RMISC #RMISC2019
Container Vulnerability Analysis; there are great reasons to use containers, but you need to know if your containers have outdated, vulnerable components – @djschleen at #RMISC #RMISC2019
It's important to respond to the tools, languages, frameworks, etc. that your developers are actually using – @djschleen at #RMISC #RMISC2019
Use SAST sensibly -- big/complex apps can take a while to scan in entirety, and that can break DevOps processes. This is easier to deal with on greenfield apps – @djschleen at #RMISC #RMISC2019
Your devs need access to security people/resources that have technical dev knowledge. They can't fix e.g. SQLi if someone can't explain how it works and how to avoid it – @djschleen at #RMISC #RMISC2019
Companies like Google have thousands of devs committing straight to master through use of testing, feature flags, keeping commits small, and other disciplines. If something breaks, it's swarmed to fix, supported by automated tools – @djschleen at #RMISC #RMISC2019
Understand the Three Ways from Lean/DevOps — Flow, Feedback, and Experimentation – @djschleen at #RMISC #RMISC2019
Beware of having conversations that trip on Conway's Law (en.wikipedia.org/wiki/Conway%27…), and let devs be experts at development – @djschleen at #RMISC #RMISC2019
