DevOps and DevSecOps pipelines are all the rage, and every day there is a seemingly increase in the number of uses of the term DevSecOps. A pure DevSecOps pipeline is ideal, but almost always unrealistic given organization-specific technical or business constraints (i.e., intra-organizational approvals, business cycles and objectives, regulatory approvals). Much like Donald Rumsfeld once said: "You go to war with the army you have, not the army you might want or wish to have at a later time." As leaders of the cybersecurity industry, we need to achieve actionable, high-quality cybersecurity solutions despite organizational imperfections. Automation of the Sec element within DevSecOps requires a delicate balance between speed and security, automation and human awareness, and great and good enough.
Define the critical processes and benchmarks involved in various automation approaches to the Sec element of a DevSecOps pipeline.
Understand the attributes of a successfully automated (fully automated or man-on-the-loop automated) Sec element of a DevSecOps pipeline, and recognize common attributes of unsuccessful Security automation practices.
Appreciate the operational, technical and financial advantages (to cybersecurity staff, projects, organizations, and user communities) of a successfully implemented automated Sec processes within a DevSecOps pipeline.
CISSP, CEH, PMP, PMI-ACP, SAFe SPC/SA, PRINCE2, AWS-SAA, FinOps,
Principal/Distinguished Digital & Cyber Technologist,
Booz Allen Hamilton