Application security tools are being leveraged. After each commit, the code is automatically scanned and
            tested for vulnerabilities. Moreover, an analysis of open source components also takes place. Although
            this is a very good thing, security professionals are not yet part of this equation.

            Security professionals are starting to raise the alarm on the DevOps movement. Fast delivery should also
            include security. Welcome to DevSecOps!




                                                          DevSecOps





                                                The DevSecOps Manifesto


            “Leaning in over always saying “No”
            Data & Security Science over fear, uncertainty, and doubt
            Open contributions & collaboration over security-only requirements

            Consumable security services and APIs over mandated security controls & paperwork
            Business driven security scores over rubber stamp security
            Red & Blue team exploit testing over relaying on scans & theoretical vulnerabilities
            24x7 proactive security monitoring over reacting after being informed of an incident

            Shared threat intelligence over keeping info to ourselves
            Compliance operations over clipboards & checklists”

                   DevSecOps.org


            What Does This Means?


            Leaning in:

            Security  professionals,  especially  cyber  defenders,  should  lean  in  and  build  relationships  with
            development teams. Explain the why of a situation and how it can be addressed rather than just saying
            no.

            Data & security science:

            Similar to how businesses operate, our decisions should be based on data and analytics. We must have
            metrics, KPIs, and models that inform our decisions, the actions we take, and the advice we provide.


            Open contributions & collaborations:





                                 70