Development and operations teams have already come a long way by aligning around the shared goal of delivering stable, high-quality software quickly. They’ve automated manual processes and built tools into continuous integration and continuous delivery (CI/CD) pipelines. In doing so, they’ve increased trust between groups, which is essential as these once-disparate teams tackle critical issues together.
Extending DevOps to DevSecOps requires key cultural and practical changes to integrate security into all stages of the software development life cycle (SDLC). However, development managers often see security as a training burden or a blocker that slows releases. Organizations have to address these perceived liabilities before they can meet their risk mitigation goals. One way is to position security experts within development teams: champions who convey security priorities to their colleagues and bring developer concerns back to the security team.
If you’re facing the challenge of transforming DevOps to DevSecOps, consider investing in a Security Champions program. When you promote Security Champions, you form a network through which security information can flow consistently in both directions. Security Champions take on the role of “local” experts who can answer everyday questions, recommend training, and interface with the central security team to find answers to deeper questions.
How can investing in a Security Champions program benefit your organization? Here’s what Security Champions can do for you:
- Integrate security activities into your CI/CD pipelines.
- Assist with security activities throughout your secure software development life cycle (SSDLC).
- Work closely with your software security group (SSG) to provide feedback, promote tool adoption, and implement new processes.
- Help with security vulnerability remediation.
- Onboard applications into defect discovery processes and tools (SAST/DAST).
Summing it up
While there’s no simple or single way to transform DevOps into DevSecOps, employing Security Champions, if done effectively, can serve as a powerful transformational approach. Security Champions help ensure that security measures are embedded in every step of the software development process, so defects are found and fixed early rather than in late-stage remediation. That is what improves time to market and helps your organization deliver higher-quality, secure code.
Join us on Sept. 13 at 12 p.m. EDT for our webinar Using Security Champions to Build a DevSecOps Culture Within Your Organization. Brendan Sheairs, managing consultant at Synopsys, will discuss the foundations of a successful Security Champions program and how to address the challenges you’ll face implementing such a program.
*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Steve Cohen. Read the original post at: https://www.synopsys.com/blogs/software-security/security-champions-devsecops-webinar/