Blue by Default

How do you build an organization so security is the default, not the afterthought?

The rise of attacks demonstrates an ever increasing need to protect ourselves because critical, interconnected systems are controlled by software. Security must “shift left” and be embedded into the software supply chain from the start.

As Aubrey Stearn says, “How do you become blue by default?”

Aubrey Stearn (@auberryberry), is a DevSecOps practitioner, guru, and frequent conference presenter. She is also a contributor to the recently published book Epic Failures in DevSecOps, edited by Sonatype’s Mark Miller.

Aubrey points out that she “Doesn’t work in security, but is part of security.” 

Her session, Blue By Default – Extract The Value From Security Investment, begins by observing that the cadence of DevOps is well established. Yet, security moves much faster and is influenced by external factors. We can’t do anything to slow security down, so we have to be prepared by having it embedded into everything we do. But, how do we get there?

It requires a cultural transformation based on trust. Development needs to know security wants to work with them, not against them. Security needs to know development is building security into everything they do, working with a security mindset. Operations has to trust development to follow the policies and procedures to protect the applications.


Often trust is compromised because good intentions are followed by bad execution. As Aubrey states, “If you make my life hard, I will cut corners and do stupid *&!*@!”

As a real life example, she told a story of having to use two laptops at one company. She couldn’t do the work she wanted to do on the company laptop due to a company policy prohibited cutting and pasting into the email app (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: