Chapter 6 of Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations, is about integrating infosec into the delivery lifecycle:
- Infosec is vitally important; however, infosec teams:
  - Are often poorly staffed
  - Are usually only involved at the end of the software delivery lifecycle
- Furthermore, many developers are ignorant of common security risks and how to prevent them
- Building security into software development improves both delivery performance and security quality
- Shifting left on security
  - When teams build information security into the software delivery process instead of making it a separate phase, the teams' ability to practice continuous delivery is positively impacted
  - What does "shifting left" entail?
    - Security reviews are conducted for all major features, and this review process is performed in such a way that it doesn't slow down the development process
  - Infosec experts should:
    - Contribute to the process of designing applications
    - Attend and provide feedback on demonstrations of the software
    - Ensure that security features are tested as part of the automated test suite
    - Make it easy for developers to do the right things in terms of infosec
  - We see a shift from infosec teams doing the security reviews themselves to giving the developers the means to build security in
- The rugged movement
  - Rugged software should be resilient in the face of security attacks and threats