ducthinh993

DevSecOps built-up series (Part I)

The enterprise sector has to prioritize security, data protection, and maturity over speed. Finding a way to practice DevOps culture in a high-security environment has become a new challenge for many security practitioners.

Here is what I learned after many years of building and operating DevSecOps.

Part I — DRY: Building your Security standard.

Different security certification standards focus on specific areas. Besides, enterprise companies often have to maintain many security certifications at the same time. For example, banking and fintech companies would maintain at least the ISO 27001 and PCI-DSS standards. Some of their control rules differ, but many of them describe the same requirements. Practicing and governing all of them separately would kill your motivation.

Try to find the overlapping requirements across your security standards and create a single internal control for each of them.

People: Save effort on training and help your folks adopt the internal controls. Participants only need to focus on following the company’s requirements, and spend less time reading and trying to understand a lot of standard-specific security terms.

Process: A single process to deploy across the organization reduces the effort of governance. A mapping step later transforms the internal results into the format each industry standard expects.

Platform: Reduce the complexity of building toolsets for execution and metrics collection. Although there are many commercial and open-source products that help accelerate this, practitioners often still have to spend a lot of organizing effort mapping between each product’s reports and the company’s security posture.

(to be continued…)
