The innovation of DevSecOps is putting security into the workflow of the team rather than leaving it to the end. Shifting security left is made possible by the ability to automate aspects of security testing. DevSecOps makes application security a first-class citizen in software development. DevSecOps uses a mindset of cross-functional teams creating software through collaboration and fast feedback cycles.
DevSecOps starts before code is written by using techniques like threat modeling and risk analysis to figure out who might want to attack you and what they might do. DevSecOps maps application security practices into the pipeline in order to provide feedback about the security posture of the software. By using automation, the team can maintain confidence in the health of the code.
This talk focuses on how, when, and where practices should be incorporated into a pipeline to get the most value out of your security practices. It explores what manual security work still needs to be done.
Get to know Tom.