Many security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.
Similarly, security groups believe that policy enforcement is their biggest (only?) lever… “If we can just update the policies to be more consumable/relevant/context aware/etc and get developers to pay attention, then magic will happen.” But, policy enforcement rarely moves the needle and it creates a tense relationship between development and security that can do more harm than good.
This talk is a step-by-step framework for going from wherever you are now to getting on the path of DevSecOps
cultural transformation. It addresses the mindset shift concerns for all relevant audiences. It addresses the mechanics of getting started and tracking progress. It’s adaptable to any environment regardless of industry, technology, or maturity. Most importantly it’s been proven in a highly diverse environment at Comcast.