The CISO’s Guide to DevSecOps

Since we are trying to understand the DevSecOps space a little better, the nature of this research is observational. We are trying to discover insights in an open-ended way so that we can eventually derive models and frameworks that help us better understand the challenges associated with DevSecOps and respond to them effectively. In that sense, this research is exploratory. We are not yet at a stage where we have globally accepted empirical models for software security; the very nature of this problem is extremely complex. What we are trying to do here is to focus on a very specific area of that vast problem space – namely, how DevSecOps can improve software security. Historically, much of the discussion in software security has been focused on the project level: we emphasized code scanning, penetration testing, exploratory functional testing, and so on. Today, that discussion has shifted to the program level, and we are now interested in scaling up those project-level security initiatives. The challenges that emerge from this are rooted in coordination, training, program management, risk, compliance, and so on. With this in mind, our research will focus on role-based perspectives. We feel this is important because, in order to achieve alignment, we need to better understand these different perspectives from the project level to the program level and all the way up to the portfolio level.