DevOps

help speak in the universal language of
Rugged DevOps: speed of delivery.
“There should be a really big shift
for security people, moving from an
approver and requester relationship with
DevOps guys to more of a facilitative
and partnership relationship,” says
Prendergast, “where developers and
operations are helping with security
and learning along the way, and
security is able to mentor and continue
to pass responsibility to the DevOps
guys, because automation is making it
possible to remove the human element
from lot of processes.”
As Edwards explained in his OWASP
talk last year, security would do well to
learn from many QA professionals who
have embraced their role as toolsmiths
and mentors within the DevOps value
chain. As toolsmiths, they do their best
to develop a toolset that enables as
much self-service help as possible. And
as mentors, security should be helping
to identify security champions who
can lift some of the everyday security
mitigation workload off the security
team’s shoulders, allowing them to
focus on more strategic work.
Wickett related a story about how
cheaply a security empire building
can be won. He explained that Ken
Johnson, while at Living Social, ran an
internal capture-the-flag, bug-finding
competition. The prize was a specially
designed, very limited-edition t-shirt.The
program was simple but effective.
“That’s a unique way to get people
interested in security,” he says. “It helps
you identify people in your organization
who you can tap in the future and
whenever the winners wear the shirt,
people see it and are more aware of
security.”