Security Is Everybody's Job (Part One)
This is the first in a many-part blog series on the topic of DevSecOps.
Throughout the series, we will discuss weaving security through DevOps in effective and efficient ways. We will also discuss the ideas that security is everybody's job, that it is everyone's duty to perform their jobs in the most secure way they know how, and that it is the security team's responsibility to enable everyone else in their organization to get their jobs done securely.
We will define DevOps, 'The Three Ways', AppSec, and DevSecOps. We will go deep on the many strategies we can use to adjust security activities for DevOps environments, while still reaching our goal of reliably creating and releasing secure software.
In summary, we will discuss how to make security a part of our daily work. It cannot be added later or after; it needs to be a part of everything.
But let's not get ahead of ourselves. I have many more posts planned where I will attempt to sway your opinion my way.
Tanya Janca, also known as SheHacksPurple, presenting her ideas in Sydney, Australia, 2019. Artwork by the talented Ashley Willis.
The main articles in this series will be public and freely available, but the sub-articles and links may be behind the SheHacksPurple.dev paywall. If you find this series helpful, please consider supporting the author by paying the $7 subscription fee, the equivalent of a fancy latte.
Before we get too deep into anything I'd like to dispel some myths. Look at the image below. This is how *some* security professionals see DevOps. (Slide credit: Pete Cheslock)
This slide's author, Pete Cheslock, is highly intelligent and experienced; this mention is not meant to insult him in any way. The slide is social commentary; it is not literal. That said, many people I've met truly feel this way: that DevOps engineers are running around making security messes wherever they go, and that we (security professionals) are left to clean up the mess. I disagree with that opinion.
Luckily for me, my introduction to DevOps was at DevSecCon, where they introduced me to this image. Below you can see the security team teaching, providing tooling, and enabling the magical DevOps unicorns in doing their jobs, securely. This is how I view DevOps; the security team enabling everyone, working within the confines of the processes and systems that all the other teams use.
This series will be loosely based on a conference talk which I have delivered at countless events, all over the planet, 'Security is Everybody's Job'. You can watch the video here.
In the next article, we will discuss what Application Security is and why it's a problem for our industry.
Published at DZone with permission of Tanya Janca. See the original article here.