A Cybersecurity Engineering Strategy for DevSecOps

The shift from waterfall and long-increment development and delivery to accelerated approaches such as DevSecOps demands an agile yet disciplined approach to assuring cybersecurity. Current approaches focus on “big bang” assessments at major milestones which, for a product undergoing rapid, continual change, amounts to taking a snapshot of a door that is closed, reinforced, and triple bolted, and assuming all is well. But turn your back and the door is likely to be opened a few seconds later to let in an electrician or bring in some new furniture or an appliance. How can you know whether to trust the electrician, or the work they do, or the materials they use? Will connecting that new dishwasher blow a fuse? Is there a bug, maybe a powderpost beetle, living in that end table? Similarly, seconds after a security assessment is complete, a bug fix or software update comes along. Now what?

Continuous approaches to cybersecurity have been developed and piloted in DevSecOps environments, but these generally focus on only a subset of essential components and processes. Assuring cybersecurity requires an integrated strategy that incorporates agile processes, methods, and decision aids to address security of the whole product as it evolves through its life cycle. This webcast will present a strategy for cybersecurity engineering in DevSecOps environments.

What attendees will learn:

• the scope of a cybersecurity engineering strategy for DevSecOps
• the challenges of applying the strategy to integrate cybersecurity into DevSecOps
• the criticality of sharing information with direct and indirect stakeholders


#DevSecOps #cybersecurityengineering #SoftwareDevelopment

@Software Engineering Institute | Carnegie Mellon University