Chapter 2. Dev-First Security

As mentioned, the security industry hasn’t been a part of the DevOps journey. As shown in Figure 2-1, security processes tend to gate the continuous process instead of merging into it. Notably, security processes are incapable of the following:

Empowering independent dev teams
Security is owned by a separate team, dev teams are not empowered to make security decisions, and tooling is designed primarily for auditors, not builders.
Operating continuously
Security processes still heavily rely on manual gates such as audits or result reviews, slowing down the continuous process.

Having security work against the business motivation of speed and independence can’t end well. Development teams must choose between slowing down, which hurts business outcomes, and circumventing the security controls, which introduces significant risk. Neither of these is a viable long-term option, so businesses must change their security practices to match the DevOps reality.

To secure the business without slowing it down, companies must adopt a dev-first approach to security.

Figure 2-1. Security gates slowing down continuous delivery process

What Is Dev-First Security?

Security programs must always start with an understanding of the risks you face. If you don’t know what you’re looking to secure or who you’re protecting yourself from, you’re likely to place your guards ...
