CHAPTER 4: DevSecOps Process
INTRODUCTION
DevSecOps as a set of principles, and a newer one at that, does not have any inherent processes. These principles provide underlying guidance around the tools and practices within DevSecOps, but they do not provide step‐by‐step processes for how to work. Jayne Groll, CEO of DevOps Institute, emphasized this point by saying, “There are no processes which are inherent to DevOps.” In fact, many of the processes that DevOps practitioners rely on are based on ITIL. However, as you look to apply DevOps principles to how you work, you must look for opportunities to automate, empower, and focus on collaboration.
When looking at the processes related to DevSecOps, you must determine how to apply DevSecOps culture and principles to the processes of security management. Fundamentally, DevSecOps processes are:
- Lightweight
- Automated
- Trustful
- Measured
- Driving ownership and accountability
- Transparent
- Empowering
- Engendering of psychological safety
- Focused on developing a learning culture
If you integrate these principles into existing processes and find processes that enable them, you will build DevSecOps into everything you do.
UNDERSTANDING PROCESSES AT SCALE
When considering processes for an organization, the size and the maturity of an organization are key determinants. As organizations become larger, more advanced processes are needed to align the component parts. This, however, does not mean that processes need to be burdensome or slow things ...