Posts by this Author

Security threat assessment models are an important tool of an overall security and compliance program.  In order to create an effective set of security policies, it is necessary to understand the types of threats, their likelihood of occurrence, the impact of a breach/incident, and how the business can mitigate or control against these threats.  There […]

Security Incident Management Incident Management can be defined as “effectively managing unexpected disruptive events with the objective of minimizing impacts and restoring normal operations” (1). For security-related incidents involves all of the steps prior, during, and subsequent to an information security incident.  This may have consequences far beyond the restoration of normal service.  For example, […]

The Product Owner plays a particularly important role in DevSecOps and release coordination. In this final blog post on DevSecOps and release coordination, we will explore the Product Owner persona. So far we have met the Release Coordinator, Security Architect, and the Operations Coordinator.  Together with these other three key members of the release team, the […]

DevSecOps Reference Architecture When approaching a complex DevSecOps implementation, it is often useful to consider a Reference Architecture as a starting point.  As illustrated in Figure 1, the automation activities can be broken up into three major areas: Continuous Integration (CI), Continuous Deployment (CD) and Continuous Compliance (CC).  Each of these areas encompasses a separate […]

The Operations Coordinator plays a key role in DevSecOps.  In my previous post, DevSecOps and Release Coordination, I introduced the idea of four key responsibilities in the DevSecOps mediated release management process. The idea is to consolidate the validation and approval steps from a “gated” process involving many approvers, and shift the actual work of […]

In my previous post, DevSecOps and Release Coordination, I introduced the idea of four key players in the DevSecOps mediated release management process. The idea is to consolidate the validation and approval steps from a “gated” process, and shift the actual work of validation earlier in development. In this post, we will explore the role […]

The ultimate goal of all software development is the secure software release of the system to a user-accessible production environment. However, the road from code to production is often a long and perilous one. To reduce the apparent risk associated with a production release, many organizations place “gates” at various points along the release path. […]

In my previous post on Cloud Resources – Policy and Practice, I referenced the “shared security model” adopted by all cloud providers. In this post, we will dive deeper into the differences and consequences of sharing the responsibility for securing computing resources, applications, data, and networks. Whether your organization is extending into cloud-based resources or […]

The Release Coordination Challenge Release Day.  There are few more terrifying words in the development team lexicon.  This is the moment of truth; will our efforts be for nothing or will we out eke out another production release?  And so many things can go wrong; have we missed critical requirements, did we failed to test […]

Cloud computing is now ubiquitous throughout the software development industry.  There are many cloud service providers offering everything from ‘bare-metal’ virtual servers to complete server-less computing platforms.  The speed by which computing resources can be reserved and instantiated is a major contributing factor to the success of DevOps, where repeatability and automation is central.  However, […]