Benjamin Lieberman – Director

All software systems exist in an insecure state, which creates the need for a way to conduct software attack surface analysis. This is because any useful system must connect in some way with the outside world and therefore contains at least one point of interaction with that world. These communication paths accept data / instructions […]

Migration from one code management system to another is a non-trivial exercise.  Most of the time the team wishes to maintain code history, branch structure, team permissions, and integrations. This blog post investigates one such migration from Bitbucket to GitHub for a large health maintenance organization. Due to growth and acquisition over time, the organization […]

The Canary Deployment Pattern, or canary release, is a DevSecOps deployment strategy that minimizes risk by targeting a limited audience.  As with all deployment patterns, the goal is to introduce the newly deployed system to the users with as least risk and in as secure a manner as possible.  As noted below, the motivation of […]

Secure software practices are at the heart of all system development; doubly so for highly regulated industries such as health-care providers.  Multiple regulatory controls are required for the custodianship of patient and customer data, creation of secure software systems, governance of development environments, and ensuring proper management of audit information. As a best-practice it is […]

Blue/Green Deployment Pattern The goal of any software development program is to release system changes into production.  There are many ways to safely and securely deploy software into a production environment.  In most cases these patterns follow a similar strategy of limiting exposure of the released software changes to the overall user audience.  This is […]

Secure Software Development Understanding security policies and how they apply to development practices is key to delivery of secure software.  Unfortunately, most development teams do not have a clear understanding of security implementation.  This may be due to several factors, but a common theme is that security professionals speak a different ‘language’ from developers (i.e. […]

Security threat assessment models are an important tool of an overall security and compliance program.  In order to create an effective set of security policies, it is necessary to understand the types of threats, their likelihood of occurrence, the impact of a breach/incident, and how the business can mitigate or control against these threats.  There […]

Security Incident Management Incident Management can be defined as “effectively managing unexpected disruptive events with the objective of minimizing impacts and restoring normal operations” (1). For security-related incidents involves all of the steps prior, during, and subsequent to an information security incident.  This may have consequences far beyond the restoration of normal service.  For example, […]

The Product Owner plays a particularly important role in DevSecOps and release coordination. In this final blog post on DevSecOps and release coordination, we will explore the Product Owner persona. So far we have met the Release Coordinator, Security Architect, and the Operations Coordinator.  Together with these other three key members of the release team, the […]

DevSecOps Reference Architecture When approaching a complex DevSecOps implementation, it is often useful to consider a Reference Architecture as a starting point.  As illustrated in Figure 1, the automation activities can be broken up into three major areas: Continuous Integration (CI), Continuous Deployment (CD) and Continuous Compliance (CC).  Each of these areas encompasses a separate […]

The Operations Coordinator plays a key role in DevSecOps.  In my previous post, DevSecOps and Release Coordination, I introduced the idea of four key responsibilities in the DevSecOps mediated release management process. The idea is to consolidate the validation and approval steps from a “gated” process involving many approvers, and shift the actual work of […]

In my previous post, DevSecOps and Release Coordination, I introduced the idea of four key players in the DevSecOps mediated release management process. The idea is to consolidate the validation and approval steps from a “gated” process, and shift the actual work of validation earlier in development. In this post, we will explore the role […]