I used a metaphor during a cloud security webinar this week to explain how SecDevOps is an opportunity to “swim security upstream”, an expression that reminded me of an aspect of being a QA Manager earlier in my career. Our software development process included an acceptance phase, which, for repeatability, we executed by running a set of automated tests through a harness. Too often basic mistakes would be found, resulting in the build being rejected and thrown back over the wall to Dev, as it was back in the days of waterfall.
These inefficiencies highlighted the need to swim quality upstream in the dev process by requiring unit tests before release engineering ran a build and handed it off to QA. Just as was the case with such quality assurance steps, so too often are application security best practices performed late in the cycle, if at all. Enter SecDevOps.