
Comments
How Do I Get Management to Buy into a SecDevOps Program?
tdsan (User Rank: Ninja), 7/9/2019 | 12:09:13 PM
Interesting adoption question, suggestions indicated below:
"but I'm not sure how to get started or how to present it to my upper management. Can you give me some advice?"
  1. Assess where the Dev-Teams and Sec-Teams are (does the developer have security experience and expertise, and vice versa)
  2. Provide training to both groups (address their weaknesses)
  3. Bring in a professional to provide guidance to that particular group who is lacking in certain areas (online training and in-person, people learn differently).
  4. Put the groups in scenarios to determine where they are in their development process
    • Have the Dev-Team engage in a quarterly or semi-annually security simulation where the managers capture stats on how the team performs
    • Bring in the Sec-Team and have them address a programming problem, individually and as a group
  5. Put together information from the Mitre Att&ck info (security), CMMI (programming guide) along with OWASP
  6. Provide incentives for achieving their goals (monetary and leadership roles)
  7. Create a data-sharing model where both groups work together to cross-pollinate learning objectives, create a mentor program for both groups
  8. Meet every week to determine their progress and testing process
  9. Document this process where this is considered a framework for future HR projects (start, problems, mitigation procedures, lessons learned and development strategies)

Todd
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13485
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVE-2020-13486
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
CVE-2020-13482
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2020-13458
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVE-2020-13459
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.