DevSec is a suite of techniques that enable developers to self-service on most security tasks. DevSec does not solve all security problems; rather, it plugs high-accuracy automation into the right development spots to solve issues with a low cognitive burden.
Tools that support DevSec come in a few forms:
- Tools that detect build/coding flaws:
  - Composition analyzers, that look for known vulnerabilities in libraries.
  - Static analyzers, that look for coding flaws or code smells in individual files or traced between code and libraries.
- Tools that get security results from applications as they are tested:
  - Integrated analyzers, that watch inside of applications to extract security and/or performance information.
- Tools that monitor and/or defend production applications:
  - Application Security Monitoring, a technique for observing and tracing security flows within an application.
DevSec fits into agile styles because its automation enables teams to get and act on specific security results during any sprint.
DevSec fits into team topologies because the tools can often be provided and managed by an enabling team, freeing developers (a stream-aligned team) from the cognitive burden of always knowing and worrying about security.
You can do DevSec by adding automated security tooling into your regular development flow and making sure that results can be seen when they matter.
When automated tools are in place, the important step is people looking at and acting on results. The value is in the remediation and fixing of any findings. Setting up a ceremonial tool whose results will be ignored is not DevSec.
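As an added illustration (not code from the original page) of plugging a composition analyzer into the flow so that its results are seen and acted on rather than ignored, the script below gates a CI stage on a constructed, hypothetical report format: findings at or above a severity threshold block the build unless a person has explicitly accepted them with an expiry date. The report shape, the `ADV-*` identifiers and the fixed `today` value are all constructed for the example.

```python
"""Gate a composition-analysis report so findings are acted on, not ignored."""
import json
import sys

# Constructed sample report in a hypothetical JSON shape (not any real tool's
# output format): one finding per vulnerable library.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "ADV-0001", "package": "libfoo", "version": "1.2.0", "severity": "high"},
    {"id": "ADV-0002", "package": "libbar", "version": "0.9.1", "severity": "low"},
    {"id": "ADV-0003", "package": "libbaz", "version": "2.0.0", "severity": "critical"},
]})

# Findings a human has already reviewed and accepted, each with an expiry date
# (ISO format, so plain string comparison orders them) so the decision is revisited.
ACCEPTED = {"ADV-0002": "2025-12-31"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def triage(report_json, accepted, threshold="high", today="2025-06-01"):
    """Split findings into (blocking, informational).

    Blocking findings are at or above the threshold and have no unexpired
    acceptance; they fail the build so they are seen and fixed in the sprint
    instead of silently accumulating in a report nobody reads.
    """
    blocking, informational = [], []
    for f in json.loads(report_json)["findings"]:
        accepted_until = accepted.get(f["id"])
        still_accepted = accepted_until is not None and today <= accepted_until
        severe = SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]
        if severe and not still_accepted:
            blocking.append(f)
        else:
            informational.append(f)
    return blocking, informational


def gate(report_json, accepted, threshold="high", today="2025-06-01"):
    """CI entry point: print a short summary and return the process exit code."""
    blocking, informational = triage(report_json, accepted, threshold, today)
    for f in blocking:
        print(f"BLOCK {f['id']} {f['package']}@{f['version']} ({f['severity']})")
    print(f"{len(blocking)} blocking, {len(informational)} informational finding(s)")
    return 1 if blocking else 0  # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT, ACCEPTED))
```

The acceptance list is the record of human decisions; because each entry expires, an ignored finding cannot stay silently suppressed, which is the difference between a gate and a ceremonial tool.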