Our Thinking Tue 24th September, 2019
Introducing the Secure Delivery Playbook
One of the challenges our industry faces is how to move fast without breaking things. To help address that, we’re open-sourcing our Secure Delivery Playbook, which explains how we approach security within continuous delivery.
A couple of years ago, Dan Mitchell, our Operability Practice Lead, wrote about how DevOps is a constraint. At the time, he quoted Thomas (our co-founder) as saying:
“Not everyone agrees on what DevOps means, who does it, or how it’s done. There are many ways to do it depending on the context. People sometimes forget that DevOps is part of something bigger called Continuous Delivery.”
I believe our industry is in a similar position today with DevSecOps. The conference circuit buzzes with talks about the latest product or approach that can automate away your troubles. Many teams are looking at how to ‘shift left’ – a term that has become more about the pipeline than anything else.
Security is bigger than DevSecOps
This creates a challenge for us in helping organisations meaningfully adapt their security processes alongside Continuous Delivery. It’s a challenge because it carries assumptions about what good security looks like, and incorrectly suggests that the focus of security should be on the pipeline. That’s certainly a part of it, but it’s only one chapter in the story.
Rather than talking about tools, automation and pipelines, we want the conversation to be about how best to explicitly manage risk – and that’s bigger than what most people think of when they hear ‘DevSecOps’.
Our view on Secure Delivery
To help shape this conversation, we’re announcing the first release of our Secure Delivery Playbook. The playbook explains in detail how we strike a fair balance between delivering rapidly and maintaining high levels of security.
The playbook defines a set of principles and practices that Equal Experts recommends for delivery of secure software. It’s not just for software engineers; it is for everyone involved in delivering software. It’s also not prescriptive about how each of the practices should be adopted, but allows you to determine which practices are appropriate for you and the best way to implement them.
The Secure Delivery Playbook is a guide rather than a checklist, helping those with the most context make the right decision.
Sharing our thinking with the world
While the ideas captured within the playbook have originated from within the Equal Experts network, we’d like to see it evolve based on contributions from the wider community. We’d also like others to benefit from our playbook and use it in their own projects. For that reason, we’ve published the playbook under a Creative Commons licence and hosted it on GitHub for anyone to contribute to, or even fork and modify to suit their context.
We hope this contribution to the wider software engineering community helps advance our collective capabilities in addressing security throughout software delivery.
Do you like how we think about software security? Why not join us! Get in touch if you’re interested… we’re always looking for talented security professionals.