REFCARD | INTRODUCTION TO DEVSECOPS

CONTENTS
• What Is DevSecOps?
• References

ALIREZA CHEGINI
SENIOR DEVOPS ENGINEER, AZURE SPECIALIST AT S-RM

Today, most companies have implemented DevOps practices within their organization. DevOps provides a culture in which teams can deliver reliable software and updates faster. This approach gives teams the opportunity to focus on quality rather than spending their time on operations. However, as a result, security practices are often left to security specialists at the end of the delivery pipeline. A separate security step at that point creates unnecessary overhead within the delivery process, because unexpected issues frequently surface only at the end of delivery. Consequently, teams lose time fixing the code and repeating the same process, which ultimately makes delivery costly and inefficient.

... “security as code” culture that encourages security to be treated like any other software component of the SDLC pipeline.

Figure 1
... that different teams are at different points down the path. The themes below are not specific activities. Instead, they are guideposts to help make decisions along the journey.

Table 1
DEVSECOPS GUIDEPOSTS

THEME | DESCRIPTION
Empowering engineering teams | Development and operations are empowered to deliver secure applications into production themselves. Security experts provide support as coaches and toolsmiths but do not have primary responsibility for security. Ensure that tools and processes are designed for developers and operations, not for security experts. This way, expertise is shared among all members of a team.
Making security visible | In many organizations, security work is hidden, unknown, and untracked, so the value of security is often hard to understand. In DevSecOps, we break security into small tasks that can be tracked, assigned, and measured like any other type of work. Security becomes part of day-to-day responsibilities and is transparent to everyone.
Continuous monitoring | When development is complete, monitoring begins: we need to constantly track the behavior of our applications to detect anomalies and possible attacks. Continuous monitoring gives insight into the application's security and provides feedback to the development team.
Prevent and protect | No team will ever produce perfect code, nor will they ever detect or stop all attackers. Therefore, the best security strategies balance secure coding during development (DevSec) with runtime protection during operations (SecOps).
Cloud security | Despite the numerous benefits of cloud solutions, they still present a big challenge from a security standpoint. In the cloud, developers can create resources in a couple of minutes and connect to the public cloud. From a DevOps standpoint this speed is attractive, but most organizations also need to protect customer data and avoid a security breach. At the same time, organizations want to use the benefits of cloud solutions. Here, a DevSecOps approach becomes mandatory, and most security decisions should be made during the design phase. The cloud also makes it easier to provide isolated environments in which developers can try out new features without putting any customer data at risk.
... This prevents developers from having the space to try out new things. As a result, DevOps teams cannot do their job properly, which delays and negatively impacts the entire SDLC. DevSecOps aims to keep things secure so that everyone can do their job at their own pace. Developers are the source of creativity in the software development workflow, so the more freedom they get, the more value they can deliver. Part of a developer's job is to try new things out, break things, and learn from failure.

REFCARD | FEBRUARY 2022

THE “THREE WAYS” OF SECURITY

APPROACH | DESCRIPTION
Keep security work on track | How do we keep security work on track?
• Increase awareness about the importance of security.
• Identify potential problems.
• Make problems instantly visible.
• Swarm on the problem.
• Seek the cause.
• Ensure security “findings” are designed for easy consumption.
• Focus on providing a solution rather than exaggerating the problem.
Encourage a security culture | Many organizations have a security culture of blind trust, blame, and hiding that prevents developers and operations from working with security. How do we create a culture of security?
• Empower everyone to challenge security design and implementation.
• Take every opportunity to make security threats, policies, architecture, and vulnerabilities visible.
• Allow everyone on the team to participate in security.
• Trust that engineering teams want to do the right thing.
• Celebrate the knowledge gleaned from security issues rather than blaming those involved.
• Spend more effort on upgrading practices and preventive measures than on vulnerability remediation and incident response.
• Plan trainings and conduct workshops to maintain continuous security throughout all teams.

By following these three ways, teams come to see security as a concrete output of the development process: a combination of security features and assurance, captured in a tangible way. By applying DevOps concepts, we can produce this concrete security continuously and effectively as part of standard software development.

GETTING STARTED WITH DEVSECOPS

Traditionally, security has been performed as a series of massive tasks spanning all risks: writing comprehensive security requirements, designing a broad security architecture, performing a thorough security test, and so on. But agility requires a risk-based approach. To accomplish security work in a DevOps organization, we prioritize security tasks and break them into small pieces for implementation.

Figure 2

This diagram shows, at a very high level, how security fits into the normal DevOps development cycle. Notice that these security augmentations are designed to fit naturally into the process: no extra steps, no gates, no delays. Instead, teams cycle quickly on small security tasks that are structured to be delivered by the development and operations teams using the tools they already use. These core practices are explored in detail later in this Refcard.

“HELLO, WORLD!” A FIRST STEP TOWARDS DEVSECOPS

Let's use a straightforward example. Imagine that we have a web application being built by a DevOps project. All we know is that the application didn't do well on a recent security scan. There is no threat model or security architecture. How should we get started with DevSecOps?

1. Analyze: Identify the next most critical security challenge
2. Secure: Implement a defense strategy
3. Verify: Automate security testing
4. Monitor and defend: Detect attacks and prevent exploits
5. Documentation

1. ANALYZE

Do not try to secure everything at once. The most critical scan findings indicate that this application has obvious SQL injection problems. The goal is to make tangible progress quickly, so deal with this first: build defenses and assurance over time in small pieces, not all at once. Create a JIRA ticket to address the SQL injection.

2. SECURE

Next, look at the SQL injection findings to determine which parts of the application are vulnerable. Once that is complete, build the defense. The best strategy to prevent SQL injection is to use parameterized queries everywhere across the codebase, backed by input validation. It may be beneficial to break this task into even smaller pieces, so fill out the details of the defense strategy in one or more tickets and start implementing them.

3. VERIFY

Use simple tools to ensure that non-parameterized queries are eliminated from the codebase. A linter or IDE plugin can warn developers as soon as they violate this rule. It is also important to re-verify automatically during CI/CD and to perform a final check prior to deployment.
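The Secure and Verify steps of this walkthrough, as an added example (this is not code from the refcard): the vulnerable query next to its parameterized replacement, and the "simple tool" that scans Python source for execute() calls whose SQL was built dynamically. The users table, its rows, the sample source being scanned and all function names are constructed for the example; only the standard library (sqlite3, ast) is used.

```python
"""SQL injection fix plus a simple verification tool, added as an example for the
"Hello, World!" walkthrough. Not code from the refcard; the users table, its two
rows, the scanned sample source and all function names are constructed."""
import ast
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' code the scan complained about: the input is pasted into the
    statement text, so quotes in it change the SQL grammar."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The 'after' code: a parameterized query. The value travels separately from
    the statement, so a quote in the input is just a character to match."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_non_parameterized_queries(source: str) -> list:
    """The Verify step's 'simple tool': parse Python source and flag every
    execute()/executemany() call whose statement is not a plain string literal.
    Names assigned inside the same function are resolved, so
    `sql = f"..."; cur.execute(sql)` is caught while
    `sql = "... = ?"; cur.execute(sql, params)` is not.
    Returns (function name, line number, how the statement was built)."""
    reasons = {"JoinedStr": "f-string", "BinOp": "concatenation or % formatting",
               "Call": "str.format() or another call",
               "Name": "value from outside the function; check how it was built"}
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        assigned = {}  # last value bound to each local name
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned[target.id] = node.value
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
                continue
            if node.func.attr not in ("execute", "executemany") or not node.args:
                continue
            stmt = node.args[0]
            if isinstance(stmt, ast.Name):
                stmt = assigned.get(stmt.id, stmt)
            if isinstance(stmt, ast.Constant) and isinstance(stmt.value, str):
                continue  # literal statement; values arrive through driver placeholders
            kind = type(stmt).__name__
            findings.append((func.name, node.lineno, reasons.get(kind, kind)))
    return findings


# Constructed source for the tool to scan: two bad patterns and one good one.
SAMPLE_SOURCE = '''
def lookup_fstring(conn, username):
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_concat(conn, username):
    return conn.execute("SELECT email FROM users WHERE username = '" + username + "'")

def lookup_parameterized(conn, username):
    sql = "SELECT email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
'''


def demo() -> dict:
    """Run the classic payload against both query styles and scan the sample source."""
    conn = build_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_rows": find_user_vulnerable(conn, payload),
        "safe_rows": find_user_safe(conn, payload),
        "flagged": find_non_parameterized_queries(SAMPLE_SOURCE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Wire `find_non_parameterized_queries` into a pre-commit hook or a CI job that fails when the list is non-empty; that is the automatic re-verification the Verify step asks for. The scanner is deliberately narrow (it only resolves simple local assignments), which is the right trade-off for a first iteration: a rule developers can understand and fix beats a clever one they argue with.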
5. DOCUMENTATION

Now that these critical security steps are complete, it is time to document everything. Document the process from design to completion so that each task is visible to the rest of the team. Documentation provides insight into what has worked and what has not, which feeds potential improvements.

Once each step is complete, start on the next security challenge. Each time we complete a challenge, we leave behind infrastructure that keeps it secure. Note that we don't want to create a fragmented set of individual defenses, so it's important to make good decisions over time about security architecture.

In DevSecOps, don't let perfect be the enemy of good. We are looking to improve our security story on every iteration. Your first attempt might be a partial solution, with sampling instead of a rigorous defense and complete testing. The goal is to get this cycle running and make measurable progress over time. Again, create documentation for each implementation to set a standard baseline for future applications.

... moment to check whether a small part of the software operates as expected.
• Dependency scanning: Every project uses various libraries, and often external libraries are pulled into the project. With dependency scanning, those libraries are checked against known vulnerabilities to ensure they are safe to use.
• Dynamic Application Security Testing (DAST): DAST tests a running application for vulnerabilities without inspecting the code inside it. This method is also known as black-box testing, and it can detect vulnerabilities such as SQL injection and cross-site scripting.
• Static Application Security Testing (SAST): Unlike DAST, SAST focuses on the code, so vulnerabilities can be found earlier in development without running the application. Tools such as Snyk can be integrated into the pipeline to scan application code continuously. This approach is efficient and saves teams time and money.
• Container scanning: Containers are great solutions, but they can become a black box for security. It is crucial to scan container images continuously for vulnerabilities, malware, and other security issues so that nothing stays off the radar.

Figure 3

...
• Attacks on libraries and frameworks
• Application inventory, including all libraries and frameworks
• Software architecture details

In general, DevSecOps favors notifications (real-time integrations into normal development and operations tools) over PDF reports. However, for some purposes, such as compliance, PDF reports may still be generated. Notification alerts: team members need to know about security events immediately, through the tools they are already using as part of their everyday job. While a single analytics system would be ideal, today you may need separate systems for vulnerabilities and for threat events.
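The dependency scanning item in the testing list above, as an added example (not code from the refcard or from any scanner product). It resolves each pinned dependency from a requirements.txt-style file and tests it against vulnerable version ranges, then decides whether the CI job should fail. The package names, versions and advisory IDs are constructed; the half-open introduced/fixed range mirrors the way public advisory feeds such as OSV describe affected versions.

```python
"""Dependency scanning, added as an example for the testing list above. Not code
from the refcard; the advisories, requirements file and package names are
constructed, and the version parser handles only dotted numeric versions."""
import re

# Constructed advisories. A package is affected when introduced <= version < fixed;
# fixed=None means no fixed release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "package": "examplelib", "introduced": "1.0.0",
     "fixed": "1.4.2", "severity": "HIGH"},
    {"id": "EXAMPLE-2022-0002", "package": "otherlib", "introduced": "0.9.0",
     "fixed": "0.9.5", "severity": "MEDIUM"},
    {"id": "EXAMPLE-2022-0003", "package": "safelib", "introduced": "3.0.0",
     "fixed": None, "severity": "CRITICAL"},
]

# Constructed requirements file, as a CI job would read it from the repository.
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed sample)
examplelib==1.3.0
safelib==2.0.1
otherlib==0.9.5   # exactly the fixed release, so not affected
unpinnedlib>=1.0  # cannot be scanned reliably: the installed version is unknown
"""

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def parse_version(text: str) -> tuple:
    """Leading dotted-numeric part of a version as a comparable tuple, e.g.
    '1.4.2' -> (1, 4, 2). Suffixes such as 'rc1' are ignored; enough for the
    sample, not a full PEP 440 parser."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def parse_requirements(text: str):
    """Return ({name: version} for '==' pins, [names] for everything else)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pinned[name.strip().lower()] = version.strip()
        else:
            unpinned.append(re.split(r"[<>=!~\[ ;]", line, maxsplit=1)[0].lower())
    return pinned, unpinned


def is_affected(version: str, introduced: str, fixed) -> bool:
    """Half-open range test: introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(pinned: dict, advisories: list) -> list:
    """Match every pinned dependency against every advisory for that package."""
    findings = []
    for adv in advisories:
        installed = pinned.get(adv["package"].lower())
        if installed is not None and is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "fixed": adv["fixed"]})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def should_fail_build(findings: list, unpinned: list, threshold: str = "HIGH") -> bool:
    """CI gate: fail on any finding at or above the threshold, and on unpinned
    dependencies, because an unknown version cannot be shown to be safe."""
    if unpinned:
        return True
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold] for f in findings)


def run(requirements_text: str = SAMPLE_REQUIREMENTS, advisories: list = SAMPLE_ADVISORIES) -> dict:
    pinned, unpinned = parse_requirements(requirements_text)
    findings = scan(pinned, advisories)
    return {"findings": findings, "unpinned": unpinned,
            "fail": should_fail_build(findings, unpinned)}


if __name__ == "__main__":
    report = run()
    for f in report["findings"]:
        print(f"{f['severity']}: {f['package']}=={f['installed']} affected by "
              f"{f['advisory']}, fixed in {f['fixed']}")
    for name in report["unpinned"]:
        print(f"UNPINNED: {name}")
    print("build should fail:", report["fail"])
```

Two design points carry over to real scanners: the boundary is half-open (the fixed release itself is clean), and an unpinned dependency is treated as a finding in its own right rather than silently skipped, since a lockfile is what makes the scan result reproducible in the first place.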
Table 4
ESSENTIAL DEVSECOPS SYSTEMS

SYSTEM | DESCRIPTION
Smart alerting | It is vital to design a smart alerting system for monitoring, whether the goal is security or something else. “Smart” here means that the monitoring platform raises an alert only when an action needs to be performed. This requires alerts to be designed and tuned so that nobody is spammed with unimportant alerts. For example, a service that is slower than usual but not slow enough to have a considerable impact on the whole system is a low-severity incident: it should be investigated later, but it should not interrupt anyone's workflow.
Intelligent security analysis | Use a platform that processes monitoring information continuously and identifies anomalies. This makes security monitoring much easier for security and DevOps engineers. One example is threat protection on Azure, a collection of security services and features that provides an overview of what is happening in your application at any time. Choosing the right platform for your infrastructure and configuring the right tools can significantly improve security monitoring operations.
Centralize security monitoring | A critical aspect of security monitoring is centralizing all security issues and managing monitoring from one place. Especially for enterprise organizations, a bird's-eye view is necessary; without it, one can easily lose track of what is happening, at great cost to the organization. In the cloud, this is called security posture management. As an example, Azure Sentinel connects to each different solution to collect data; inside Azure Sentinel you are notified of previously undetected incidents and can investigate them using artificial intelligence and other features, which helps to respond to incidents rapidly and stay compliant. Another example is AWS Security Hub, which provides cloud security posture management. So there are options for security monitoring on any platform you choose, and knowing them upfront helps you plan your security roadmap accordingly.

Implementing a notification infrastructure encourages downstream security stakeholders (developers, testers, operations, audit, executives, etc.) to work closely with upstream providers (such as security testers) to ensure that the work is optimized for them. Your DevSecOps pipeline should be designed for very tight feedback loops: think seconds, not hours, weeks, or months. The faster you can get feedback to the people that need it, the more secure and cost-effective your DevSecOps pipeline will be.

In the beginning, a DevSecOps pipeline will verify only a few simple things about the software. Over time, as challenges are addressed, you will automate verification of more and more of the security strategies and defenses. The long-term goal is to migrate from manual security testing to a fully automated pipeline capable of deploying secure code directly into production without gates.

CHOOSING SECURITY TOOLS AND TECHNOLOGIES

Here are a few of the attributes to consider when choosing security tools and technologies to build your DevSecOps pipeline across the entire SDLC. Note that there is no single best set of tools for DevSecOps. The tools you choose should match how you build software, your goals, your culture, and the other technologies you use.

Table 5
CONSIDERATIONS FOR DEVSECOPS TOOL SELECTION

CONSIDERATION | DESCRIPTION
Policy coverage | First and foremost, confirm that the tool actually covers the risks you need it to cover. Many products have surprising shortcomings in this area. See the OWASP Benchmark Project for help.
Accuracy | Accuracy (eliminating both false positives and false negatives) is critical. Inaccuracy means humans have to fix results, which will destroy your pipeline. Test your tools carefully to be sure they accurately verify what you need.
Speed | Test whether tools are fast enough to work as part of your DevSecOps pipeline. That may be microseconds, seconds, or minutes, but probably not hours and certainly not days.
Scale | Consider the size of your application portfolio and whether the tools you select can operate continuously, in parallel, and across the entire portfolio. Factor in the number of people you need to make that work.
Process fit | Verify that the tools are useful without a complex installation process. When well-meaning security folks buy tools for development and operations teams, it causes friction if the tools aren't compatible with the teams' technology stack or workflow. Engage the actual users in the evaluation and run pilots to confirm that the tools are easy to install and use.
Integrations | Verify that the tool integrates with the tools people in your DevOps toolchain are already using. Look for well-documented, supported REST APIs and SDKs in a variety of languages, IDE plugins, webhook support, ChatOps integrations such as HipChat and Slack, notifications via PagerDuty and VictorOps, and SIEM integrations such as Splunk.
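The smart alerting row of Table 4 and the notification paragraph above, as an added example (not code from the refcard or from any monitoring product): observations are compared to their own baseline, a rule expresses "how many times worse than normal", and the resulting severity picks the channel so that only HIGH interrupts someone while LOW becomes a ticket for later, which is exactly the "slower than usual but not impactful" case the table describes. The metrics, thresholds, services and events are constructed, and the outbox list stands in for the PagerDuty, chat and ticketing integrations the Integrations row lists.

```python
"""Smart alerting and notification routing, added as an example for Table 4 and
the notification paragraph above. Not code from the refcard or any product;
rules, thresholds, services and events are constructed."""

# Ratio-to-baseline thresholds per metric, checked highest first. Constructed values.
RULES = {
    "p95_latency_ms": [(3.0, "HIGH"), (1.5, "LOW")],
    "http_5xx_rate": [(5.0, "HIGH"), (2.0, "MEDIUM")],
    "failed_logins_per_min": [(10.0, "HIGH"), (3.0, "MEDIUM")],
}
# Severity decides who is interrupted: page a human, post to the team chat, or file a ticket.
ROUTES = {"HIGH": "page", "MEDIUM": "chat", "LOW": "ticket"}


def classify(metric: str, value: float, baseline: float):
    """Severity for one observation, or None when it is within normal range.
    Metrics without a rule are deliberately ignored: an alert nobody can act
    on is noise, not monitoring."""
    if baseline <= 0:
        raise ValueError(f"baseline for {metric} must be positive")
    ratio = value / baseline
    for threshold, severity in RULES.get(metric, []):
        if ratio >= threshold:
            return severity
    return None


class AlertRouter:
    """Turns observations into routed notifications and suppresses repeats of
    the same (service, metric, severity) inside a quiet window."""

    def __init__(self, quiet_window_s: int = 600):
        self.quiet_window_s = quiet_window_s
        self._last_sent = {}  # (service, metric, severity) -> timestamp of last notification
        self.sent = []  # constructed outbox standing in for PagerDuty/Slack/Jira calls

    def handle(self, event: dict):
        """event: {"ts": seconds, "service", "metric", "value", "baseline"}.
        Returns the channel used, "suppressed", or None when no alert is warranted."""
        severity = classify(event["metric"], event["value"], event["baseline"])
        if severity is None:
            return None
        key = (event["service"], event["metric"], severity)
        last = self._last_sent.get(key)
        if last is not None and event["ts"] - last < self.quiet_window_s:
            return "suppressed"
        self._last_sent[key] = event["ts"]
        channel = ROUTES[severity]
        self.sent.append({"channel": channel, "severity": severity,
                          "service": event["service"], "metric": event["metric"],
                          "ratio": round(event["value"] / event["baseline"], 2)})
        return channel


# Constructed observations, in time order (ts in seconds).
SAMPLE_EVENTS = [
    {"ts": 0,   "service": "api",  "metric": "p95_latency_ms",        "value": 260, "baseline": 200},
    {"ts": 60,  "service": "api",  "metric": "p95_latency_ms",        "value": 420, "baseline": 200},
    {"ts": 120, "service": "api",  "metric": "p95_latency_ms",        "value": 430, "baseline": 200},
    {"ts": 180, "service": "auth", "metric": "failed_logins_per_min", "value": 240, "baseline": 20},
    {"ts": 900, "service": "api",  "metric": "p95_latency_ms",        "value": 410, "baseline": 200},
    {"ts": 960, "service": "api",  "metric": "cpu_percent",           "value": 95,  "baseline": 40},
]


def route_all(events: list = SAMPLE_EVENTS) -> list:
    """Outcome per event for a fresh router with a ten-minute quiet window."""
    router = AlertRouter(quiet_window_s=600)
    return [router.handle(e) for e in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, route_all()):
        print(f"t={event['ts']:>4} {event['service']}/{event['metric']}: {outcome}")
```

Run over the sample, the 1.3x latency blip is ignored, the 2.1x slowdown becomes a ticket and its repeat a minute later is suppressed, the twelvefold spike in failed logins pages someone, and the same slowdown fourteen minutes later is ticketed again because the quiet window has passed. Tuning happens in RULES and the quiet window, not by muting channels.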
Security on the cloud | In cloud solutions, security is a shared responsibility between the cloud provider and the customer. Even as cloud architectures grow more complex, controlling events is much easier than in on-premise architectures. The interesting thing about cloud architectures is that you can add these options to your design before writing any line of code, so the solution design is already hardened before implementation. Additionally, every resource is created by code, which lets engineers think about security issues earlier in the development process. Cloud providers publish best practices for firewalls, network security groups, DDoS protection, identity management, and so on, and offer tools and products to implement and monitor these measures.

DEVSECOPS CORE PRACTICES

DevSecOps takes a very agile approach to security, breaking down massive security tasks into incremental improvements that are performed as everyday development tasks. These small batches of work include continuous verification, so that security builds up over time instead of repeatedly starting from scratch.

DevSecOps brings a culture of “security for everyone” to teams. Everyone has a significant role to play in security at their organization. Security specialists are critical in this by mentoring, advising, and leading teams to ensure quality and security.

Once we've identified the next security challenge, our normal engineering process can execute on the improvement. In this section, we explore four core practices of any DevSecOps initiative. Of course, your DevSecOps process might be considerably more complex. See the next section for more ideas, or add your own practices to this basic cycle. This continuous cycle of building defenses and attempting to break them is what actually makes organizations more secure. The faster you can repeat this DevSecOps cycle, the faster you can improve security. Over time, you'll build a complete security story that will provide assurance both internally and externally.

1. ANALYZE: IDENTIFY YOUR NEXT MOST CRITICAL SECURITY CHALLENGE

Why should one always focus on the most critical security challenge? Generally, working on anything else won't change your security posture very much. It doesn't help to close the attic window when the garage and front door are wide open. In DevSecOps, we get the work flowing by creating small batch sizes. So, in most cases, we want to work on our enterprise's most critical security challenge first. Still, don't be afraid to choose a partial measure or a tiny improvement to your most critical challenge. Working in small increments makes sure we stay on track.

When deciding what to work on next, the team looks at all the potential security “work” available and makes it visible. The team might add new features, pay down some technical debt, make an architectural improvement, fix defects or vulnerabilities, or do something to improve the team's tools or practices to improve quality, security, or productivity.

It's important that the team use its threat model and security architecture to make an informed decision about the next most critical security challenge. What is the cost to the company of certain kinds of attacks? What is the cost of implementing preventive measures for those attacks? Use both internal and external data sources to figure out the next thing to do that will most effectively reduce risk.

You may find yourself without a threat model or security architecture. Fortunately, in DevSecOps, these artifacts are created one step at a time. When you're starting out, it's easy to identify your top challenges: the problems that are the most likely to be found, exploited, and cause serious damage, such as injection, authorization problems, known vulnerabilities, etc.

Consider all the different layers of your application stack:

Table 6
SECURITY CONSIDERATIONS FOR LAYERS OF THE APPLICATION STACK

LAYER | CONSIDERATION(S)
Cloud resources | Are applications and customer data secure? Do we have an authorization matrix in place to make sure the right people have the right access? Are networking configurations set correctly for each resource? Do we have penetration test results for public-facing resources?
Network | Do you have strong network security defenses in place, and are they monitored for attacks?

Use a risk-based approach to decide what to work on next. Be sure to consider whether there is a viable connection between a threat agent, attack vector, weakness, technical impact, and business impact in your enterprise. OWASP depicts this connection as follows:

Figure 5

In an agile process, you have defined stories and tasks for each sprint. The product owner defines new feature requests and their priority level. This usually applies to application features and not to security. In a DevSecOps approach, security is also treated as a high-priority feature added to the backlog. Security specialists consult on what needs to be done, and all team members can participate in implementation, test, and delivery. This prevents security silos, and security expertise is shared between all team members, from developers to testers and DevOps engineers.

Going forward, you should practice a combination of threat intelligence and security research to continuously zero in on your next most critical security challenge.

Table 7
DEVSECOPS THREAT INTELLIGENCE, SECURITY RESEARCH, AND SECURITY ARCHITECTURE

STRATEGY | DESCRIPTION
Threat intelligence | External sources: ISACs (STIX/TAXII), OWASP, SANS, BlackHat, DefCon, LASCON, DevSecCon, CISO events, friendly peer companies, etc. Internal sources: monitor your systems for attacks and learn from the data. Understanding actual attacks is a major factor in prioritizing.
Security research | Security research should focus on challenging security architectures and identifying new strategic ways to improve security. Where possible, work with development to enhance the DevSecOps pipeline with new testing methods.
Security architecture | There is a shortage of great threat modeling and security architecture tools, but some interesting projects include OWASP Threat Dragon, IriusRisk, and chaos engineering tools (Chaos Monkey, ChaoSlingr).

You'll have to work out your own cadence for re-examining your threat model. Increasing your cycle speed will directly affect the level of security you are able to achieve. And because DevSecOps adds to your security incrementally with continuous security verification (discussed below), you have protection against backsliding.

2. SECURE: IMPLEMENT A DEFENSE STRATEGY

Once you've decided on a security challenge to tackle, you'll need to choose a defense strategy. A defense strategy isn't a single security mechanism or product. It can combine technical security mechanisms, secure coding practices, procedural controls, supporting processes, training, background checks, and more. We use the term “defense strategy” broadly to include anything you rely on to prevent a breach. Your defense strategy for a particular challenge can (and probably should) comprise one or more primary defenses and a set of supporting defenses as well.

... ticket that covers each security enhancement that you want to make, including:

STRATEGY | DESCRIPTION
Challenge description | The goal is to justify concisely why this is an important security challenge. This might take the form of a security story or misuse case. The description should cover the elements shown in the OWASP diagram above.
Defense story | This story should detail exactly how the defense should work. For technical defense mechanisms, the story should clearly detail how the threat is countered and why this defense is effective. For other defenses, argue how they work to provide protection.
Documentation | As part of the defense strategy, consider how to configure, operate, and use these defenses. This guidance should be written as a tutorial for end-users and operations staff, and should also indicate how developers should use the defense effectively. Document all operations and implementations to prevent rework in the future.
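The risk-based prioritization described in the Analyze section above (the threat agent, attack vector, weakness and impact chain of the OWASP diagram, which the challenge description is asked to cover), carried through as an added example rather than code from the refcard. It implements the OWASP Risk Rating Methodology: each likelihood factor (threat agent and vulnerability) and each business impact factor is scored 0 to 9, the averages are bucketed into LOW, MEDIUM and HIGH, and the two levels are combined through the standard severity matrix to rank a backlog. The three challenges and every score are constructed; a real assessment would take them from the team's threat model and incident data.

```python
"""Risk-based prioritization with the OWASP Risk Rating Methodology, added as an
example for the Analyze section. Not code from the refcard; the challenges and
all factor scores are constructed."""
from dataclasses import dataclass

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                               # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# (likelihood level, impact level) -> overall severity, as in the OWASP methodology.
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "NOTE",    ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}
SEVERITY_RANK = {"NOTE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Challenge:
    name: str
    likelihood: dict  # factor name -> score 0..9
    impact: dict      # factor name -> score 0..9


def average(scores: dict, factors: tuple) -> float:
    """Mean of the named factors; refuses missing or out-of-range scores so a
    half-filled assessment cannot silently rank low."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} must be between 0 and 9, got {scores[f]}")
    return sum(scores[f] for f in factors) / len(factors)


def level(score: float) -> str:
    """OWASP buckets: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"


def rate(challenge: Challenge) -> dict:
    likelihood = average(challenge.likelihood, LIKELIHOOD_FACTORS)
    impact = average(challenge.impact, IMPACT_FACTORS)
    return {"name": challenge.name, "likelihood": likelihood, "impact": impact,
            "severity": SEVERITY_MATRIX[(level(likelihood), level(impact))]}


def prioritize(challenges: list) -> list:
    """Most critical first; ties inside a severity are broken by likelihood x impact."""
    return sorted((rate(c) for c in challenges),
                  key=lambda r: (SEVERITY_RANK[r["severity"]], r["likelihood"] * r["impact"]),
                  reverse=True)


# Constructed backlog for the walkthrough's web application.
SAMPLE_CHALLENGES = [
    Challenge("SQL injection in the public login form",
              likelihood={"skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
                          "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
                          "intrusion_detection": 8},
              impact={"financial_damage": 7, "reputation_damage": 9, "non_compliance": 7,
                      "privacy_violation": 7}),
    Challenge("No rate limit on the internal admin API",
              likelihood={"skill_level": 5, "motive": 4, "opportunity": 4, "size": 2,
                          "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4,
                          "intrusion_detection": 3},
              impact={"financial_damage": 3, "reputation_damage": 4, "non_compliance": 2,
                      "privacy_violation": 3}),
    Challenge("Stack traces shown on the error page",
              likelihood={"skill_level": 1, "motive": 1, "opportunity": 9, "size": 9,
                          "ease_of_discovery": 9, "ease_of_exploit": 1, "awareness": 9,
                          "intrusion_detection": 1},
              impact={"financial_damage": 1, "reputation_damage": 1, "non_compliance": 1,
                      "privacy_violation": 1}),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_CHALLENGES):
        print(f"{r['severity']:<8} L={r['likelihood']:.2f} I={r['impact']:.2f}  {r['name']}")
```

The point of the matrix is visible in the third challenge: it is almost certain to be found (likelihood 5.0) yet rates only LOW, because nothing of value is behind it. That is the "attic window" of the Analyze section, and the ordering tells the team to open the SQL injection ticket first.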
POPULAR DEVSECOPS AUTOMATION TECHNIQUES

QUESTION | RECOMMENDATION
Positive or negative testing? | Are we able to verify that the application always follows a known-good pattern of execution (positive security), or will we have to resort to verifying that the application never follows any of the known bad patterns of execution (negative security)?
Do we already test for it? | You may be using a security testing tool that covers this risk. It's critical to confirm that your tool does a good job of accurately and efficiently verifying your security defense.
Do we already have a platform that will allow us to test this easily? | Perhaps you just need to enable a rule in a tool you're already using. Or maybe you can use an existing tool as a platform for creating a custom rule.
Can we test it by writing custom tests? | If we can't use a security testing platform, can we create a custom test case?
Is there another tool on the market that can help test this? |
• Network: nmap, sslyze, ssh_scan, Tenable, Qualys.
• Cloud/container: Aqua, Twistlock, Redlock, ThreatStack.
• Libraries/frameworks: OWASP Dependency Check, retire.js, Contrast Assess, Snyk, Sonatype, BlackDuck.
• Application: OWASP ZAP, Arachni, sqlmap, Burp, Contrast Assess, Micro Focus, CA Veracode, Synopsys, Checkmarx.

DEVSECOPS ATTACK DETECTION AND PREVENTION TOOLS

TOOL | DESCRIPTION
Runtime Application Self-Protection (RASP) | RASP uses application instrumentation to add attack detection and prevention directly to applications, regardless of where or how they are deployed. DevSecOps projects can use RASP to achieve accurate attack blocking and the flexibility to deploy easily in cloud/container environments. Examples: Contrast Protect, Prevoty, Immunio.
Web Application Firewall (WAF) | WAFs have been on the market since the early 2000s and have a history of complex configuration and spotty protection. Nevertheless, a DevSecOps project might be able to use a WAF for basic protection or as a platform for virtual patches. Examples: ModSecurity, Imperva, F5, Signal Sciences.
Network Intrusion Detection and Prevention (IDS/IPS) | There is a variety of network-, container-, and host-level protections against attacks. Seek out products that can be deployed and managed as part of your standard technology stack. Examples: Snort, Suricata, Bro, Kismet.
Security Information and Event Management (SIEM) | SIEM tools provide real-time analysis of security alerts generated by applications and network hardware and are important to handling attacks in DevSecOps. Examples: Splunk, ELK, SumoLogic, LogRhythm, ArcSight.
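The "custom tests" and "positive security" rows of the automation table above, applied to the authorization matrix that Table 6 asks about, as an added example (not code from the refcard). The test is positive in the table's sense: it enumerates every (role, resource, action) the system could be asked to decide and requires that exactly the combinations on an explicit allowlist succeed, so an accidental over-grant fails the build even though nobody wrote a "bad pattern" test for it. The roles, resources, actions and the matrix are constructed.

```python
"""Positive-security test for an authorization matrix, added as an example for
the automation table and Table 6. Not code from the refcard; roles, resources,
actions and the matrix are constructed."""
from itertools import product

ROLES = ("anonymous", "viewer", "editor", "admin")
RESOURCES = ("report", "user")
ACTIONS = ("read", "create", "update", "delete")

# Constructed authorization matrix: role -> resource -> allowed actions.
# Anything not listed is denied (default deny).
AUTHZ_MATRIX = {
    "viewer": {"report": {"read"}},
    "editor": {"report": {"read", "update"}},
    "admin": {"report": {"read", "update", "delete"}, "user": {"read", "create", "delete"}},
}


def is_allowed(matrix: dict, role: str, resource: str, action: str) -> bool:
    """The decision function under test. Unknown roles, resources or actions fall
    through to deny rather than raising, which is what a request path wants."""
    return action in matrix.get(role, {}).get(resource, set())


def expected_allowlist() -> set:
    """The known-good pattern, written out explicitly so the test does not simply
    restate the matrix it checks. Keep it next to the threat model and review
    every change to it like a code change."""
    return {
        ("viewer", "report", "read"),
        ("editor", "report", "read"), ("editor", "report", "update"),
        ("admin", "report", "read"), ("admin", "report", "update"), ("admin", "report", "delete"),
        ("admin", "user", "read"), ("admin", "user", "create"), ("admin", "user", "delete"),
    }


def positive_security_check(matrix: dict, allowlist: set) -> list:
    """Every (role, resource, action, kind) where the decision differs from the
    allowlist: 'over-grant' is a security bug, 'missing-grant' a functional one.
    An empty list means the matrix matches the known-good pattern exactly."""
    violations = []
    for role, resource, action in product(ROLES, RESOURCES, ACTIONS):
        decision = is_allowed(matrix, role, resource, action)
        expected = (role, resource, action) in allowlist
        if decision and not expected:
            violations.append((role, resource, action, "over-grant"))
        elif expected and not decision:
            violations.append((role, resource, action, "missing-grant"))
    return violations


def least_privilege_report(matrix: dict) -> dict:
    """Share of all possible combinations each role may perform; a role whose
    share creeps toward the admin's is a sign of privilege accumulation."""
    total = len(RESOURCES) * len(ACTIONS)
    return {role: sum(is_allowed(matrix, role, r, a) for r, a in product(RESOURCES, ACTIONS)) / total
            for role in ROLES}


if __name__ == "__main__":
    print("violations:", positive_security_check(AUTHZ_MATRIX, expected_allowlist()))
    broken = {**AUTHZ_MATRIX, "viewer": {"report": {"read", "delete"}}}
    print("violations after a bad change:", positive_security_check(broken, expected_allowlist()))
    print("share of combinations allowed:", least_privilege_report(AUTHZ_MATRIX))
```

A negative test would assert a handful of things a viewer must not do; the positive form closes the whole space, including roles and actions that did not exist when the test was written, which is why it survives the "explode" of a monolith into many services better than a list of forbidden cases.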
Any security issues discovered during testing should feed into the DevSecOps management infrastructure described above, so that everyone who needs to know is notified through the tools they are already using.

4. DEFEND: DETECT ATTACKS AND PREVENT EXPLOITS

DevSecOps organizations recognize that you can never test yourself secure, so they adopt a balanced approach that focuses on minimizing vulnerabilities during development and on identifying and preventing the exploitation of vulnerabilities in production. While these two activities have traditionally been separated, DevOps has brought them together by supporting the full software lifecycle.

Don't reinvent authentication, authorization, or encryption for every application and API you build. This reduces the amount of security work that must be done and simplifies the organization's security architecture. Achieving effective enterprise security architecture in a DevSecOps manner is beyond the scope of this document, but these guidelines are reasonable first steps.

Table 12
GUIDELINES FOR EFFECTIVE ENTERPRISE SECURITY ARCHITECTURE

It's worth noting that in most organizations, only a small percentage of projects are very far along in their DevOps journey. So, managing the transition to DevSecOps across an entire application portfolio is a key part of the challenge.

STANDARD DEFENSES AND ENTERPRISE SECURITY ARCHITECTURE

Generally, DevSecOps organizations, particularly those with large application portfolios, prefer standard security defenses that are heavily tested for correctness and effectiveness. In practice, this translates to a few important strategies:

Table 13
STRATEGIES FOR SECURE, EFFECTIVE SOFTWARE MANAGEMENT

STRATEGY | DESCRIPTION
Show some restraint | Be cautious about the libraries and frameworks that you adopt. Stick to projects that demonstrate a solid security program, evidence of security testing, and effective response to new vulnerabilities.
Explode | Perimeters are no longer effective at stopping attacks, so the first step is to break up your monolithic internal infrastructure into smaller distributed workloads.
Offload | Second, take advantage of the security and cost benefits of moving these new, smaller workloads to virtual cloud and container infrastructure.
Reload | Finally, re-establish continuous security for each of your newly virtualized workloads by selecting and deploying modern protection technology at the application, library, container, and network layers.

... developers to adopt open-source libraries such as Bootstrap, Angular JS, OpenStack, etc. Although using these libraries lets you create software much more rapidly, what many may not realize is that this convenience comes at a risk. Not all of these libraries are tested against security best practices, and some of them constantly release new upgrades that need to be verified. This means that you must take full responsibility for the security of all of that software.

This strategy is very compatible with DevSecOps, as it allows efficient centralized security management with distributed enforcement for speed and accuracy.

CREATE A SECURITY CULTURE

Some companies simply seem to have the ability to take security seriously, focus, and do a great job. But others, even companies that seem to follow all the same practices and use the same tools, are simply terrible at security. The difference is culture. And while culture is a difficult thing to change, there are a few key practices that have worked in organizations and should be part of a DevSecOps program.

Table 15

Security in sunshine | Make security as visible as possible. Be sure that vulnerability and attack data are never used to shame people. Instead, celebrate security risks as the fastest path to learning and improving. Only when security is visible can you achieve a culture of making informed risk decisions.

WHAT'S NEXT FOR DEVSECOPS?

DevSecOps is still in its formative stages. The best way to get involved is to implement DevSecOps in your organization and publish your experiences. Here are some sources of additional information:

• The Phoenix Project
• Microsoft Azure DevSecOps
• AWS DevSecOps Blog
• GitHub's Architect's Guide to DevOps
• Integrating Security Into the DNA of Your Software Lifecycle

Copyright © 2022 DZone, Inc. All rights reserved.