- Pretty good introduction to DevSecOps, in the first half hour of this video.
- Short article on why we want to shift security left.
And a few thoughts and quotes I stole... ehm... gathered from people who are smarter than me:
- Teams that do peer reviews for all their code are usually doing real DevOps (this was used to distinguish real DevOps from merely using DevOps-y tools and calling it a day; DevOps is not just about tools!).
- Every time I do an architecture review (from a security perspective), I should ask myself: how do I make sure that next time I don't need to perform this? Automate it or teach a developer to do it, because security engineers can't scale to all the dev teams of any company.
- If we have embraced CI/CD, there is no room for a manual security gate/audit/review. Everything has to be automated, short-cycled and repeatable!