🔥 DevSecOps is no longer an “add-on”, but a must-have for business
In an article for RBC Trends, I shared my experience: we analyze why security has stopped being “something for later” and has become part of development itself.
Note: according to a Positive Technologies study, 83% of Russian corporations already apply security practices when building their own software.
The article lays out thoughts on the DevSecOps approach and on how information security is built into development at a fundamental level.
Alexander Samsonov (Security Code), Svetlana Gazizova (Positive Technologies), and my LANIT colleagues Nikolay Salnikov and Alexander Cherbunin also share their experience.
Key thoughts that will resonate with many:
- Tools are not DevSecOps. Without processes and culture, they turn into expensive decorations
- The main resistance comes not from technology, but from people: the habit of “we write the code, and then you check it” is too strong
- It is better to start with small steps: integrate checks into CI/CD, establish triage, and gradually raise the team's culture.
- It is not “extra work” but time saved: at the start and during development, rather than at the end, when the feature is already in production and the consequences are real.
- The most valuable thing in working with information security is PRE- and POST-conditions: a system of constraints and assumptions on which we can reach agreement.
To put it plainly: automation is only 20% of success. The remaining 80% is how people reach agreement with each other, take responsibility for security, and understand what they are doing. I have attached my own key thoughts to the post.
Read the article: DevSecOps practices: how business approaches to digital security are changing
#backroom #devsecops #paper #pmcases #vulnmanagement #specialty
