Introduction

The term ‘DevSecOps’ refers to the application of security principles and practices throughout the ‘DevOps’ life cycle of application development and system operations.

Historically, technology security has often been an afterthought in application development, addressed only at the end of the development life cycle. For classical ‘waterfall’ projects this was acceptable, as the rate of change was low.

With ‘DevOps’ practices such as ‘continuous delivery’, however, the pace of change has increased dramatically. There is therefore a drive to ‘shift left’: to implement security and its related governance earlier in development, and ultimately to treat security as part of every stage of the software development life cycle, rather than as a final gate.
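As an illustration of what ‘shift left’ means in practice, the following is an added example (not material from the original page or from the specialist group): a minimal static check of the kind a CI/CD pipeline runs on every commit, failing the build when a hardcoded credential or a risky call is found. The rule set, severity levels, file path and file contents are illustrative assumptions, not any particular tool's rules.

```python
"""
Added example: a minimal 'shift-left' security gate for a CI/CD pipeline.
Runs a small static check over source text and returns a non-zero exit code
when findings reach a threshold. Rules, severities and sample input are
illustrative assumptions, not a real product's rule set.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str  # "high" or "medium" (illustrative levels)
    text: str


# Illustrative rules: (rule id, severity, compiled pattern).
# The AWS access key id format (AKIA + 16 upper-case alphanumerics) is the
# published format; the remaining rules are deliberately simple heuristics.
RULES = [
    ("hardcoded-aws-key", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-password", "high",
     re.compile(r"(?i)(password|passwd|secret)\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("shell-true", "medium", re.compile(r"shell\s*=\s*True")),
    ("eval-call", "medium", re.compile(r"\beval\(")),
]

SEVERITY_RANK = {"medium": 1, "high": 2}


def scan_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match in `source`, comments skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out code is not a live finding
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, severity, stripped))
    return findings


def gate(findings: list[Finding], fail_on: str = "high") -> int:
    """Pipeline exit code: 1 if any finding is at or above `fail_on`, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return 1 if blocking else 0


# Constructed sample input standing in for a file touched by a commit.
SAMPLE_PATH = "app/deploy.py"
SAMPLE_SOURCE = """\
import subprocess
# password = "not-a-real-secret"  (comment, should be ignored)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
subprocess.run("ls " + user_input, shell=True)
"""


def run_gate(path: str = SAMPLE_PATH, source: str = SAMPLE_SOURCE,
             fail_on: str = "high") -> tuple[list[Finding], int]:
    """Scan one file, print findings in a compiler-style format, return exit code."""
    findings = scan_source(path, source)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.severity}] {f.rule}: {f.text}")
    return findings, gate(findings, fail_on)


if __name__ == "__main__":
    _, code = run_gate()
    sys.exit(code)
```

Run against the constructed sample this reports the AWS key and the password as high-severity findings and the `shell=True` call as medium, and exits with code 1 so the pipeline stops before the change is merged; the threshold is what lets a team start by blocking only on high-severity findings and tighten it as the backlog shrinks.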

Topics

The DevSecOps specialist group focuses on the technologies and practices that support this approach to security and application development. These include, but are not limited to:

  • Software development life cycle
  • Continuous Integration / Continuous Delivery (CI/CD)
  • Automated testing - including Static Application Security Testing (SAST)
  • Container security - including container runtimes (Docker et al) and orchestrators (Kubernetes, Mesos, Swarm et al)
  • Serverless application security
  • Network security technologies - including stateful packet filtering, application firewalling, intrusion detection/prevention, VPNs and denial of service protection
  • Logging and event management (SIEM et al)
  • Automated security governance and policy enforcement
  • Data security, at rest and in transit - including encryption, key management, disaster recovery and resilience technologies
  • Identity, authentication, access management and protection technologies
  • Security within the software development life cycle
  • Infrastructure control plane security (i.e. security of IT platform management tooling itself, not just the applications)

These apply across any IT environment, from on-premises and hosted private cloud through to hyperscale public cloud (AWS, Azure, GCP et al).

Engagement Approach

These topics will be covered through events of the following format:

  • Introduction to topics - Seminars (1-2 hours)
    • What is DevOps? What is DevSecOps? How is the software development life cycle changing?
    • What are CI and CD, and what are the common tools (Git, Jenkins, etc.)?
    • What are agile methodologies such as Scrum, and how do they compare with traditional approaches?
    • What is cloud: private, public and hybrid?
  • Technology spotlight - Seminars (1-2 hours)
    • Single vendor or technology focus
    • Technology demonstrations from vendors
  • Security process and practice - Seminars (1-2 hours)
    • Governance, control, audit, compliance
  • Workshop / Interactive (hands on, ½ day to 1 day)
    • Deep dive workshops, facilitated through a vendor