2019/en/src/0xb1-next-devsecops.md
Lines changed: 6 additions & 4 deletions
@@ -3,8 +3,8 @@ What's Next For DevSecOps
3
3
4
4
Due to their importance in modern application architectures, building secure
5
5
APIs is crucial. Security can not be neglected and it should be part of the
6
-
whole development life-cycle. Scanning and penetration testing on a yearly basis
7
-
are not enough anymore.
6
+
whole development life-cycle. Scanning and penetration testing yearly are not
7
+
enough anymore.
8
8
9
9
DevSecOps should join the development effort, facilitating continuous security
10
10
testing across the entire software development life-cycle. Their goal is to
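Review bot: the reworded sentence in this hunk ("Scanning and penetration testing yearly are not enough anymore") is tighter than the original but leaves "yearly" dangling between the two activities, so it can read as applying only to penetration testing. Consider "Annual scanning and penetration testing are no longer enough." which keeps the line short and makes the cadence apply to both.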
@@ -15,10 +15,12 @@ In case of doubt, better refreshing the [DevSecOps Manifesto][1].
15
15
16
16
|||
17
17
|-|-|
18
-
|**Understand the Threat Model**|b|
19
-
|**Understand the SDLC**||
18
+
|**Understand the Threat Model**|Testing priorities come from a threat model. If you don't have one, consider using [OWASP Application Security Verification Standard (ASVS)][2] and the [OWASP Testing Guide][3] as an input. Involving the development team may help to make them more security-aware.|
19
+
|**Understand the SDLC**|Join the development team to better understand the Software Development Lifecycle. Your contribution on continuous security testing should be compatible with people, processes and tools. Everyone should agree with the process so that there's no unnecessary friction or resistance. |
20
20
|**Testing Strategies**||
21
21
|**Achieving Coverage and Accuracy**||
22
22
|**Clearly Communicate Findings**| Contribute value with less or no friction. Deliver findings in a timely fashion, in the tools development teams are using (not PDF files). Join the development team to address the findings. Take the opportunity to educate them, clearly describing the weakness and how it can be abused, including an attack scenario to make it real. |
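Review bot: the new "Understand the Threat Model" cell introduces references [2] and [3], which are not visible in this hunk; please confirm the link definitions for [2] (OWASP ASVS) and [3] (OWASP Testing Guide) exist at the bottom of the file, otherwise the rendered page shows bare bracketed text. The hunk also fixes the stray placeholder "b" in the removed row, which is good, but the "Testing Strategies" and "Achieving Coverage and Accuracy" rows still have empty description cells; either fill them in this change or mark them as pending in the commit message so the partial table is not mistaken for finished content. Minor: the "Understand the SDLC" cell ends with a trailing space before the closing "|" ("resistance. |"), unlike the other rows.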