What is the Manifest of DevSecOps?

The DevSecOps Manifesto is a set of principles that outline how security should be integrated into the entire software development lifecycle (SDLC). The manifesto was created by the DevSecOps community in 2013 and is still evolving today.

The following are the key principles of the DevSecOps Manifesto:

  • Leaning in over Always Saying “No”: Security should be seen as an enabler rather than a blocker. Security teams should be willing to work with development teams to find ways to implement security without slowing down the development process.
  • Data & Security Science over Fear, Uncertainty and Doubt: Security teams should use data and evidence to make decisions, rather than relying on gut instinct or fear. This means investing in security tools and processes that can collect and analyze data about security risks.
  • Open Contribution & Collaboration over Security-Only Requirements: Security teams should collaborate with development teams and other stakeholders throughout the SDLC. This means sharing security information and working together to find solutions that meet the needs of everyone involved.
  • Consumable Security Services with APIs over Mandated Security Controls & Paperwork: Security teams should provide security services that are consumable by development teams. This means using APIs and other tools that make it easy for developers to integrate security into their workflows.
  • Business Driven Security Scores over Rubber Stamp Security: Security teams should focus on measuring the security of their products and services in a way that is meaningful to the business. This means using metrics that measure the impact of security risks on the business, rather than simply checking boxes on a checklist.
  • Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities: Security teams should use a combination of red teaming and blue teaming exercises to test the security of their products and services. This means actively trying to exploit vulnerabilities, rather than simply relying on scans and other automated tools.
  • 24×7 Proactive Security Monitoring over Reacting after being Informed of an Incident: Security teams should continuously monitor their systems for security threats. This means using a variety of tools and techniques to detect and respond to threats as quickly as possible.
  • Shared Threat Intelligence over Keeping Info to Ourselves: Security teams should share threat intelligence with each other. This means sharing information about known vulnerabilities and attack vectors, so that everyone can be aware of the risks.

The DevSecOps Manifesto is a living document that is constantly evolving. As the security landscape changes, the manifesto will need to be updated to reflect the latest best practices.

The DevSecOps Manifesto is a valuable resource for organizations that are looking to adopt a more secure approach to software development. By following the principles of the manifesto, organizations can improve the security of their products and services, while also reducing the time and cost of development.
