From an organizational point of view, a perimeter-based security model is easy to establish and maintain: a dedicated team is responsible for security controls. It is the team's duty to maintain the configuration, oversee the activities and take all required actions to operate the security devices.
With DevSecOps or Zero-Trust, such a model is difficult or impossible to maintain. Either there is no longer a classic perimeter, or delaying updates to security controls results in obstacles to the rollout of new product versions due to the speed of the project.
DevSecOps aims to integrate security into every stage of the software development lifecycle, package the software with security controls, and roll them out. Security no longer is an obstacle but a first-class citizen enabling quick but secure deployments.
While this sounds good in general, it also means that responsibilities must be handed over to the software developers as they must implement security controls early. This goes against the old adage that security must be handled by trained personnel only. However, there are undeniable advantages to involving the application developers in implementing security rules: they have in-depth knowledge about the application and easily understand the most problematic areas. Your existing, dedicated security team becomes the guardian of the overall level of security in accordance with compliance requirements. This dedicated team prescribes the guidelines and oversees what security controls are in place. Ideally, your operating platform automatically enforces adherence to these rules.
- With DevSecOps, two types of teams are required:
- A dedicated security team that is responsible for
- security controls.
- training of project team members.
- oversight of what security controls are in place.
- maintaining and implementing the newest security features of Airlock Microgateway.
- Trained project teams that can implement security controls to secure web applications into every stage of the development lifecycle.