Shift Left/Application Security Story:
Download Page

Here you find the most recent update of the Shift Left/Application Security poster. It now comes in two flavors (see the picture below) in order to include different views on DevSecOps.

The purpose of having two slightly different Application Security posters is to provide food for thought when discussing and propagating Application Security, because there are many different angles from which to look at it.

  1. Take the version on the left if you don’t like DevSecOps:
    “Continuous Hardening” is seen here as the important driver for realizing Application Security. DevSecOps is only mentioned in relation to DevOps scenarios, so that it almost disappears from the story in favor of “Continuous Hardening”. This makes the Application Security story generic and more acceptable. It has a limiting effect on DevSecOps, hence the notion “Narrow DevSecOps” was coined to show this effect.
  2. Take the version on the right if you think that DevSecOps is important:
    “DevSecOps” is seen here as the driver for realizing Application Security. A DevSecOps-like mindset, collaboration and hardening are also very useful in other development scenarios, even in the most classical Waterfall approach, hence the term “Open DevSecOps” to show the difference.

Download the PDF version you find suitable and use it as a poster or email it to others who might find it interesting (Creative Commons BY-NC-ND 4.0 license).

Shift-Left, Security by Design and DevSecOps OR Continuous Hardening
The difference between the two versions is only slight, as shown above. It rests on treating “DevSecOps” and “Continuous Hardening” as equivalent: “Continuous Hardening” is the answer to the question “and how do we achieve the final purpose of DevSecOps?”, which is to build and run secure software.

“Continuous Hardening”
Version Download

“DevSecOps”
Version Download

The overarching theme of the poster is about identifying the most important elements which foster or inhibit the propagation of proactive security. It is not about specific security technologies but about what makes people and organizations tick when it comes to implementing Application Security.

It does not contain anything new that an experienced IT practitioner wouldn’t already know. It just depicts on one page the realities and circumstances that security and technology practitioners experience daily in the IT trenches.

Its value is to serve as a mental map of a complex topic. It contains the absolute minimum one should understand in this area at the highest level. It provides a common language and several perspectives to guide anyone who wants to understand and discuss the state of Application Security in organizations.

DevSecOps seems important for achieving this goal; however, it is not yet a broadly accepted notion and has many critics, which is the motivation for having an alternative version that opens up the discussion to other opinions on this topic.

Author: Roberto Di Paolo
2019/4/7, last update 2019/4/19, ©ACROSEC Inc., All Rights Reserved.