While DevOps is forging boldly into the future, security is still trailing behind in many organizations. So, it’s important that we understand how to apply notions of (traditionally static) security into environments that are built to foster continuous development. I, for one, would like to raise the torch to the fledgling category of DevSecOps and learn how it is successfully implemented by industry leaders. In the first of a series of interviews with DevSecOps community leaders, I chat with DJ Schleen, DevSecOps Advocate at Sonatype.
Helen: I think that the market is light on shared DevSecOps reference architectures to help the community learn and grow. Do you agree and what can we do about it?
DJ: There are a lot of missing pieces out there, and I think it’s because nobody really knows where to go with it. If you do a search for DevSecOps reference architectures, you’re going to see that infinity logo with a bunch of locks around it, which doesn’t really tell you much. I’ve created this one, but the community does need to share. I think it’s because people don’t really know which community they’re a part of; are they part of Secure DevOps, SecDevOps, OpsSecDev? I think there’s confusion. So you might see some security reference architectures, but I don’t know if they’re really taking into consideration flow across the whole technology value stream.