People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
---|---|---|---|---|---|---|---|---|---|
Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
DevOps team | Local tests | Libraries | Secrets mgmt | Unit tests | Webservers | USB dongle | | Payment gateways | |
| | Git repos | Package Managers | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
| | Proprietary code | | Security tests | Web engines | | | Analytics | |
| | Open source | | API test frameworks | Databases | | | | |

People
These are the individuals or teams of people that are needed to write, build and deploy software.

- Software engineers
- QA engineers
- Individual engineers

- How do we help our software engineers see security as a "skill" rather than a burden?
- What security controls can we suggest that don't slow down devs?
- Security awareness training needs to be ongoing, not once a year
- Help devs understand that finding security issues early saves them significant time later

- Secure code training
- Security champion mentoring
- Peer code review
- Threat modeling