"The Other SaaS: Security as a Service" -- J. Paul Reed (@soberbuildeng) #readingToday
Virtue has even turned the concept of security itself into a "product" for which, as CISO, he is the product manager. Everything from vulnerability scanning and penetration testing to audit compliance is now tracked via the Agile sprint process. Signoffs, previously left for the end of the release, have been incorporated into the organization's Agile definition of "done," and so must be obtained to clear the sprint. "I'm delivering secure applications and I'm delivering a successful audit; so it's easier to interact with the other teams if we model it in the way they're already working," Virtue said.

Virtue said the shift in how Texas.gov addresses its security needs has resulted in faster response times for addressing security issues: "In many cases, we're catching issues before they get released, because we're embedded in the development process." As an example, developers will discuss new technologies they want to use, such as NoSQL. Security team members then add a story to the sprint to research the current state-of-the-art security practices for those technologies and provide strategies to protect Texas.gov's systems and citizens' assets.
J. Paul Reed - DevOps in Practice