| People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
|---|---|---|---|---|---|---|---|---|---|
| Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
| QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
| DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | Payment gateways | ||
| Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | Identity Providers | ||
| Page Builders | Packages | Security tests | Web engines | Analytics | |||||
| Open source | API test frameworks | Databases | Proxies | ||||||
| Proprietary Code | Unit tests | ||||||||
| People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
These are the individuals or teams of people that are needed to write, build and deploy software.
- Software engineers
- QA engineers
- DevOps team
- Package maintainers
- Individual engineers
- How do we help our software engineers see security as a "skill" not a burden?
- Package maintainers are a high profile targets.
- What security controls can we suggest that don't slow down devs?
- Security awareness training needs to be ongoing, not once a year
- Help devs understand that finding security issues early saves them significant time later
- Secure Code Training
- Security chanpion mentoring
- Peer code review
- Threat modeling