Synopsis
In the rapidly evolving landscape of software development, integrating security seamlessly into agile methodologies has become a critical challenge. This presentation, "The Agile Security Professional: Adapting to DevSecOps and SecDevOps in Modern Organizations," will explore innovative approaches to embedding security within agile teams, emphasizing the importance of both DevSecOps and SecDevOps frameworks.
We will begin with a high-level overview of DevSecOps, a methodology that integrates security practices into every phase of the software development lifecycle. DevSecOps emphasizes the collaboration between development, security, and operations teams, ensuring that security is a continuous, automated process. In contrast, SecDevOps refers to the role of security-focused DevOps engineers who possess a deep security background and utilize DevOps tools to build secure solutions from the ground up.
The talk will then delve into the evolving roles of security professionals, highlighting the need for both generalists and specialists within the modern agile framework. Each security professional functions as a generalist with a broad understanding of various security domains, while also specializing in specific areas such as Governance, Risk, and Compliance (GRC), application security, penetration testing, or security engineering.
To effectively integrate security into agile teams, we propose the concept of a 'primary' security contact for each agile squad or team. This individual acts as a security advisor and coach, serving as a generalist to provide guidance and promote best security practices. When faced with issues or delivery tasks that exceed their specialization, the primary security contact leverages their network within the broader security tribe to consult with specialists or bring in the necessary expertise. This model ensures that each agile team has direct access to security expertise while maintaining the agility and efficiency of the development process.
By adopting this approach, organizations can create a more adaptive and resilient security posture, addressing vulnerabilities proactively and fostering a culture of security awareness and collaboration. This presentation will provide practical insights and strategies for implementing these practices, drawing on real-world examples and industry best practices.
Attendees will leave with a comprehensive understanding of how to integrate security into agile methodologies effectively, ensuring that security is an enabler rather than an impediment to innovation and delivery.