Adopting the SDL may be the next step in an existing development security journey, or it may be the start of a new one for securing development practices.
Implementing the 10 security practices of the SDL is a journey of continuous improvement, so the most important thing is to get started somewhere and keep improving as you go.
This continuous journey encompasses changes to culture, strategy, processes, and technical controls as you integrate security knowledge and practices into DevOps processes.
Culture and Strategy
Successful workloads must do what they are supposed to do, be reliable and available when needed, and must not allow unauthorized people to abuse them or the data they use.
Security teams must partner with development and operations teams; all three must value these outcomes and work together to deliver them.
Security Practices and Controls
Implementing technical controls is where security becomes real: attacks get blocked, detected, and remediated.
The 10 practices should be applied across all development activities and prioritized to rapidly reduce business risk while having the least impact on business operations.
Processes
Processes integrate culture and technical controls into people’s daily work to make it real and sustain outcomes over time. DevSecOps processes must be:
- Comprehensive – apply security across the full lifecycle of development
- Continuously applied and improved – to improve workload security, people’s knowledge and skills, and the process of development itself
- Pragmatic – blending the best of ‘waterfall’ development and iterative continuous improvement, including defining a minimum viable product (MVP) that meets the most important development, operations, and security requirements.
As you get started on your SDL journey, keep in mind that:
- Integration is critical – Security practices and tools should be seamlessly integrated into your existing development goals, metrics, processes, and tooling.
- Shift Left – Focus on catching security issues early in the process while it is cheap and easy to do so (during design, during coding sessions, etc.) rather than late in the process where changes are difficult and expensive.
- Continuous incremental improvement – because there is no wrong place to start with security and the job will never be ‘done’, establish a north star of the ideal end state, get started somewhere, make incremental progress continuously, and keep reprioritizing based on what you learn along the way (about attackers, your processes, business priorities, and more).
- Accelerate using Microsoft learnings and resources – Microsoft has published guidance based on its own learnings and practices to help you build the strategy, culture, and technical controls for a continuous SDL approach to DevSecOps.
For information on a Microsoft Unified engagement to help with planning this journey, see the Infrastructure and Development Security Datasheet.