Team Topologies for Security by Mario Platt & Manuel Pais
The ratio of developers to security is 1:100 or worse, according to multiple surveys. DevSecOps has raised the profile of security in IT but we still see a regular stream of serious data breaches exposing large security gaps in many organizations.
You might have heard a lot about shift left security, automated security testing in the delivery pipeline, container image scanning, and so on. These are all valuable techniques but… are we forgetting the power of collaboration, facilitation, and shared responsibilities?
By re-thinking our team structures and how they interact with security teams we can find effective, team-oriented ways to beat the negative effects of that 1:100 ratio. This is what we did with DevOps, right? The DevOps topologies catalog compared and contrasted different team organization models to enable sharing of knowledge and responsibilities between dev and ops.
We need to do the same for DevSecOps and in this talk I will present a few possible approaches to bridge this painful security gap. These are conversation starters and not an end in themselves. Let’s discuss the pros and cons, and in which contexts different approaches are suitable.