Team

This was a small team of about 10 developers, a technical tester, a quality assurance person and a Security Champion.

The team follows Scrum methods during the development lifecycle, with a sprint period of 3 weeks.

The deployment is done with the GitOps workflow, for a smooth and fast deployment to every environment.

Security Champion

My role in this project has been Security Champion. When the project started, that terminology was not established. So during the project lifespan I’ve come to define that role into what it is known as today.

The definition I’ve landed on is that a Security Champion shall introduce security tools and best practices and educate the rest of the team members so that a security culture is established. When a security culture is established, the team is then enabled to define and execute secure practices on their own.

The establishment of a security culture consists of:

  • Education in secure practices, such as OWASP ASVS, CSVS etc.
  • Introduction of security tools, such as vulnerability scanning, security dashboards and other tools to present security vulnerabilities and prevent them from traversing into production.
  • Enable the team to make their own decisions regarding vulnerabilities and security.
  • Inform about the political security landscape, talk about recent security breaches around the world.
  • “Shift-left” on security: it is the team's responsibility to execute and implement secure execution paths and environments, and they must have a fast feedback loop regarding security. What is allowed to run in every environment, and how to configure for that environment.

My Contribution

My contribution to this project has been to define the Secure Development Lifecycle (SDL), and introduce security tools into the CI/CD pipeline.

I’ve created a Security Dashboard to ease the transition into secure thinking and practices.

I’ve established and contributed to the GitOps way of deployment, and in this regard everything is automated. No manual intervention is preferred. Infrastructure as Code (IaC) is a keyword here.

I’ve contributed to establishing a security-oriented culture, where each team member takes responsibility for security and secure practices without any intervention.

I’ve contributed to establishing secure and quality-oriented pipelines, which are established to serve and enable the developers to work in the most fluent manner.

I’ve coached and trained the team in new tools and secure methodology, so that each member is better suited to execute secure practices beyond my own capabilities.

The platform

This solution is running on Kubernetes, with micro-architecture defined for each service. Communication between each service is done with Microsoft ServiceBus, and data is persisted to Microsoft SQL Server.

The endpoint is OpenAPI-defined and accessible outside the cluster.