
DevSecOps – The Broken or Blurred Lines of Defense

A classic model for risk management and control is the “Three Lines of Defense” (3LoD).

The three lines are as follows:

Line 1: Risk Owners – Front-line staff and operational management
Line 2: Risk Oversight – Risk management and compliance functions
Line 3: Risk Assurance – Internal audit

However, with the advent of modern sociotechnical systems and practices such as Agile delivery, cloud-native platforms, and event-driven architectures, these legacy lines (3LoD) are at best blurred and at worst completely broken. Under the patterns and practices of DevOps and DevSecOps it is no longer clear who the front-line risk owners are: the developer who writes the code, the team that owns the pipeline, or the operator of the platform it runs on. Risk management and organizational compliance teams struggle to adapt to cloud-native models such as ephemeral containers, microservices, and serverless, where the asset they are expected to assess may exist for seconds and has no fixed hostname or IP address to inventory. Most organizations’ internal audit processes today are highly toil-based and have low efficacy: they sample point-in-time evidence from systems that change continuously. This is something I have called in previous presentations “Security and Compliance Theater.”

Source: JFrog
