Helping companies in establishing strong security foundations, increasing security coverage and reducing operational burden.
Foundations
Startups and other growing companies must often focus their resources into developing their core business and thus usually lack roles dedicated exclusively to security. Most of the times, those companies are aware of security risks but need specific direction that may be missing even after filling some security compliance or technical roles. However, they are in an ideal situation to set up efficient and scalable security foundations to avoid critical incidents, protect their customers and reasure investors.
With modern security practices and tooling, missing a dedicated security organization is not an impediment for having a strong security posture. If the company is able to put the right solutions in place, engineering teams will be able to leverage them to safely deliver secure products while maintaining autonomy during the development process.
Having those foundations in place will also allow a smaller security organization to have a larger impact in the future. Security roles will be able to use their expertise to improve the tools that are already embedded in the processes of the company instead of having to start from scratch in a company that has already grown without them.
I can help your company identify its main security risks and define processes and tools that integrate security into the engineering workflow in order to mitigate them. I am able to take part in both the governance and technical aspects of the implementation.
Beyond engineering, I can also advise your company in other aspects of corporate security.
DevSecOps
DevSecOps is the software engineering practice that merges security with DevOps.
To achieve agile development cycles, engineers must be self-sufficient in developing and operating software. This means that they should also have sufficient security resources, knowledge and responsibility to address most of their security needs independently.
Central security organizations are valuable in order for strong security resources, knowledge and responsibility to exist in the company. Under DevSecOps, it is their responsibility to create and maintain resources such as policies, guidelines, tools and managed services that engineering teams can leverage to take ownership of their own security without requiring significant effort or the same level of security expertise.
Entrusting software security to the same engineers that develop and operate the software ensures that vulnerabilities are resolved faster, incidents are handled effectively and software is developed by people who are actively engaged with security.
Implementing DevSecOps in its security processes, a company will increase the efficiency of its engineering teams and improve software and infrastructure security while reducing overhead in its security organization by decreasing time spent in security operations, communicating with engineering teams and establishing ownership.
DevSecOps practices can be implemented incrementally through gradual automation and sharing of responsibility between engineering teams and the security organization.
Using available open-source products and tools, DevSecOps can be successfully implemented on a limited budget. Investing in selecting the appropriate solutions and integrating them into existing workflows through small custom developments will save your company money due to low upfront costs and no recurrent subscription fees.
I can help your organization assess which processes can be tackled first and actually manage implementation of both the governance and technical aspects.