3 Comments
John R Goguen:

At what point in the process of finding a vulnerability and passing to the DevOps team to help patch and remediate, do you see room for improvement?

Resilient:

A great way to improve is to bypass "passing" altogether! Many tools and processes can now be set up so that the DevOps or engineering teams get results directly. This can happen in a number of ways:

* Direct access to the tooling, so they can run their own tests

* Scheduled, repeatable tests which give results directly to the team

* APIs or services that teams can invoke to get tests or results, including as part of a CI/CD pipeline

John R Goguen:

That's great advice; I definitely agree. It's important to bridge the gap between dev teams and security so both sides are on the same page and moving left together. Inserting scans into the software development lifecycle and providing visibility can help significantly. Do you have any advice on what's worked, what doesn't work well, or just tips and tricks for people implementing this process now?
