DevSecOps and Secure Incident Response

A presentation at Pulumi Cloud Engineering Summit by Quintessence Anx

Let’s talk about security in an organization. Most commonly, security sits at or after the last phase of the software development life cycle (SDLC) and can make or break the decision to release into production. Unfortunately, waiting on such decisive feedback until after something has been built frequently results in needing to make changes after it’s been marked as ‘complete’, which is costly and inefficient. Instead, let’s learn from how we created shorter development cycles - instead of making Big Decisions at the very end, make smaller, iterative decisions throughout the entire journey that are easier to implement or reverse. One way to do that is by implementing DevSecOps, which adjusts the workflows of development, operations, and security so that security decisions are made on smaller scales at every phase of the SDLC. As with development and operations, even with preparation there can still be incidents - in this case, security incidents - so I’ll also be reviewing our 14 Step Secure Incident Response process, including the what and why of each step.


The following resources were mentioned during the presentation or are useful additional information.

  • STRIDE Threat Modeling Framework

    A framework to get started with threat modeling.

  • PagerDuty’s DevSecOps Guide

    PagerDuty’s DevSecOps Guide, which covers how to support DevSecOps.

  • Every Blunt End Is Someone Else’s Sharp End

    For a number of years an analogy has been used by many in the safety profession to illustrate the relationship between risk and power in organizations – the pointy stick.

  • PagerDuty’s Full Service Ownership Guide

    How to implement Full Service Ownership, or “own what you build”, and what that means.

  • Capture the Flag 101

    Basic types of Capture the Flag exercises and why they’re important.

  • PagerDuty’s Secure Incident Response Process

    Covers our generalized 14 step process for responding to security incidents.

  • PagerDuty Security Training

    Publicly available security trainings that we have done here at PagerDuty - both internally to all staff (“For Everyone”) as well as a specialized training for engineers.

  • OWASP’s DevSecOps Maturity Model (DSOMM)

    “The DevSecOps Maturity Model, which is presented in the talk, shows security measures which are applied when using DevOps strategies and how these can be prioritized. With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.”

  • Building Security In Maturity Model (BSIMM)

    “The BSIMM is designed to help you understand, measure, and plan a software security initiative. The BSIMM was created by observing and analyzing real-world data from leading software security initiatives.”

  • OWASP’s Software Assurance Maturity Model (SAMM)

    “Our mission is to provide an effective and measurable way for you to analyze and improve your secure development lifecycle. SAMM supports the complete software lifecycle and is technology and process agnostic. We built SAMM to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations.”

  • NIST’s Infrastructure Security Framework

    “The Framework offers a flexible way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions. It is applicable to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT). The Framework can assist organizations in addressing cybersecurity as it affects the privacy of customers, employees, and other parties. Additionally, the Framework’s outcomes serve as targets for workforce development and evolution activities”