DevSecOps Manifesto

Manifesto for Agile Software Development

We uncover better ways of developing software by doing it and helping others do it. Through this work, we have come to value:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

While there is value in the items on the right, we value the items on the left more.

Manifesto for DevSecOps

Through Security as Code, we have and will learn that there is simply a better way for security practitioners like us to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.

By developing security as code, we will strive to create awesome products and services, provide insights directly to developers, and generally favor iteration over trying to always come up with the best answer before a deployment. We will operate like developers to make security and compliance available to be consumed as services. We will unlock and unblock new paths to help others see their ideas become a reality.

We won't simply rely on scanners and reports to make code better. We will attack products and services like an outsider to help you defend what you've created. We will learn the loopholes, look for weaknesses, and we will work with you to provide remediation actions instead of long lists of problems for you to solve on your own.

We will not wait for our organizations to fall victim to mistakes and attackers. We will not settle for finding what is already known; instead, we will look for anomalies yet to be detected. We will strive to be a better partner by valuing what you value:

Leaning in (being part of the solution) over Always Saying “No”

Data & Security Science over Fear, Uncertainty, and Doubt

Open Contribution & Collaboration over Security-Only Requirements

Consumable Security Services with APIs over Mandated Security Controls & Paperwork

Business-Driven Security Scores over Rubber Stamp Security

Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities

24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident

Shared Threat Intelligence over Keeping Info to Ourselves

Compliance Operations over Clipboards & Checklists