Inventorying assets and their business stakes makes it possible to define a risk-driven and pragmatic policy.
People
With proper awareness and training, employees and contractors can become the organization's first line of defense, instead of its weakest link.
Through a hands-on approach, ASF takes the team across three phases: aware, involved, then responsible.
Adaptive baselines
ASF baselines are designed as incremental security levels. Think of them as best-practices checklists.
The default profile is organized into foundation, intermediate and advanced levels, and described as agile stories.
Tooling and automation
ASF promotes the use of automation and tooling to delegate repetitive security checks and auditing tasks.
The default profile covers integration into CI/CD pipelines (SAST, DAST) as well as compliance as code.
Cyber resilience
ASF advocates the principle of resilience instead of over-hardening and multiplying security layers.
System and software architecture shall take cyber-resilience into consideration.
Removing low-value or fragile parts is a way to reduce complexity and to improve resilience.
Continuous testing, including chaos-monkey exercises and backup/restore checks, is necessary to measure the cyber-resilience level without waiting for real-life incidents.
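One of the checks mentioned above, a backup/restore drill, as an added example (this is not ASF's own tooling, and the framework does not prescribe any particular script). It assumes a POSIX shell with tar, find and sha256sum available; the sample tree, archive name and directory layout are constructed for the demonstration. The point it makes is that a backup only counts once it has been restored into a clean location and compared file by file against the source, which is why the drill also reports failure when the data has drifted since the archive was taken.

```shell
#!/bin/sh
# Added example: a restore drill that proves a backup is restorable,
# rather than merely present. Assumes tar, find and sha256sum (constructed
# paths and sample data; not part of ASF).
set -eu

# Digest every regular file under a root, relative to that root, in a
# stable order so two trees can be compared as plain text.
tree_digest() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
}

# make_backup <source_dir> <archive_path>
# Archives the source tree.
make_backup() {
  tar -C "$1" -cf "$2" .
}

# verify_restore <source_dir> <archive_path> <restore_dir>
# Restores the archive into an empty directory (never over live data) and
# compares per-file SHA-256 digests with the source. Returns 0 only when
# every file came back identical and at least one file was restored.
verify_restore() {
  src="$1"; archive="$2"; restore="$3"
  rm -rf "$restore"
  mkdir -p "$restore"
  tar -C "$restore" -xf "$archive"

  expected=$(tree_digest "$src")
  actual=$(tree_digest "$restore")

  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "restore drill PASSED: $(printf '%s\n' "$expected" | wc -l | tr -d ' ') files verified"
    return 0
  fi
  echo "restore drill FAILED: restored tree differs from source (or is empty)" >&2
  return 1
}

# Constructed sample data so the drill runs offline.
make_sample() {
  mkdir -p "$1/config"
  printf 'app_version=1.2.3\n' > "$1/config/app.env"
  printf 'hello\n' > "$1/notes.txt"
}

# Usage: sh restore_drill.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample "$tmp/live"
  make_backup "$tmp/live" "$tmp/backup.tar"
  verify_restore "$tmp/live" "$tmp/backup.tar" "$tmp/restore"
  rm -rf "$tmp"
fi
```

In a real pipeline the drill would run on a schedule against the actual backup artifact, and its pass/fail result is the metric worth putting on the shared dashboard: "last successful restore" is a far more honest resilience indicator than "last backup taken".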
Monitor and Learn
In order to measure progress on the SecDevOps journey, ASF focuses on implementing effective dashboards within developers' environments.
By sharing the same metrics and dashboards, developers and security teams leverage agile principles like transparency and shared business objectives.
Tools like Jira or GitHub Projects can be used to implement the baselines, monitor them and continuously improve them.