[Gartner]: DevSecOps vs. DevOps: What Is the Difference? - 发现报告


2025-01-23 Gartner 静***

Gartner Research

DevSecOps Maturity Model for Secure Software Development
29 August 2024 - ID G00816070 - 24 min read
By: Aaron Lord, Manjunath Bhat, Aaron Harrison
Initiatives: Software Engineering Technologies; Build a World-Class Software Engineering Organization; Security of Applications and Data

Software security is a top pain point for software engineering leaders who must balance developer experience and business goals. This research provides a five-dimension maturity model framework for securing software development and enables plotting a path toward secure by design.

Overview

Key Findings

■ Without an initial state and desired target, software engineering leaders and their teams can feel lost while trying to improve software security maturity.
■ Cybersecurity and software engineering teams often have competing priorities, impeding efforts for cross-organization collaboration to transition to DevSecOps.
■ Instilling a security-first mindset in software engineering teams is challenging because software engineers require coaching and resources to improve their own security capabilities.

Recommendations

■ Identify the initial maturity state for DevSecOps by evaluating the characteristics and scenarios in this maturity model as a comparative framework.
■ Foster collaboration between engineering and security teams by establishing a community of practice (CoP) that continuously aligns shared objectives toward improving DevSecOps maturity.
■ Empower software teams to achieve higher levels of DevSecOps maturity by establishing enabling teams to provide resources, coaching and mentoring.

Gartner, Inc. | G00816070

Introduction

Software engineering leaders are experiencing more pressure than at any time previously to improve the security of applications without disrupting flow or hindering innovation. The reality of improving security in software engineering is a multifaceted, multiyear program that requires cooperation from all sections of software engineering, cybersecurity, operations and architecture teams.

Security in DevOps (DevSecOps) is a top issue for software engineering leaders. According to the Gartner Software Engineering Survey for 2024, lack of application security skills is considered a pain point by close to two-thirds of software engineering leaders.[1] Mixed advice and an oversaturated security market containing overlapping capabilities ultimately lead to more confusion than clarity.

How can software engineering leadership provide consistently secure software while balancing stakeholder concerns and business goals? This DevSecOps Maturity Model will help guide software engineering leaders to plot a roadmap and determine which strategies must be employed to guarantee the success of adoption. This maturity model is broken down into five dimensions, each addressing a separate domain for DevSecOps:

1. Security skills and knowledge
2. Developer enablement
3. Secure design and threat assessment
4. Automated security practices
5. Software supply chain security

Analysis

Identify the Initial Maturity State and Desired Targets for DevSecOps

This maturity model is broken into five dimensions, each targeting a particular activity that software engineering leadership must improve upon to advance DevSecOps. In addition, each dimension has four maturity levels that build on the previous level. Each step forward in maturity must evolve software security practices in that dimension in a tangible, fundamental way. See Table 1 for a summary breakdown.

Table 1: DevSecOps Maturity Model (Enlarged table in Appendix)

Score the Organization’s Initial DevSecOps Maturity

The following sections go into the details of each dimension and what every maturity level entails. DevSecOps maturity is not wholly “Level 1” or “Level 2,” but is a mix that consists of different maturity levels in each dimension.

■ Level 1 (Initial)
■ Level 2 (Developing)
■ Level 3 (Managing)
■ Level 4 (Optimizing)

For every dimension, refer to the characteristics table and example scenarios as a comparison framework. Based on these characteristics, compare where the organization currently resides to score its initial maturity for each dimension. Keep in mind that this model is not prescribing a rigid methodology but a framework to inspire introspection.

Security Skills and Knowledge

Improving security skills and knowledge for software engineering improves security outcomes.[2] Not all security training is created equally, and there are strategies to pursue that make learning more engaging and produce higher levels of knowledge retention (see Table 2).

Security Skills and Knowledge Example Scenarios

■ Level 1 (Initial): When not given an official answer, software engineers who are lost or confused will search the internet for guidance on specific problems. That reduces their productive time and could lead to copy-and-pasted code. It is important for organizations to offer security training for software