There's been a lot of talk about 'Shift Left' in our practices, but often security issues come up late in the CI/CD process, or they stem from vulnerability scanners that lack context about the application in use. I'm exploring the concept of Continuous Exposure Management, which seems to be the logical next step for SecDevOps and SRE practices. This approach ensures security is integrated throughout the entire lifecycle—from code repositories to cloud configurations, deployed applications, and user identities. The focus is on continuously assessing risk rather than merely identifying flaws. For those with established SecDevOps pipelines, how do you handle and prioritize security findings from various tools like SAST, DAST, and CSPM? The aim is to create a holistic view of risk instead of just counting vulnerabilities.
2 Answers
I get where you're coming from, but honestly, managing exposure can feel like buzzword bingo sometimes. It looks good on paper, but in practice, are we just piling more tools without clear outcomes? I feel like the focus should really be on learning from incidents rather than just trying to prevent issues.
It sounds like you're thinking along the right lines! Basically, your process does reflect a solid approach. It starts at pushing code, then runs all sorts of tests and scans before the PR can be merged. That's exactly what’s needed to keep security in check. The emphasis should be on making sure every tool in the pipeline contributes to a unified view of risk. If you have different teams using different tools, integrating their findings into one dashboard can help a lot.
Totally agree! It’s all about making sure everyone’s on the same page. Those tools need to speak to each other to give a clearer picture.

Very true! It’s easy to get carried away with the latest trends. Understanding what worked or didn’t after an incident is priceless.
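As an added example (not code from this thread or from any particular scanner), the kind of normalisation the question asks about: constructed SAST, DAST and CSPM findings are mapped onto one record, tied to the asset they land on, and ranked by that asset's context rather than by raw severity count. The tool output shapes, the file/URL-to-asset maps, the context flags and the weights are all assumptions.

```python
"""Normalise SAST/DAST/CSPM findings into one record and rank by exposure."""
from collections import Counter
from dataclasses import dataclass

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    source: str    # sast | dast | cspm
    asset: str     # service or cloud resource the finding lands on
    title: str
    severity: str  # normalised to lower-case SEVERITY key


# Constructed samples in simplified, tool-specific shapes (assumed, not real output).
SAST_RAW = [{"rule": "sql-injection", "file": "billing/api.py", "level": "high"}]
DAST_RAW = [{"alert": "Reflected XSS", "url": "https://docs.internal/search", "risk": "Medium"}]
CSPM_RAW = [{"check": "bucket public-read", "resource": "s3://backup-archive", "severity": "CRITICAL"}]

# Constructed asset context: where code is deployed and what each asset touches.
FILE_TO_ASSET = {"billing/api.py": "billing-api"}
URL_TO_ASSET = {"https://docs.internal/search": "docs-portal"}
ASSET_CONTEXT = {
    "billing-api": {"internet_facing": True, "sensitive_data": True, "admin_identity": False},
    "docs-portal": {"internet_facing": False, "sensitive_data": False, "admin_identity": False},
    "s3://backup-archive": {"internet_facing": True, "sensitive_data": True, "admin_identity": False},
}


def normalise(sast, dast, cspm):
    """Collapse three tool formats into Finding records keyed by asset."""
    out = [Finding("sast", FILE_TO_ASSET.get(f["file"], f["file"]), f["rule"], f["level"].lower()) for f in sast]
    out += [Finding("dast", URL_TO_ASSET.get(d["url"], d["url"]), d["alert"], d["risk"].lower()) for d in dast]
    out += [Finding("cspm", c["resource"], c["check"], c["severity"].lower()) for c in cspm]
    return out


def exposure_score(f):
    """Severity weighted by asset context (assumed weights, not a standard)."""
    ctx = ASSET_CONTEXT.get(f.asset, {})
    score = SEVERITY[f.severity]
    if ctx.get("internet_facing"):
        score *= 2
    score += 2 * ctx.get("sensitive_data", False) + 2 * ctx.get("admin_identity", False)
    return score


def count_by_severity(findings):
    """The 'counting vulnerabilities' view: no context, just tallies."""
    return dict(Counter(f.severity for f in findings))


def ranked(findings):
    """The risk view: highest contextual exposure first."""
    return sorted(findings, key=exposure_score, reverse=True)
```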