From YouTube: 7. DevSecOps
Description
Interview with an IT Agility Director
Question: What is your perspective on the importance of DevSecOps?
A
With Duke Energy decided about a year into the DevOps program that we really had no choice but to turn the DevOps program into a DevSecOps program, and some of that was just, you know, the conditions change. I mean we, the security breaches became, or early threats, became a much larger and the way that we were doing security, or at least looking at it from security coding practices, it became obvious that it didn't really meet, you know, and didn't fit into the way that we were handling the rest of the DevOps program.
A
So one of the core tenets of DevOps is the shift left mentality, you know, where you want to be able to catch defects as far left, as early in the process, as you possibly can, because the cost of fixing a defect actually grows exponentially as you move from development to testing to deployment phases.
A
So the real objective is I want to find the defect as early as I can, because it's much cheaper to fix. So as you're going through, and you know finding all of your other D, adding automated testing, being able to find your other defects early. The process for Duke Energy for security was, you know, a couple weeks before you deployed, you would engage the cyber team and they would run a scan and tell you what your defects were.
A
That's very problematic and it's very much against the tenets of shift left. We were involved in one program, I know for sure that they had a very large deployment. They ran a scan two weeks before and they found such a large number of security breaches or security potential security breaches in their code.
A
There's no way they can fix it in two weeks, so they ended up having to go live with some of those, and actually fixing those would have been as risky as not fixing them, because you don't have time to run your full testing cycle back through. So that's when we partnered with the cyber team and said okay. Well, let's build, let's start to build these components into our tool chain, so you can find them early on, so every time a developer commits code.