Starting with implementing a DevSecOps culture
In the previous section we already mentioned the NIST guide to secure containers. That guide starts with something non-technical: a mindset. The first advice NIST gives is ‘Tailor the organization’s operational culture and technical processes to support the new way of developing, running, and supporting applications made possible by containers.’
Why would we need to change the culture in the way we do IT? Because with cloud, cloud-native and containers the way of doing software development changes drastically. Developers and operations might be less concerned with traditional IT processes such as patching and upgrading systems. We want to integrate security in the builds of the applications, including the way applications utilize the underlying infrastructure without having to worry about the physical infrastructure or even the virtual machines. Let software take care of it, but then the software must be programmed, configured...