Dear DevSecOps working group members,
Below you can find a short update on the call from last Thursday regarding
Pillar 6 - Measure, Monitor, Report and Action.
- The sub-group discussed the possibility of translating the DevSecOps documents.
  - Sam to discuss with Josh and decide which language a translation would best serve the DevSecOps community in.
- The timeline for the Pillar 6 document was discussed:
  - A first complete draft of the document to be finalized by end of 2022
  - Document to go out for peer review in January 2023
  - Document to be published before RSA 2023, in April 2023.
- Regarding Pillar 6 - Brainstorming document:
  - The purpose is to define the 3 KEY questions:
    - What should be measured (what are the metrics)
    - How should they be measured (what are the best practices, recommendations, etc.)
    - How should these metrics and defined KPIs be consumed?
  - Important to set as early as the Intro section WHAT exactly will be measured and WHAT the value of these metrics is.
  - Need to tie all 6 pillars together and make sure that the language used is similar and all the terms align
  - Examine things from the financial perspective also:
    - Demonstrate delivery against business case
    - Security Risk Mgmt
    - Detection & Response
    - Compliance metrics
    - Operational Performance for Security
- Action points:
  - All authors to read through and review existing DevOps papers in order to have a common language
  - Decide which categories and metrics to focus on and measure
  - The answers to the 'WHAT to measure' question also answer the 'WHY measure' question.
  - Sam to create a table in order to improve and organize the 'WHY' column, along with a 'Comment' column (@Sam Sehgal)
  - All other authors to add their comments in the respective place.
Next working group call:
Thursday, 30 June,
Core group call, 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 17:00 CET
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------