J. Morales, Thomas P. Scanlon, A. Volkmann, Joseph Yankel, Hasan Yasar
Title: Security impacts of sub-optimal DevSecOps implementations in a highly regulated environment
DOI: 10.1145/3407023.3409186 (https://doi.org/10.1145/3407023.3409186)
Published in: Proceedings of the 15th International Conference on Availability, Reliability and Security
Publication date: 2020-08-25
Citations: 6
Record source: Semantic Scholar
Abstract
This work presents lessons learned from a multi-year support effort on a large and well-funded software development project. The focus is on the security impacts on the DevSecOps culture, process, and pipeline. These impacts stem from faulty implementations of the requirements for achieving a full DevSecOps environment. The faulty implementations resulted in a lax security posture that facilitated potential compromise in many areas of the software development environment. We discuss each of the faulty implementations in detail and provide recommendations for avoiding them in future engagements. The main lesson learned was that the organization's inability to strictly adhere to DevSecOps principles resulted in a dysfunctional software development environment and a reduced security posture.