While people often say you cannot fight what you can’t see, I say you cannot change what you are not aware of.
Last year, I spoke to a CTO who asked me about vulnerability assessment. I told him yes, it’s important to be aware of the vulnerabilities you have. Still, it shouldn’t make everyone put down their tools, and rush to fix every one of the vulnerabilities found.
Why? Ask yourself, what has changed? Has the risk changed? No, the risk in production was already set when you deployed it. What has changed is the awareness of the risks! I said I’d take this opportunity to incite a change in mindset.
See my blog about Top Strategy Targets The Hearts, but it suffices to say that top strategy changes minds, middle strategy reduces opportunities, bottom strategy removes the means.
I said we should take this opportunity to drive the likes of Immutable Infrastructure, Shifting Common Sense to the Left, Automated Cloud Governance. However, the journey starts with the awareness of maturity, and the DevSecOps Maturity Assessment is the first step!