reduce cost and risk.  Custom code is almost not custom these days. A developer incorporates open source frameworks, uses standardized design patterns, and orchestrates services that are already available from a vendor who doesn’t know your business and doesn’t have financial incentives to supportyou. Text “1” to @obvious if you like the first option, or “2” to @/dev/null if you prefer the second. Governance

of server names in one of the text boxes. Most of the time, there’s not enough room in the field! A hundred server names are supposed to fit in a sixty-four-character text box? What idiot built that form

asking consumer for follow-up action (phone call, return postcard, etc.) 1. Campaigns would modify text, layouts, packaging, etc. 2. Very expensive c. INTEGRATING A/B TESTING INTO OUR FEATURE TESTING

policies are expressed as code.” c. CREATE A SINGLE, SHARED SOURCE CODE REPOSITORY FOR OUR ENTIRE ORGANIZATION i. Firm-wide shared source code repository is powerful way to share local discoveries to transfer security knowledge to the teams E. INTEGRATE PREVENTIVE SECURITY CONTROLS INTO SHARED SOURCE CODE REPOSITORIES AND SHARED SERVICES i. Add mechanisms & tools ii. Add security’s pre-blessed Dependency Scanning – inventory the dependencies for vulnerabilities or malicious binaries 4. Source code integrity and code signing – all contributors should have their own key and sign all commits

track progress during a sprint. Figure 3: Example Burn Down Chart Program Backlog – Primary source of all requirements/desired functionality for the program Release Backlog – Subset of the program features the team considers relevant to building the product. The program backlog serves as the primary source for all program requirements and user stories, and the team must prioritize the contents to ensure Figure 12, the four sides of the IT Box identified in the IS-ICD include: Figure 12 IT Box (Source JCIDS Manual 19 Jan 12) As long as the program operates within these four sides of the IT Box,

f. Myth—DevOps is Just “Infrastructure as Code” or Automation: g. Myth—DevOps is Only for Open Source Software: 2. Foreword xix 3. Imagine a World Where Dev and Ops Become DevOps: a. THE CORE, CHRONIC Heroics: d. The Second Way: The Principles of Feedback 27 i. KEEP PUSHING QUALITY CLOSER TO THE SOURCE 1. In complex systems, adding more inspection steps and approval processes actually increases the

presenting https://www.csiac.org/podcast/dod-enterprise-devsecops-initiative/ DoD Centralized Container Source Code Repository (DCCSCR) https://dcar.dsop.io/ DSOP Group Workspace https://dccscr.dsop.io/dsopDCCSCR

Things, but Not When We Are Paid to Do Them  Example: AARP, Employer/Employee Relationships, Open Source Software  Observations: o “we live simultaneously in two different worlds – one where social norms

All streams of work were significantly behind schedule. Surprising discovery: only 50% of the source code in Dev/Test environments matched Prod. They fixed forward, but changes not put back into version

decisions in the normal course of work.  Let’s say that we are deciding between two different open source products for building a piece of the system and do not know enough of their impacts to make the