The combined "value stream"
The value stream in creating software is the end-to-end process: from choosing which features to build, right through to the value created when a customer first clicks, buys or subscribes as a result of that choice. Along the stream, silos are slowly breaking down: testers and developers are morphing into developers-in-test, operations and developers are becoming DevOps, and product owners are, well, starting to disappear as more responsibility is handed directly to teams. The focus is on building combined, goal-oriented teams rather than people concerned with a single stage of the process. So how does security factor in?
Security teams as part of the process
Security teams typically invest in post-deployment tools. We have static analysis for application source code, but what about Puppet, Chef and Salt? The code DevOps teams deploy contains all of our network configuration, passwords, application servers and databases. Where is our static code analysis for this?
Gauntlt is a step in the right direction
Gauntlt is starting to put the development back into security. It wraps a collection of penetration testing tools, e.g. sqlmap and sslyze, so that the current pentesting tool suite can be driven from code. I'm wondering if we need to build something that will analyze server config before it ever gets deployed.
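To make the "static analysis for deployment code" idea concrete, here is an added example (not code from the original post, and not part of Gauntlt or any of the tools named above): a small pre-deployment scanner for a Puppet-style manifest. The manifest it scans is constructed for illustration, and the rule set is an assumption about what a reviewer would want caught first: a plaintext secret in a resource, a firewall rule that accepts any source address, a world-writable file mode, and SSH root login switched on. The same line-oriented approach would apply to Chef recipes or Salt states with different regexes.

```python
"""Pre-deployment static checks for infrastructure-as-code manifests.

Constructed example: a line-oriented scanner for Puppet-style manifests that
reports problems before `puppet apply` ever runs. Rules and the sample
manifest are illustrative, not a real tool's rule set.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


# Keys whose quoted literal value is almost certainly a secret that belongs in
# Hiera/eyaml, a vault, or a Sensitive() wrapper rather than in the manifest.
SECRET_KEY = re.compile(
    r"\b(\w*(password|passwd|secret|api_key|token)\w*)\s*(=>|=|:)\s*(['\"])(.+?)\4",
    re.IGNORECASE,
)
# Accept-anything source addresses in firewall resources.
OPEN_SOURCE = re.compile(r"\bsource\s*=>\s*['\"](0\.0\.0\.0/0|::/0)['\"]")
# Octal mode whose 'other' digit has the write bit set (2, 3, 6 or 7).
WORLD_WRITABLE = re.compile(r"\bmode\s*=>\s*['\"]?0?[0-7]{2}[2367]['\"]?")
# Start of a Puppet resource: `type { 'title':`
RESOURCE_HEAD = re.compile(r"^\s*(\w+)\s*\{\s*['\"]([^'\"]+)['\"]\s*:")
VALUE_YES = re.compile(r"\bvalue\s*=>\s*['\"]yes['\"]", re.IGNORECASE)


def scan_manifest(text: str) -> list[Finding]:
    """Return one Finding per violated rule, in manifest order."""
    findings: list[Finding] = []
    resource = None  # (type, title) of the resource whose body we are inside
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments (illustrative)
        head = RESOURCE_HEAD.match(line)
        if head:
            resource = (head.group(1), head.group(2))
        if m := SECRET_KEY.search(line):
            findings.append(Finding(n, "PLAINTEXT_SECRET",
                                    f"{m.group(1)} is a quoted literal"))
        if OPEN_SOURCE.search(line):
            findings.append(Finding(n, "OPEN_INGRESS", "source allows any address"))
        if m := WORLD_WRITABLE.search(line):
            findings.append(Finding(n, "WORLD_WRITABLE", m.group(0)))
        if (resource == ("sshd_config", "PermitRootLogin")
                and VALUE_YES.search(line)):
            findings.append(Finding(n, "ROOT_SSH_LOGIN", "PermitRootLogin yes"))
        if line.strip() == "}":
            resource = None
    return findings


def deploy_allowed(text: str) -> bool:
    """CI gate: block the deployment if any finding exists."""
    return not scan_manifest(text)


# Constructed sample manifest: each of the first four resources has one
# problem; the last shows the safe pattern (secret looked up, not inlined).
SAMPLE_MANIFEST = """\
# constructed sample manifest
class { 'postgresql::server':
  postgres_password => 'Sup3rSecret!',
}
firewall { '100 allow all':
  proto  => 'tcp',
  source => '0.0.0.0/0',
  action => 'accept',
}
file { '/etc/app/config.yml':
  ensure => file,
  mode   => '0777',
}
sshd_config { 'PermitRootLogin':
  ensure => present,
  value  => 'yes',
}
class { 'app::db':
  password => lookup('app::db_password'),
}
"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print("deploy allowed:", deploy_allowed(SAMPLE_MANIFEST))
```

Run against the sample it reports four findings (lines 3, 7, 12 and 16) and refuses the deployment, while the Hiera `lookup(...)` on the last resource is not flagged because the value is not a quoted literal. In a pipeline, `deploy_allowed` would sit as a gate before the configuration management tool is invoked, which is the pre-deployment check the paragraph above asks for.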