This paper is targeted at software developers and managers who are looking to introduce a DevSecOps process into an established Functional Safety software development process. It focuses on the initial steps needed to establish a baseline process: an initial risk assessment, an action plan, and a feedback loop. The goal is to start small but allow for incremental improvements guided by the risk plan.
Security has become a necessary aspect of software development. Regulations such as the EU Cyber Resilience Act (CRA) require nearly all commercial software to report on security risks. Developers familiar with safety regulations may not know how to integrate a security process into their software development process. This paper gives suggestions for how to begin a security process and lays the foundation for building on that process over time. The goal is not to do everything at once, but to start with meaningful activities that provide actionable insights for improving the security risk profile of the software.