The Human Side of DevSecOps
Transcript of The Human Side of DevSecOps
© 2016 VERACODE INC.
About Tim Jarrett
• @tojarrett
• Over 20 years in software development and management
• At Veracode since 2008
• Grammy award winner
• Bacon number of 3
This talk assumes automation.
DevOps: transformation or tragedy?
h/t @petecheslock, DevOpsDays Austin
Culture clash revisited
Credit: Gene Kim, IT Revolution
Why desiloing Security is hard
Source: Cory Scott, LinkedIn Director of Information Security, "Information Security Talent Pool Research", BlackHat CISO Summit 2015.
Consider the theory
[Diagram: Development → work products → Security; release velocity starved]
Theory of constraints for security in software development
• Identify
• Exploit
• Subordinate
• Elevate
• Repeat
Remove low-value work from the security team; shift upstream where possible.
Minimize changes requiring security review.
?
Enter Security Champions!
Security Champions to the rescue
• Pick the right people
• Start strong
• Empower, within limits
How to pick the right people
• Just developers
• Brand new
• (Too) Junior
• Already in a scrum role
Start strong
• Start with formal training in security fundamentals
• Reinforce with eLearning
• Use CTFs and other opportunities to learn in the wild
• Set guidelines for common activities
Empower, within limits
• Security grooming within guidelines
• Security review guidelines
• Know when, and how, to escalate
Measuring and managing
• Baseline security maturity
• Code review certifications
• Individual and team goals
Security champions: the conscience of development.
IMPROVE: 5 steps to achieving secure DevOps
Questions? Ask in the webinar or tweet to @tojarrett