The Human Side of DevSecOps

© 2016 VERACODE INC.

Transcript of The Human Side of DevSecOps

Page 1: The Human Side of DevSecOps


The Human Side of DevSecOps

Page 2: The Human Side of DevSecOps


About Tim Jarrett

• @tojarrett
• Over 20 years in software development and management
• At Veracode since 2008
• Grammy award winner
• Bacon number of 3

Page 3: The Human Side of DevSecOps

This talk assumes automation.

Page 4: The Human Side of DevSecOps


DevOps: transformation or tragedy?

Page 5: The Human Side of DevSecOps

h/t @petecheslock, DevOpsDays Austin

Page 6: The Human Side of DevSecOps


Culture clash revisited

Page 7: The Human Side of DevSecOps

Credit: Gene Kim, IT Revolution

Page 9: The Human Side of DevSecOps


Consider the theory

Page 10: The Human Side of DevSecOps


Consider the theory

Diagram: development work products flow into security; release velocity starved.

Page 11: The Human Side of DevSecOps


Theory of constraints for security in software development

• Identify
• Exploit
• Subordinate
• Elevate
• Repeat

Remove low-value work from the security team; shift upstream where possible

Minimize changes requiring security review

?

Page 12: The Human Side of DevSecOps

Enter Security Champions!

Security Champions to the rescue

Page 13: The Human Side of DevSecOps

• Pick the right people
• Start strong
• Empower, within limits

Page 14: The Human Side of DevSecOps


How to pick the right people

• Just developers
• Brand new
• (Too) Junior
• Already in a scrum role

Page 15: The Human Side of DevSecOps


Start strong

• Start with formal training in security fundamentals
• Reinforce with eLearning
• Use CTFs and other opportunities to learn in the wild
• Set guidelines for common activities

Page 16: The Human Side of DevSecOps


Empower, within limits

• Security grooming within guidelines
• Security review guidelines
• Know when, and how, to escalate

Page 17: The Human Side of DevSecOps

Page 18: The Human Side of DevSecOps


Measuring and managing

• Baseline security maturity
• Code review certifications
• Individual and team goals

Page 19: The Human Side of DevSecOps


Security champions: the conscience of development.

Page 20: The Human Side of DevSecOps

IMPROVE

Page 21: The Human Side of DevSecOps

5 steps to achieving secure DevOps

Page 22: The Human Side of DevSecOps


Questions? Ask in the webinar or tweet to @tojarrett