2. LinkedIn.com/in/LarryMaccherone
"Only 21% of [companies] believe that their organization's present culture and practices support collaboration across development, operations and security."
~ Freeform Dynamics (IT industry analyst)
6. Dev[Sec]Ops Results
• Dramatically faster time to market, happier customers, more revenue
• 5x lower rate of failures caused by changes¹
• 96x faster recovery from downtime failures¹
It’s scary to QA and Security, but “moving fast and breaking things” leads to dramatically lower rates of customer-experienced defects and vulnerabilities.
¹ Puppet’s 2017 State of DevOps Report
18. DevSecOps Manifesto / Comcast SDL Guiding Principles
Build security in more than bolt it on
Rely on empowered engineering teams more than security specialists
Implement features securely more than security features
Rely on continuous learning more than end-of-phase gates
Build on culture change more than policy enforcement
19. We, the Security Team…
Recognize that Engineering Teams…
• Want to do the right thing
• Are closer to the business context and will make smart trade-off decisions between security and other risks
• Want information and assistance so they can improve our security posture
Pledge to…
• Lower the cost/effort side of any investment in developer security tools or practices
• Assist 2x as much with preventative initiatives as we beg for your assistance reacting to security incidents
Understand that…
• We are no longer gatekeepers but rather tool-smiths and advisors
26. Many DevSecOps tools are just DevOps lipstick on a traditional tool pig
DevSecOps tools talk: Tomorrow 12:30-1pm, Woodrow Wilson A
27. What’s next?
• DevSecOps tools talk tomorrow, 12:30-1pm, Woodrow Wilson A
• Read about the Trust Algorithm: https://www.devsecopsdays.com/articles/trust-algorithm-applied-to-devsecops
• Connect with me: LinkedIn.com/in/LarryMaccherone
• Rate the talk in your app
• Questions?
Editor's Notes
Add a step to the threat modeling row for how well they are doing it.
Risk driven.
We need a way to tie into the org leadership to get their input on what they want to do next. This visualization is fine, but we need an engagement model for execs and other management layers.