"Tools & Techniques from building a DevSecOps culture at Mozilla"
For the past decade, security teams at Mozilla have sharpened their tools and improved their techniques to mature the security culture of the organization, and dramatically reduce vulnerabilities and risks. In this talk, Julien shows how Mozilla approaches DevSecOps and shares lessons learned from that journey.
Speaker:
Julien Vehent, Firefox Operations Security
Talk language: English
About the Speaker:
Julien Vehent is a French computer security engineer who leads the Firefox Operations Security team at Mozilla. He specializes in web application security, cloud infrastructure, cryptography and risk management. He is the author of "Securing DevOps", published by Manning in 2018.
13. Centralized vs. Distributed
[Two org charts, each with the boxes C-Suite, CISO, Eng. grp A (Ops A, Dev A, Sec A) and Eng. grp B (Ops B, Dev B, Sec B): one showing a centralized security org, the other a distributed one.]
Centralized security orgs are often too far from devs & ops to be impactful. Distributed security orgs have better impact but worse strategy & coordination.
14. Embedding
[Org chart with the boxes C-Suite, CISO, Eng. grp A (Ops A, Dev A, Sec A) and Eng. grp B (Ops B, Dev B, Sec B), showing security engineers embedded in the engineering groups.]
The hybrid embedded model distributes engineers from a central security org into dev & ops teams. Managers of those teams have direct influence over the work of the embedded engineers, but security strategy & coordination is centralized.
15. Embedding works both ways: Security Champions
[Org chart with the boxes C-Suite, CISO, Eng. grp A (Ops A, Dev A, Sec A) and Eng. grp B (Ops B, Dev B, Sec B), showing champions from the dev & ops teams linked to the security org.]
Champions are engineers from dev & ops teams who are treated like security team members and have direct access to all the resources of the security org.