The Human Side of DevSecOps

• @tojarrett• Over 20 years in

software development and management

• At Veracode since 2008• Grammy award winner• Bacon number of 3

About Tim Jarrett

This talk assumes automation.

DevOps: transformation or tragedy?

h/t @petecheslock, DevOpsDays Austin

Culture clash revisited

Credit: Gene Kim, IT Revolution

Why desiloing Security is hard

Source• Cory Scott, LinkedIn Director Information Security, Information

Security Talent Pool Research, BlackHat CISO Summit 2015.

Consider the theory

Development work products Security

Release velocity starved

Theory of constraints for security in software development

Identify

Exploit

SubordinateElevate

RepeatRemove low value work from security team, shift upstream where possible

Minimize changes requiring security review

Enter Security Champions!Security Champions to the rescue

Pick the right people Start strong Empower,

within limits

How to pick the right people

• Just developers• Brand new• (Too) Junior• Already in a scrum role

Start strong

• Start with formal training in security fundamentals

• Reinforce with eLearning• Use CTFs and other

opportunities to learn in the wild

• Set guidelines for common activities

Empower, within limits

• Security grooming within guidelines

• Security review guidelines• Know when, and how, to

escalate

Measuring and managing

• Baseline security maturity• Code review certifications• Individual and team goals

Security champions: the conscience of development.

IMPROVE

5 steps to achieving

secure DevOps

Questions?Ask in the webinar or

tweet to @tojarrett

The Human Side of DevSecOps

Software

Transcript of The Human Side of DevSecOps

DEVSECOPS: Coding DevSecOps journey

DoD Enterprise DevSecOps Fundamentals · 2021. 6. 11. · DevSecOps, including normalized definitions of DevSecOps concepts. Other pertinent information is captured in corresponding

DevSecOps Best Practices and Considerations

DevSecOps of Containerization

The Human Side of Investing or The Difference Between ...info.hsbcprivatebank.com/...Human-Side-of-Investing... · The Human Side of Investing or The Difference Between Theory and

DoD Enterprise DevSecOps Fundamentals - AF

DevSecOps: Why security is essential · DevSecOps doesn’t happen all at once for most organizations; it is a journey. Although the DevSecOps journey is enabled by technology, the

What is DevSecOps? Pipelines...What is DevSecOps? DevSecOps is a methodology in which security is integrated into the entire life cycle of application development. Rather than being

DoD Enterprise DevSecOps Community of Practice · 2021. 6. 29. · ECMA and Army Software Factory's DevSecOps ... Project Ridgway are users of the DevSecOps ecosystem. 7. ... Continuous

DevSecOps Overview - NYS Forum Home · 11/14/2018 · DevSecOps Overview November 14, 2018 ... 3 Benefits of DevSecOps 4 How to Implement DevSecOps 5 Summary / Questions. Security

Human side nze 042613

DevSecOps SG Introduction - August Meetup

DevSecOps in 10 minutes

DevSecOps - The big picture

Enterprise Cloud Security via DevSecOps

DISA DevSecOps Enterprise Strategy · Web view2021/07/30 · A DevSecOps New World This document focuses on the DISA Enterprise DevSecOps Strategy to secure the Department of Defense

DevSecOps Journey - CSO50 Conference · DevSecOps Journey 2/28/2018. 3/3/2018 Confidential –Internal Distribution 2 Agenda • DevSecOps @ Fannie Mae o The Challenges and The Promises

Humanising DevSecOps

DevSecOps – Agility with Security...4 DevSecOps – Agility with Security In summary, DevSecOps aims to be a movement that extends all of the organisational benefits achieved through

DevSecOps Singapore introduction