Larry Maccherone
DevSecOps Transformation

Raleigh, North Carolina, United States

Larry Maccherone is a thought leader on DevSecOps, Agile, and Analytics.

At Comcast, Larry launched and scaled the DevSecOps Transformation program over five years. In his DevSecOps Transformation role at Contrast, he's now looking to apply what he learned to guide organizations with a framework for safely empowering development teams to take ownership of the security of their products. Larry was a founding Director at Carnegie Mellon's CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA's Code Assessment Methodology Project which wrote the book on how to evaluate application security tools, and received the Department of Energy's Los Alamos National Labs Fellow award.

Larry firmly believes in learning by doing, so in his spare time he is the author of a dozen or so open source projects, one of which gets a million downloads per month.

Contact Larry on his LinkedIn page: https://LinkedIn.com/in/LarryMaccherone

Area of Expertise

  • Information & Communications Technology
  • Media & Information
  • Real Estate & Architecture

Topics

  • DevSecOps
  • DevOps
  • Agile
  • Cultural Transformation
  • Software Engineering
  • Application Security
  • Security
  • IT Security
  • web security
  • api security
  • Cloud App Security
  • Information Security

Transformation Blueprint for Developer-Centric Application Security

The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products and involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices. The cloud-native and DevOps movements similarly disrupted traditional IT Ops.

Now it's security's turn, but here's the rub.

NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in the list are unprioritized, target security specialists, and fail to specify adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.

You will come out of this workshop with a Transformation Blueprint for accomplishing the cultural shift to developer-centric application security at your organization. The approach is derived from the program that Larry has used to accomplish this shift for over 600 development teams. Since Larry is a developer, writing code every day, his program is perfectly suited to the way development teams really want to work, rather than how security folks assume they work.

The Impact of DevSecOps Quantified

What if I could tell you the three application security practices whose adoption would most lower risk? What if I could also quantify the impact that each practice would have on your outcomes? Imagine being able to focus your entire organization (and your limited budget) on these three things rather than have your efforts spread across dozens of practices. Imagine how different the conversation with engineering teams and budget approvers will be if you can present research that shows just how important these three things are compared to other things you could invest in.

This talk is a presentation of research that quantifies the impact that various DevSecOps software security practices have on security risk outcomes. We have data from 200 different teams in the technologically and process diverse environment inside Comcast. We've tracked this data over time as teams have adopted practices like secure coding training, threat modeling, pen testing, SAST/IAST/SCA tool usage, security code review, etc. We have then correlated outcomes like network vulnerability to not only determine which practices have the most impact but to quantify how much of an impact each has.

Patching considered harmful

The single most important thing to many cybersecurity groups is getting systems onto a patching schedule. However, one of the mantras of DevOps is "Cattle not pets" (and more recently, "Chicken not pets"). If a pet gets sick, you take it to the vet and get it "patched" up, but when a chicken is sick, the chicken farmer just disposes of it because there are already many more to take its place. Today, cloud-native applications are built to run on ephemeral infrastructure that is more like a flock of chickens than a pack of house pets, but the mindset of cybersecurity professionals hasn't caught up. They still have a device-centric view of the world. They still talk in terms of IP addresses and hosts rather than in terms that are more suited to cloud-native. What's needed is an app-centric view of the world, but how do you achieve that?

This talk is a discussion of a set of misconceptions, like the ongoing importance of patching, and how to adapt your cybersecurity to better align with cloud-native computing paradigms.

DevSecOps: Security at the Speed of DevOps

Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.

This talk includes guidance on the characteristics of security tools compatible with DevOps but it primarily focuses on the harder part... THE PEOPLE. This talk introduces the DevSecOps manifesto and provides you with a process model, based upon Agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.

Development Team Transformation

How do you actually get development teams to adopt new mindsets and behaviors?

There is more to it than this, but the basic approach is to:
- Leverage, rather than work against, developer psychology and development team sociology
- Hook into their desire for engineering excellence
- Define practices in terms that make sense to developers using a modern Agile/DevOps approach rather than security specialists who assume a more waterfall or "software factory" approach
- Focus on coaching and toolsmithing rather than gatekeeping, policing, or auditing
- Never overwhelm the development team by providing up-front a comprehensive list of gaps
- Rather, provide a shallow improvement ramp via incremental gap analysis where you shift into planning mode as soon as you uncover a few high-value improvement opportunities
- Get each individual development team on this improvement path
- Coach and gamify each team along it
- Create an environment of viral adoption

This talk is a walkthrough of the Transformation Blueprint framework that implements the above approach.

Godfather Security: How Security Can Make an Offer that Development Can't Refuse

There is the way development really functions and there is the way security believes development functions. In most organizations, the two don’t match.

Join Larry Maccherone for an enlightening guide - tried and tested with scaling security in 600 dev teams - that security can use to “make a deal” with engineering so the two functions align more closely. You will hear thoughts on what true Developer-First Security could look like; what practices and tools provide better risk reductions; how productivity doesn’t need to be hampered by security; and how security can be scaled in engineering terms.

I don’t always do APPSEC TESTING, but when I do, it’s IN PRODUCTION

That’s crazy talk! ...or is it?

One revolutionary technique that has shifted the paradigm of performance testing is doing performance testing in production using canary deployments. However, the benefits of using a similar approach for App and API security testing are even more significant. Doing so assures that your vulnerability resolution fixes are relevant to and effective in a real-world environment as opposed to a not-real pre-prod environment.

This avoids the shortcomings of traditional tools -- the inaccuracy and long scan times of SAST, poor coverage of DAST and IAST tools, lack of context in SCA, and ineffectiveness of WAF. It even aligns well with movements like DevOps, cloud-native, and shifting ownership of security left from the security team to engineering.

Join this discussion to learn what revolutionary techniques are necessary to safely pull this off.

Godfather Security: How Development Can Make an Offer that Security Can't Refuse

There is the way development really functions and there is the way security believes development functions. In most organizations, the two don’t match.

Join Larry Maccherone for an enlightening guide - tried and tested with scaling security in 600 dev teams - that engineering can use to “make a deal” with security so the two functions align more closely. You will hear thoughts on what true Developer-First Security could look like; what practices and tools provide better risk reductions; how productivity doesn’t need to be hampered by security; and how security can be scaled in engineering terms.