Larry Maccherone
DevSecOps Transformation
Raleigh, North Carolina, United States
Larry Maccherone is a thought leader on DevSecOps, Agile, and Analytics.
At Comcast, Larry launched and scaled the DevSecOps Transformation program over five years. In his DevSecOps Transformation role at Contrast, he's now looking to apply what he learned to guide organizations with a framework for safely empowering development teams to take ownership of the security of their products. Larry was a founding Director at Carnegie Mellon's CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA's Code Assessment Methodology Project which wrote the book on how to evaluate application security tools, and received the Department of Energy's Los Alamos National Labs Fellow award.
Larry firmly believes in learning by doing, so in his spare time he is the author of a dozen or so open source projects, one of which gets a million downloads per month.
Contact Larry on his LinkedIn page: https://LinkedIn.com/in/LarryMaccherone
Topics
Transformation Blueprint for Developer-Centric App and API Security
The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products and involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices. The cloud-native and DevOps movements similarly disrupted traditional IT Ops.
Now it's security's turn, but here's the rub.
NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in the list are unprioritized, target security specialists, and fail to specify adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.
You will come out of this workshop with a Transformation Blueprint for accomplishing the cultural shift to developer-centric application security at your organization. The approach is derived from the program that Larry has used to accomplish this shift for over 600 development teams. Since Larry is a developer, writing code every day, his program is perfectly suited to the way development teams really want to work, rather than how security folks assume they work.
The Impact of DevSecOps Quantified
What if I could tell you the three application security practices whose adoption would most lower risk? What if I could also quantify the impact that each practice would have on your outcomes? Imagine being able to focus your entire organization (and your limited budget) on these three things rather than have your efforts spread across dozens of practices. Imagine how different the conversation with engineering teams and budget approvers will be if you can present research that shows just how important these three things are compared to other things you could invest in.
This talk is a presentation of research that quantifies the impact that various DevSecOps software security practices have on security risk outcomes. We have data from 200 different teams in the technologically and process diverse environment inside Comcast. We've tracked this data over time as teams have adopted practices like secure coding training, threat modeling, pen testing, SAST/IAST/SCA tool usage, security code review, etc. We have then correlated outcomes like network vulnerability to not only determine which practices have the most impact but to quantify how much of an impact each has.
DevSecOps: Security at the Speed of DevOps
Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.
What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.
This talk includes guidance on the characteristics of security tools compatible with DevOps but it primarily focuses on the harder part... THE PEOPLE. This talk introduces the DevSecOps manifesto and provides you with a process model, based upon Agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
Development Team Transformation
How do you actually get development teams to adopt new mindsets and behaviors?
There is more to it than this, but the basic approach is to:
- Leverage, rather than work against, developer psychology and development team sociology
- Hook into their desire for engineering excellence
- Define practices in terms that make sense to developers using a modern Agile/DevOps approach rather than security specialists who assume a more waterfall or "software factory" approach
- Focus on coaching and toolsmithing rather than gatekeeping, policing, or auditing
- Never overwhelm the development team by providing up-front a comprehensive list of gaps
- Rather, provide a shallow improvement ramp via incremental gap analysis where you shift into planning mode as soon as you uncover a few high-value improvement opportunities
- Get each individual development team on this improvement path
- Coach and gamify each team along it
- Create an environment of viral adoption
This talk is a walkthrough of the Transformation Blueprint framework that implements the above approach.
I don’t always do App and API Security Testing, but when I do, it’s IN PRODUCTION
That’s crazy talk! ...or is it?
One revolutionary technique that has shifted the paradigm of load and performance testing is doing it in production using canary deployments and efficient agents. However, the benefits of using a similar approach for App and API security are even more significant. Doing so assures that your vulnerability resolution fixes are relevant to and effective in a real-world environment as opposed to a not-real pre-prod environment.
This avoids the shortcomings of traditional tools -- the inaccuracy and long scan times of SAST, poor coverage of DAST and IAST tools, lack of context in SCA, and ineffectiveness of WAF. It even aligns well with movements like DevOps, cloud-native, and shifting ownership of security left from the security team to engineering.
Join this discussion to learn what revolutionary techniques are necessary to safely pull this off.
Godfather Security: How Development Can Make an Offer that Security Can't Refuse
There is the way development really functions and there is the way security believes development functions. In most organizations, the two don’t match.
Join Larry Maccherone for an enlightening guide - tried and tested while scaling security across 600 dev teams - that engineering can use to “make a deal” with security so the two functions align more closely. You will hear thoughts on what true Developer-First Security could look like; which practices and tools provide better risk reduction; how productivity doesn’t need to be hampered by security; and how security can be scaled in engineering terms.
The Coming Earthquake in App and API Security
A shake-up has begun in App and API security, and you’ve probably felt it coming.
The ground upon which your existing security practices and defense philosophy are based is starting to crack, with these tectonic plates shifting underneath.
1. Shifting attack trends
OLD: Simple infrastructure and identity compromises
EMERGING: Sophisticated multi-faceted attacks, which increasingly include application and API layer vulnerabilities
2. Shifting risk measurement
OLD: Prioritizing risks purely based on vulns in development
EMERGING: Prioritizing based on level of threat, blast radius, and other production context
3. Shifting legal liability
OLD: Corporations protected by "reasonable and customary" box-checking
EMERGING: Both corporate AND EXECUTIVE liability without having to prove negligence for either vulnerabilities or bugs
Your current practices and defense philosophy were devised for a terrain map that is rapidly becoming outdated. What should they look like once the tremors subside?
Join App and API Security Pioneer Larry Maccherone in this thought-provoking discussion on how to earthquake-proof your business and career.