Speaker

Larry Maccherone

Founder, Transformation.dev

Raleigh, North Carolina, United States

Larry Maccherone is a DevSecOps/Shift-Left/Dev-centric Security and Development improvement pioneer.

At Comcast, Larry launched and scaled the DevSecOps Transformation program over five years by safely empowering 600 development teams to take ownership of the security of their products. Larry was a founding Director at Carnegie Mellon's CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA's Code Assessment Methodology Project, which wrote the book on evaluating application security tools and received the Department of Energy's Los Alamos National Labs Fellow award.

Larry firmly believes in learning by doing, so in his spare time he is the author of a dozen open source projects, one of which gets a million downloads per month.

Contact Larry on his LinkedIn page: https://LinkedIn.com/in/LarryMaccherone

Area of Expertise

  • Information & Communications Technology

Topics

  • DevSecOps
  • DevOps
  • Agile
  • Cultural Transformation
  • Software Engineering
  • Application Security
  • Security
  • IT Security
  • Information Security
  • API Security
  • Cloud Security
  • Shift-left Security

The Coming Earthquake in App and API Security

The seismic activity has begun in App and API security.

The ground upon which your defense strategy is based is starting to crack, with these tectonic plates shifting underneath:

1. More sophisticated multi-faceted attacks, increasingly using AI and targeting application and API layer vulnerabilities

2. Accelerating pace of development driven by AI and DevOps

3. Shifting to both corporate AND EXECUTIVE liability without having to prove negligence for either vulnerabilities or bugs

Your current practices and defense philosophy were devised for a terrain map that is rapidly becoming outdated.

Join App and API Security Pioneer Larry Maccherone in this thought-provoking discussion on how to earthquake-proof your business and career.

Transformation Blueprint for Developer-Centric App and API Security

The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products, a shift that involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices. The cloud-native and DevOps movements similarly disrupted traditional IT Ops.

Now it's security's turn, but here's the rub.

NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in the list are unprioritized, target security specialists, and fail to specify adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.

You will come out of this workshop with a Transformation Blueprint for accomplishing the cultural shift to developer-centric application security at your organization. The approach is derived from the program that Larry has used to accomplish this shift for over 600 development teams. Since Larry is a developer, writing code every day, his program is perfectly suited to the way development teams really want to work, rather than how security folks assume they work.

BSidesSLC 2025 Sessionize Event Upcoming

April 2025 Sandy, Utah, United States

2025 Palmetto Cyber Conference Sessionize Event

March 2025 Columbia, South Carolina, United States

The 4th Annual North Carolina Cybersecurity Symposium Sessionize Event

February 2025 Raleigh, North Carolina, United States
