Senior Director, DevSecOps Engineering
Larry Maccherone is a thought leader on DevSecOps, Agile, and Analytics. At Comcast, Larry built and scaled to 600 development teams the Dev(Sec)Ops Transformation program over five years. In his Dev(Sec)Ops Transformation role at Contrast, he’s now looking to apply what he learned to guide organisations with a framework for safely empowering development teams to take ownership of the security of their products.
Larry writes code every day. He is the primary author of a dozen open source projects… one of which gets 1M downloads per month. He believes that if you are going to give advice to developers and development teams you can’t just have done it at some point in your career. You have to be doing it now. He’s not just talking the talk. He’s also walking the walk when it comes to developer-first security.
Title: A Developer’s Guide to “Making a Deal” with Security
There is the way development teams really function and there is the way security believes development teams function. In most organizations, the two don’t match.
This is a guide that engineering can use to “make a deal” with security so they more closely align. It does so by answering these questions:
What are the basic software engineering prerequisites (aka, DevOps basics) for effectively doing true Shift-Left Developer-First Security, aka Dev(Sec)Ops?
How can you help security get it right so the practices and tools they are trying to get you to adopt are suited to the way developers want to work while providing better cyber risk reduction?
What is the criteria for a good tool? Hint: low false positives and rapid feedback, but:
- Why are low false positives and rapid feedback the most critical?
- How rapid is good enough?
- What level of false positives should be considered low? , and most importantly,
- How do you “make a deal” with security to provide you with these kinds of practices and tools?