Larry Maccherone

Senior Director, DevSecOps Engineering
Contrast Security

Larry Maccherone is a thought leader on DevSecOps, Agile, and Analytics. At Comcast, Larry built and scaled the DevSecOps Transformation program over five years. In his DevSecOps Transformation role at Contrast, he’s now looking to apply what he learned to guide organisations with a framework for safely empowering development teams to take ownership of the security of their products. Larry was a founding Director at Carnegie Mellon’s CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA’s Code Assessment Methodology Project, which wrote the book on how to evaluate application security tools, and received the Department of Energy’s Los Alamos National Labs Fellow award.

Lessons Learned by Leading Comcast’s Dev[Sec]Ops Transformation

I launched and led the Dev[Sec]Ops transformation program in the highly diverse development environment at Comcast. We started small but eventually scaled to all 600 development teams. Along the way, we needed to discover the keys to successfully get over each scaling step. So, regardless of where you are on your Dev[Sec]Ops transformation journey, there are likely to be some useful nuggets of knowledge in this talk.

Hosting Workshop

DevSecOps: How to SHIFT LEFT not S#!T LEFT

NIST, SANS, OWASP, PCI, etc. all have a different list of practices that should be in an app sec program, but they target security specialists. If you attempt to shift them left to the development teams without grooming, it’ll feel a lot more like S#!T LEFT to them. This workshop will have the participants produce a prioritised list of practices, along with needed adaptations, that are good candidates to be shifted left. Take this list away as a valuable deliverable or re-conduct the workshop inside your own organisation to produce one tailored to your context.