From Hype to Reality: The Broken State of DevSecOps and Its Maturity Model

Uploaded by eitan19, Oct 01, 2024, 26 slides

About This Presentation

The slides from the talk by Dustin Lehr and Eitan Worcel at the 2024 Global OWASP at SF

Despite the hype surrounding DevSecOps, the reality is starkly different: reported issues remain unresolved, SLAs are neglected, and the role of security champions is reduced to basic training sessions.

This ...


Slide Content

From Hype to Reality: The Broken State of DevSecOps and Its Maturity Model

Dustin Lehr
LinkedIn: Dustinlehr
@DustinLehr1
13 Software Engineer, AppSec Leader at Staples and Fivetran
Co-founder / CPTO of Katilyst (Security Champions are The Way!)
Author of The Security Champion Program Success Guide
https://securitychampionsuccessguide.org/
Co-founded the Let's Talk Software Security global open discussion meetup
https://www.meetup.com/lets-talk-software-security/
3 Kids (5, 8, and 17!), and a wife… that's enough!
Connect with me on LinkedIn ->
(it's safe, trust me)

Eitan Worcel
Born and raised in Israel
Live in Massachusetts with my wife, three kids, and two dogs (it was three) :(
Retired long-distance runner
Over 20 years of experience in the software world
In the appsec space since 2007
Co-founder & CEO of Mobb
LinkedIn: Worcel
@EWorcel
Connect also with me on LinkedIn ->
(well, if you trusted the other bald guy)

Agenda
-Introduction and Overview
-The Role of Security Champions
-Cultural Shifts Needed
-Leveraging Technology

No AI was used in the creation of this content.
https://responsibleaidisclosure.com/

DevOps - Why, How, What?
What - faster releases, improved quality, and greater operational efficiency, allowing companies to stay competitive and agile in the market
Why - to help organizations deliver software faster and more reliably
How - by fostering collaboration, automation, and continuous feedback across teams

"IT'S THE ECONOMY, STUPID"

DevSecOps - Why, How, What?
What - secure, high-quality software delivered quickly and efficiently, reducing vulnerabilities and improving compliance while maintaining the agility of DevOps
Why - to ensure that the software delivered at the speed of DevOps is secured
How - by shifting security left, using automated security tools, and promoting collaboration across development, operations, and security teams

'It isn't that they can't see the solution. It is that they can't see the problem.'
Gilbert K. Chesterton


Mindset Shift Needed
DevSecOps is NOT just about implementing security tools as part of your CI/CD pipeline.
Automation alone will not save you, and neither will AI.
https://devops.com/repeat-warning-there-is-no-silver-bullet/

Building the Foundation for DevSecOps

The Business Case ($) for Being Proactive

A DevSecOps Transformation Means CHANGE
Changes to developer habits, the deployment process, etc.
This is about gaining the proper support and influence to infuse the deployment process with security steps.

How Change Catches On

How to Start a Movement
https://www.youtube.com/watch?v=lbaemWIljeQ
Allies / Security Champions
Innovators and Early Adopters are needed to push your CHANGE forward.
It's the first followers that influence others.
People will listen to those they know more closely than YOU.

Patience! It takes time to do it right
-Make a strong business case to pursue actual leadership support: active engagement by senior leaders.
-Obtain and maintain buy-in by asking people to weigh in and then actively listening.
-Constantly share small wins along the way to build support and momentum.
-Don't call the win early. Only when the changes are fully adopted across ALL of the dev population should you claim success. Then, put controls in place to maintain the state.
-Avoid negative social proof! Don't highlight the shortcomings or you'll enable the naysayers.

Time to Build ON the Foundation!

Leveraging Technology

The controls laid out along the DevOps loop:
-Threat Modeling, Secure policies
-Secure Code Training
-IDE Spell Check, Scan on every code change
-SAST, SCA, IaC scanning, Secret Scanning
-Security Gates
-DAST, IAST, API Testing
-WAF, RASP
-Pen Testing
-SIEM
-Incident and Response

The same loop with the newer layer on top of the scanners and gates:
-ASPM
-Reachability
-Exploitability
-ADR


Summary
•Remember DevOps was a journey. DevSecOps is too
•There are new technologies to help you
•But tech (and AI) on its own won't save you, changes are needed
•Celebrate the wins

Thank You
Questions?
Dustin Lehr (LinkedIn: Dustinlehr, @DustinLehr1)
Eitan Worcel (LinkedIn: Worcel, @EWorcel)