May TASK: A Blueprint for Developer-First Security

Join us for our next TASK on May 31, 2023, at 6pm online. Zoom link below.

Speaker: Larry Maccherone

Topic: A Blueprint for Developer-First Security

Every organization is experiencing more software development throughout its business, whether it likes it or not. This talk delivers a Blueprint for accomplishing the cultural shift to developer-first security. The talk also includes a brief demo of an open-source tool that you can use to facilitate your adoption of the program and track your progress towards achieving it. Larry built a similar tool that was instrumental to scaling the Dev(Sec)Ops program at Comcast to 10,000 developers.

The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products. The cloud-native and DevOps movements similarly disrupted traditional IT Ops. These were not mere shifts to the left, they all involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices.

Now it’s security’s turn, but here’s the rub.

NIST, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in the list are unprioritized, target security specialists, and fail to specify adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.

Larry Maccherone is a thought leader on Dev(Sec)Ops, Agile, and Analytics. At Comcast, Larry launched and scaled the DevSecOps Transformation program over five years. In his new role at Contrast, he’s now looking to apply what he learned to guide organizations with a framework for safely empowering development teams to take ownership of the security of their products. Larry was a founding Director at Carnegie Mellon’s CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA’s Code Assessment Methodology Project which wrote the book on how to evaluate application security tools, and received the Department of Energy’s Los Alamos National Labs Fellow award. Contact Larry on his LinkedIn page: https://www.linkedin.com/in/LarryMaccherone.

Zoom Register: https://us06web.zoom.us/webinar/register/7716854630113/WN_wPDDpJw_TBy7h28C5dlBoQ

We look forward to seeing you all then,
The TASK Steering Committee
