DevSecOps Leadership Forum: 500 Innovators Learning From Shared Experiences

May 14, 2020 By Matt Howard

A week ago we hosted the North American DevSecOps Leadership Forum. It was an online event and an amazing experience in which we assembled 500+ software development, application security, and IT operations professionals to share experiences and learn from one another.

The purpose of this post is to provide a quick recap of the day. For starters, I want to share context regarding the participating companies and professionals, and how they rated themselves with respect to DevSecOps maturity.

Participating Companies:

What Industry Do You Identify With?
Financial Services and Insurance - 36%
Healthcare - 13%
Manufacturing - 4%
Other - 11%
Retail - 2%
Technology and Software - 33%

Participating Roles:

What Part of the DevSecOps Community Do You Most Identify With?
Development - 28%
Operations - 21%
Other - 14%
Security - 47%

Level of DevSecOps Maturity:

If DevSecOps is Like Climbing a Mountain, How Mature is Your Journey?
Not yet started - 4%
We've been climbing for less than a year - 30%
We've been climbing for less than 2 years - 42%
We've been climbing for 3+ years - 24%

World Class Speakers and Panelists

At Sonatype we have developed deep roots within the global software engineering and application security communities, and we are grateful to the world-class speakers who shared their experiences at DLF 2020. You can also watch these videos in the on-demand recording.

  • Bryan Batty, Director of Product and Infrastructure, kicked off the program by sharing his application security journey at Bloomberg. Prior to his tenure, there were no open-source governance policies in place. With the introduction of the right tools and a cultural shift, he’s seen transformative success. However, there were many challenges along the way. Batty stated, “Security was often viewed as an impediment to innovation by the development team. Developers were frequently resistant to new tools and were not interested in making significant changes.” Batty discussed how he worked to collaborate with developers, build trust, and slowly refine culture.

  • Financial Services Panel: This discussion featured Robb Keayes, VP, DevOps Coaching Lead, Nomura, Howard Zeemer, Staff Engineer, OTA Team Lead at LendingTree, and Sladjana Jovanovic, VP, Enterprise Payments and Technology, TD Bank. The panelists addressed how banks and financial service firms compete and win in today’s world through software innovation.

    • Sladjana Jovanovic shared that TD Bank is “in the business of building trust with our customers. In order to be trustworthy, we need to be resilient. If I dissect ‘resiliency’ it means security and operational stability.” In the context of COVID-19, Sladjana is proud of the resiliency that has been displayed across TD Bank.

    • Next, Robb Keayes said that financial services firms are all “undergoing a significant transformation.” With regard to DevSecOps, Keayes shared how value streams can be applied with common goals to show people across the organization what good outcomes look like.

    • Howard Zeemer from LendingTree reflected on his experience empowering developers to embrace new security tools. “Developers often feel like security tools in the pipeline will slow them down. That's why the best security tools are viewed by developers as helping them deliver faster. The prevalence of public data breaches has made developers more aware that security is critical.”

  • Joe Friedrichsen, Managing Director of Infrastructure and Operations, BCBS of RI, provided an operations perspective on digital transformation. To begin his session, Friedrichsen stated that his “journey has been primarily about people, some process, and a little technology.” The people are critical, so you have to focus on user experience. DevSecOps is really hard, and he finds it's always easier to solve hard problems when you have a relentless focus on user experience.

  • Panel: The Stockdale Paradox featured Garrison Hu, Head of AppSec, T-Mobile, James Dean, Manager of Deliver Automation Services, BCBS TN, and Rob Aragao, Chief Security Strategist, MicroFocus. The Stockdale Paradox states that when faced with a difficult challenge, it is wise to balance realism (brutal honesty about circumstances) with optimism (unwavering belief that success is inevitable). So how does this paradox apply to a DevSecOps journey?

    • Garrison Hu stressed that most people want to do the right thing, but oftentimes developers don’t have time to take on additional security work. Therefore, it is important to implement tools that can help do security work automatically on behalf of developers.

    • James Dean agreed that it takes a lot of effort and time to ensure your code is secure. It needs to be in the developers' faces so they can educate themselves as they’re working. Dean worked with his team to shift security tools further left into the SDLC.

    • Rob Aragao sees a lot of organizations struggling to get security integrated into the developer workflow. Tools can definitely help, but you also need to align people and process. Rob also emphasized the importance of reviewing a software bill of materials (SBOM) so organizations can have a full understanding of what’s in their applications.

  • Mike Wilkes, CISO, ASCAP, presented “Sleeping Securely During a COVID-19 Induced Coma,” which addressed how corporations and modern IT departments should think about securing their enterprise during a medically induced coma. What challenges are presented by a work-at-home posture? Do we release software any differently than we did before?

    • Wilkes believes that before COVID-19, many organizations had become complacent. Now is a great time to ramp up security efforts, shift left, and invest in automation security within your CI/CD pipeline. Teach your teams how to find flags. If you don’t have additional budget, find out how to better maximize your tools. 

    • Changing culture is hard, but you won’t get there unless you have the awareness to know something is wrong. If you don’t focus on awareness, acceptance, and action, you won’t be a good leader within your organization.

That's a wrap! DLF 2020 is complete. Thank you again to our amazing speakers and to everyone who participated. The full on-demand recording is now available.

Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years of experience developing high-growth software companies. At Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.