Sonatype Blog

Larry Maccherone Says Pixie Dust Security is an Epic Failure [VIDEO]

February 18, 2020 By Mark Miller

Editor's Note: Larry's story is included in "Epic Failures in DevSecOps, Volume 2", available for free download.

"You can characterize the history of software engineering as an unending cycle of pendulum swings in search of a Goldilocks compromise that we never quite achieve. The Rational Unified Process (RUP) was people and process oriented, which was followed by Extreme Programming (XP) which was engineering oriented. Then, Agile took us back to people and process, followed by DevOps which is again more engineering focused.

The most fundamental epic failure is believing that you can sprinkle pixie dust on an already completed application to make it secure. This failure has been and continues to be widespread across the industry. When I started at Comcast, this was the general situation. Boundary protections like network firewalls as well as bolt-on solutions like web application firewalls were at the heart of our cybersecurity approach, despite the fact that the vast majority of security incidents were attributed to flaws in the underlying system design or software vulnerabilities." -- Larry Maccherone

Justin Miller interviews Larry Maccherone on his work helping to transform Comcast, his history prior to Comcast and on his chapter "Shift Left, Not S#!T Left" in the second volume of Epic Failures in DevSecOps.

Tags: AppSec, Application Security, devsecops

Written by Mark Miller

Mark Miller serves as the Senior Storyteller and DevOps Advocate at Sonatype. He speaks and writes extensively on DevSecOps and Security, hosting panel discussions, podcasts, and webinars on tools and processes within the Software Supply Chain.