
Sonatype Blog

Myth Busting in DevSecOps

April 29, 2020 By Zack Conord

Larry Maccherone leads the DevSecOps efforts at Comcast. In this episode of DevSecOps: The Good, The Bad, and The Ugly, he busts some common DevSecOps myths and shares more about his DevSecOps Journey.

To start, Larry admits he has a "love/hate" relationship with the word "DevSecOps". If you're doing it right, of course security is included! He defines DevSecOps as a method that "empowers engineering teams to take ownership of their product all the way to production, including security."

Bust Several DevSecOps Myths with Three Steps to Cultural Transformation

Larry discusses several myths in the video below. He also outlines the three parts that are necessary for cultural transformation:

1. Win the hearts and minds of development teams by actively building and reinforcing interpersonal trust.

2. Introduce a gradual on-ramp of "to-dos" by identifying top priorities and outlining obvious next steps. (Remember: "obvious next step" may be subjective, so be sure to discuss it.)

3. Secure executive sponsorship. No one "DevSecOps" alone!

Larry always has good things to teach. For example, he classifies "pixie dust security" as an epic failure. Read more from Larry in the Epic Failures, Volume 2 book.

Tags: DevOps Culture, devsecops, DevSecOps journey, Good Bad Ugly

Written by Zack Conord

Zack is a Regional Account Manager at Sonatype and host of the "DevSecOps: The Good, The Bad, and the Ugly" series on YouTube.