
DevSecOps: Security at the Speed of DevOps

How do you foster the cultural change necessary to implement DevSecOps?

Larry Maccherone (@LMaccherone) of Comcast shared his approach at the Nexus User Conference.

Larry guides teamwork across the company to support DevSecOps adoption, working with Noopur Davis, Comcast’s CISO. The challenge is to establish and build trust between developers and security professionals, two groups that previously held opposing goals. When these teams work together, the collaboration produces better-quality software, faster.

Quality software resists attack and is nimble enough to be changed quickly when a new threat appears.

Analyze, Learn, and Repeat

Larry highlights the “Analyze and Learn” step as especially critical in the cultural transformation. His philosophy is that teams must stop thinking of security measures as responsibilities gated off to a separate team.


Instead, he says, “We need to, one, take what [security breach] was found and turn [it] into a pattern. Two, we need to find and fix the vulnerability in the codebase and consider how this pattern could be used again. Three, we need to put in place the changes that will prevent this vulnerability in the future.”

Teams collaborate on the solution and on establishing preventive steps. Prevention could take the form of new training or a change to the tech stack. The process is tracked in an in-house tool called Greenhouse, combined with an open source radar visualization.

Using Greenhouse, Larry and his team can identify participants for 90-day plans to strengthen and grow the DevSecOps teams. The idea is to “green up,” or mature, over time. Teams move to darker shades of green along the way to track progress. All team members participate.

DevSecOps Manifesto

“If you’re doing DevOps right, you’re always considering security,” says Larry. He outlines his views on DevSecOps as the basis for work at Comcast:

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/devsecops-security-at-the-speed-of-devops