Holding the Industry Accountable

Editor’s Note: This presentation by Chris Roberts was a session at last year’s All Day DevOps. Readers are reminded that individual actions influence the direction our industry takes.

“Today we’re going to have a conversation about holding our feet to the fire,” said Chris Roberts (@Sidragon1). “We’re going to break down what’s going on in the industry and why we should care about it. Then we’ll talk about what we should change, as well as why we should change it.”

First, Why Are We Failing?

Going back to childhood, we were told not to touch a hot kettle on the stove. But what did we do? We touched it. Or at least some of us did.

As humans, we need to experience something before we change. Can we fix humans? Can we change this behavior? In short, no, we can’t.

For example, when we send emails to our employees to verify if they’ll click on potentially dangerous links once a year, we’re not going to get the results we want. We’re going to have people click the link. Instead of sending a yearly email to complete the audit, we need something more.

So let’s be clear. If you experience it, you will listen and change.

Why We Need DevSecOps

Now let’s look at the adversary’s perspective. They have a large toolbox and a lot of time to do what they do.

On the organization’s side, we have fewer tools and technologies. We also have policies, resources, and controls. They’re not an effective tool against the adversary.

In short, we need help. We’re erratic, conflicted, and disorganized. And we debate every decision. This is why we need DevSecOps.

Does that mean we need to spend more money on security? No. Currently we spend more than $124 billion in (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sylvia Fronczak. Read the original post at: https://blog.sonatype.com/holding-the-industry-accountable