When should enterprise DevSecOps be Cloud-Native?

Presenter: Chenxi Wang – Rain Capital
Cloud native security solutions are designed and built on the Cloud, leveraging the native services of each public cloud or container platform. While some of these services bring significant value, they should be integrated with the enterprise delivery pipelines as well as the security tooling for scanning and control. This talk will discuss the security motivation for extending enterprise pipelines with external cloud-native tooling, creating hybrid DevSecOps pipelines. It will present the common misconceptions with respect to enterprise DevSecOps and will discuss in which cases extending it with Cloud-native is beneficial.

DevSecOps Transformation at Scale

Presenter: Larry Maccherone – Comcast
Hosted by: Courtney Kissler – Nike
Many security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve. Similarly, security groups believe that policy enforcement is their biggest (only?) lever… “If we can just update the policies to be more (consumable/relevant/context aware/etc) and get developers to pay attention, then magic will happen.” But, policy enforcement rarely moves the needle and it creates a tense relationship between development and security that can do more harm than good.

More importantly, policy enforcement takes the place of development teams owning the security problem. The Lean, Agile, and DevOps movements have been successful precisely because they have empowered development teams to take ownership of QA, product management, operations, etc. in recognition of 100+ years of social psychology research proving that approaches with strong elements of intrinsic motivation (taking ownership) are far superior to extrinsic-only (policy enforcement) approaches.

So, how does a CISO or other security leaders break away from independent gating and policy enforcement to adopt this new approach? You have to change the mindset of your own security team as well as client development teams. You have to make the right thing to do be the easy thing to do. You have to get executive sponsorship throughout the organization and get middle management on board. You have to build trust between Dev, Ops, and Sec. And, a host of other things. Where do you start?

This talk is a step-by-step framework that will take you from wherever you are now and get you on the path of DevSecOps cultural transformation. It addresses the mindset shift concerns for all relevant audiences. It addresses the mechanics of getting started and tracking progress. It’s adaptable to any environment regardless of industry, technology, or maturity. Most importantly it’s been proven in a highly diverse environment at Comcast.

Panel: DevSecOps in the Healthcare Industry

DJ Schleen – Aetna/CVS
Poornaprajna Udupi – Lyra Health
Omar Khawaja – Healthmark
Moderated by: Mark Miller – Sonatype, All Day DevOps
Listen in as a panel of Healthcare IT Professionals talk about the successes and epic failures of their efforts to transform IT for the Healthcare industry through their DevOps/DevSecOps initiatives.

DevSecOps – Strategies on How to Get Buy-In and Get Started

Presenter: Anne Marie Zettlemoyer – Mastercard
Hosted by: Chris Roberts – Attivo
As security professionals we often lament on the still current reality that security is often an afterthought in the development processes, hastily and reluctantly bolted on at the end. There is no shortage of angst and frustration on this topic. We pontificate, theorize, analyze, and preach until we are blue in the face on how to win the argument of “speed of delivery vs. delivery securely”, “write access vs. right access” and so on – how to “get them to do better” while the other side watches us with our flailing arms and wonders the same thing. How do we move from talking past each other and admiring the problem to truly actioning change? What does it take to actually get started on the DevSecOps journey? This talk will focus on simply that – how to get started. From understanding, quantifying, and translating the problem to be solved and gaining support and the resources to meet it, we’ll discuss how to get buy in from the bottom and the top in order to make the start of the journey a viable and successful one.

Panel: DevSecOps in the Finance Industry

Anne Marie Zettlemoyer – Mastercard
Alexandra Shulman-Peleg – Citi
Oleg Kryb – VISA
Moderated by: Caroline Wong – Cobalt.io
The finance industry has been the poster-child for disruption through DevOps/DevSecOps initiatives. Listen in as a panel of Finance Industry Professionals talk about the successes and epic failures of their efforts to transform IT for the Finance industry through their DevOps/DevSecOps initiatives.

DevSecOps in Low and No Code Environments

Presenter: Navin Vembar – former GSA
Hosted by: Derek Weeks – Sonatype
When we talk about DevSecOps, we are often talking about custom code in fully built environments. But, as low- and no-code environments proliferate, we still want to follow the directions that DevOps takes us – frequent deliveries, automated testing, monitoring, and all of the other important factors that make for high-performing teams are still important. In this talk, we will talk about some of the challenges and successes in moving towards DevOps in environments that may mix low-code, no-code and custom code into one.

Security Data: GPS for Application Teams

Presenter: Jodie Kautt – Target
Presenter: Jennifer Czaplewski – Target
Hosted by: Caroline Wong – Cobalt.io

In this session, Jennifer and Jodie share how they have changed the internal culture in IT around security of applications. They have a system self-named as “Product Intelligence” where the team measures how closely an app lines up with the security requirements and gives the app a “credit score.” The process then offers very specific steps to take to improve the
security of your app. Jodie and Jennifer will go over the results of implementing the process and discuss the next steps in the initiative.