Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around the DevSecOps pipeline.
Is DevSecOps the only thing you need to do for security in your IT division, or is there more?
What impact does bringing a secure culture into an engineering context have?
What handshake is needed between the IT function and the security / risk function in large enterprises?
How does this impact the roles and responsibilities of a developer?
This talk is an attempt to answer questions such as these using real-world examples of transformations seen in Fortune 100 companies.
Slide 1
As Dev Exec, Are You Doing Enough For Security?
Archana Joshi
Head – Transformation, LTI
Note: The views expressed in the presentation are solely those of the presenter and do not represent those of the company / clients she is associated with.
Slide 2
Let us meet the characters in our story
CEO, CIO, Legal Director, InfoSec Director, Dev Director
Slide 3
… and ask them the same question: What are you doing about cyber security?
CEO, CIO, Legal Director, InfoSec Director, Dev Director
One of the top agenda items
Proactive investments
Being secure is our culture
Strengthening Cloud Security & Application Security
Compliance checks
Investing in Digital Forensics
Security lapse liability
3rd party coverage
DevSecOps
Risk-based DAST, SAST
Slide 5
Now ask them the same question: How can we prevent such a breach in future?
CEO, CIO, Legal Director, InfoSec Director, Dev Director
I am setting up a committee with external experts to help us with next steps
My team needs to come together. It’s not just us – we have partners too. We need to work together
I should provide stringent security norms. We need to work together
I don’t understand this focus on open source. We need to work together
My app team faces the brunt. There are networks too. We need to work together
Slide 6
2 months after the incident… ask them the same question: How are you measuring the effectiveness of cyber security?
CEO, CIO, Legal Director, InfoSec Director, Dev Director
I get a weekly report on any breaches. We are also running an awareness campaign
Mean time to recover from security
Kubernetes cluster monitoring
% adoption of DevSecOps
No. of builds to production with security clearances
Risk assessment profile
No. of third-party assessments meeting the legal guidelines
No. of security compliance defects
No. of developers who have undergone secure coding practices sessions
Slide 7
Is there a better way to handle this?
Can we truly achieve “continuous security”?
Slide 9
Security Pod & Roles
CISO – CIO pair
Extreme Automation
Inbuilt Dev Practices
Integrated OKR and metrics
Follow the motto of Centralize – But Decentralize
Slide 10
Security Pod & Roles
  Security Architect
  Security Ambassador / Product Mgr
  SRE with security focus
CISO – CIO pair
  Common security governance
  Active Legal involvement
Extreme Automation
  Open source tagging via pipeline
  Operations monitoring includes security parameters
Inbuilt Dev Practices
  Security as code
  Secure coding insights via AI interventions
Integrated OKR and metrics
  Threshold setting for central involvement
  Security Debt as part of sprint goals
Follow the motto of Centralize – But Decentralize