Subject: Successful DevSecOps evolution through realistic expectations and company-wide transparency Description: Although most companies are somewhere in the middle and it's hard to really determine the factors that allow them to manage their security operations, there is a lot we can learn by studying the stories of companies that thrive on DevSecOps and those that really struggle to make it work. In my experience, the biggest reason for companies failing to succeed with DevSecOps is that instead of embracing it, they engage in the project with deep resistance because they know they haven't really done their homework and aren't prepared enough to comprehend the big-picture perspective. During my presentation, I want to share with you my observations from over 5 years spent in the trenches, which should turn helpful if your goal is to build a DevSecOps roadmap that focuses on practicality and positive long-term influence at your organization. The release of this video on my youtube channel has been approved by Joe Colantonio from SecureGuild 2019.

1. Successful DevSecOps
evolution
through realistic expectations and
company-wide transparency
by Dawid Bałut

2. The challenge
To build a DevSecOps roadmap that focuses on
practicality and positive long-term influence at
your organisation

3. Practical cyber resilience
1 security engineer vs 5 cybercriminals
OR
100 security-savvy software engineers + 1 security
engineer vs 5 cybercriminals?

4. How to fail at DevSecOps
- believe in the power of one
- put processes and tools before humans
- plan in months instead of years
- underestimate the value of transparent communication
- distract yourself with the latest industry news

5. Closer you look, the less you see
99% of things TOP 1% of companies do, aren’t practical for
99% of other companies,
unless you follow their path - instead of trying to
replicate the state of their destination.

6. Secure SDLC by Microsoft (2002)

7. How to increase the chances of success
for the DevSecOps evolution
- enable capable ones to become willing and able
- deploy automation and processes to support humans
- keep the whole organisation in sync with the evolution
- follow a multi-year long strategic roadmap
- be flexible by executing in weeks-long sprints

8. My TOP essentials
1. Educate all technical stakeholders such as software engineers, QA testers, product owners and
engineering managers on secure software engineering.
The training should cover secure programming as well as create the awareness of corporate security
policies, procedures, processes and best practices. The goal is to provide employees with an access
to the “bigger picture” mindset, enabling them to easily connect the dots going forward.
Security training should be conducted at least yearly, preferably in a form of interactive workshops.
Employees should have access to comprehensive knowledge base e.g. in a form of a e-learning
platform that allows ad-hoc access to the specific modules so employees
can easily find the material that’s actually relevant to their situation
at a given moment.

9. My TOP essentials
2. Educate the business-oriented professionals on how important it is for them to support their tech
teams during their day to day work.
Management must be made aware and regularly reminded that in order to improve company’s
cyber resilience, it’s required of them to actually provide employees with necessary resources do get
their job done.
Sometimes the best support one can provide is to stop themselves from creating additional
problems.

10. My TOP essentials
3. Each and every member of the Security Team must be aligned with the vision, because if you want
to earn the trust of the whole organisation, you need to be integral and stable.
Security professionals shouldn’t be treated as an independent consultancy silo, but as a teammate
like any other.
The goal is to make every employee feel like the security pros are there for them and such
atmosphere is created by infosec willingly sharing their knowledge and contributing to the
engineering projects acting as a subject matter expert in their respective domain.

11. My TOP essentials
4. Deploy systems and tools to provide you a high level of insights into what’s going on at the
company. You want to know what changes are being made by engineers so you can react
appropriately, knowing that you can’t protect something if you don’t know it exists.
Once properly tuned and optimized you can delegate the tool’s ownership to relevant department
and delegate the issue’s remediation to the very person that introduced a malfunctioning change.
Avoid fixing all the things in the dark, because you want employees to be made aware and educated,
so they learn how they can do things better in the future.

12. My TOP essentials
5. Define minimum viable security requirements that must be met in each software / operations
related project.
You want to have a document or a system which allows engineers to easily comprehend the
compliance and infosec requirements expected against their contributions.
In an agile world, each back-and-forth with security team is a waste of time, which is why all
documentation should be prepared upfront and delivered to relevant stakeholders so they don’t have
the resistance to work on security, just because they didn’t know where to look for help.
Create quality gates that define which risk levels should automatically fail the build and not allow
software to be deployed in the external environment.
As a signal to the algorithm making this decision, use the input from
the automated systems for code scanning, dynamic application
security testing, config auditing as well as manual testing.

13. My TOP essentials
6. Incorporate one-time manual and automated threat modeling and design reviews.
Reviewing software design at earliest and final phase of SDLC enables you to provide contextual
guidelines for development teams. It’ll also prepare the security department for risks associated with
development of very specific software so that you are prepared for the incidents that are likely to
arise around the mission critical components.
You can get your security to the next level if you train product owners and systems architects how to
create threat models that allow them to perform risk analysis at lower cost without direct involvement
of a security team.

14. My TOP essentials
7. Define benchmarks which will be enforced by the automated systems of combined scanning tools.
If you’ve made people aware of the requirements and guided them for long enough, there comes a
point in which you should feel comfortable with deploying systems that execute the verification for
you.

15. Simple starting points
1. Learn about and understand the existing software development practices to optimize existing
processes first, and then move onto adding more things on top of it.
2. Educate everyone on the principles of the DevSecOps culture and perform the relevant training.
3. Incrementally implement new processes and automated systems supporting software engineers in
writing and maintaining secure code and secure infrastructure.

16. Q & A
happy to answer all the questions you
may have :)
- Dawid Bałut