In mid-October, Sonatype hosted its second virtual DevSecOps Leadership Series, focused on DevSecOps in a High Tech World. The event was attended by more than 300 developers, application development and security professionals, and featured an opening keynote from FISERV. That keynote was followed by two panel discussions moderated by Michelle Dufty, SVP of Marketing at Sonatype, with leaders from Sirius XM, NBC Universal, OneTrust, Estée Lauder, PointClickCare, and Micro Focus.
Throughout the event, these leaders shared their experiences in DevSecOps and how they were specifically able to add value to their organizations through its adoption. Here are some of the key takeaways from the different panel discussions:
Delivering Value, Driving Innovation and Averting Risk at the Speed of DevOps
This panel featured Ramesh Regulapati, Director, Telematics and DevOps, Sirius XM, Michael Warthen, Director, Software Development, NBC Universal, and Steve Finch, Head of Architecture and Cloud Ops, OneTrust.
Michelle began by asking the panelists, “What’s the state of your DevSecOps practice, and how do your organizations manage vulnerabilities?” Ramesh, a more recent DevSecOps adopter, mentioned that his team had been previously working through vulnerabilities manually. However, they recognized they could not scale through manual efforts and needed to implement automation and shift security left.
For Michael at NBC Universal, it was also about looking for opportunities to shift left in the SDLC. He believes that while many bad actors exist, there are more good actors, and those developers need to feel empowered by the tools they use and the DevSecOps processes adopted. Ultimately, they’ve found that shifting security left and adjusting specific policies has allowed developers to release builds cheaper and faster without time-consuming rebuilds.
At OneTrust, Steve Finch explained that a “process without control is like a speed limit without a policeman,” in that no one follows it without a consequence. He agreed that developers want to do the right thing but they get frustrated if they are slowed down and look for ways to get their jobs done faster. As a result, OneTrust needed to find tools that allow developers to go fast without compromising security.
One of the big takeaways from this panel was the importance of communicating with your teams and allowing them to be part of the process when choosing a tool. Be open to feedback from developers. Miscommunication can be one of the biggest blunders when implementing new tools and processes, so continual communication and collaboration are critical for employees to accept changes. Specifically for development teams, leading with productivity is important to gain support for new tools.
Additionally, the panelists agreed that it’s important to celebrate wins across the company, elevate your team, and create a culture of learning about emerging technologies.
Beating the Competition: Securing Modern Applications in a High Tech World
This panel featured Les Correia, Director, Enterprise Cybersecurity & Risk, Estée Lauder, Tim Tomlinson, VP/CISO, PointClickCare, and Martin Knobloch, Global AppSec Strategist, Micro Focus.
The next panel provided more insight into the needs of Application Security teams. Michelle asked the panelists, “Where are you on your DevSecOps journey to date?” Les from Estée Lauder responded that DevSecOps is top of mind given his development background and he realizes that processes, toolsets, and culture are important qualities to look at from a security perspective. Les also stated, “It’s critical to identify internal security champions and develop those champions.”
Next, Tim from PointClickCare explained, “I inherited a robust app sec practice with some tooling, but that tooling needed upgrades and to be refreshed.” From Martin’s perspective at a software company, his goal was to improve Micro Focus Fortify’s products to help customers become more secure.
The next question Michelle asked was “How are the panelists dealing with the changing landscape of software supply chain attacks injecting malicious code into the open source projects directly? And how do they discuss these vulnerabilities with developers?”
Les responded that, at his organization, they have tools in place such as Nexus to help mitigate these risks. In turn, with zero-day vulnerabilities, he needs to be able to generate a software bill of materials to know what components are used in each application.
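To make that SBOM point concrete, here is an added Python example (not code from the panel, Sonatype, or Estée Lauder) that loads constructed CycloneDX-style SBOMs for three hypothetical applications and reports which of them ship a component below the fixed version named in a hypothetical advisory. The component name, applications and versions are all made up for the illustration.

```python
import json

# Constructed, minimal CycloneDX-style SBOMs (one JSON document per hypothetical app).
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "widget-parser", "version": "1.3.0",
         "purl": "pkg:maven/com.example/widget-parser@1.3.0"},
        {"type": "library", "name": "jsonlib", "version": "2.1.0",
         "purl": "pkg:maven/com.example/jsonlib@2.1.0"}]}),
    "mobile-gateway": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "widget-parser", "version": "1.4.1",
         "purl": "pkg:maven/com.example/widget-parser@1.4.1"}]}),
    "reporting-ui": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "widget-parser", "version": "1.4.2",
         "purl": "pkg:maven/com.example/widget-parser@1.4.2"},
        {"type": "library", "name": "jsonlib", "version": "2.0.0",
         "purl": "pkg:maven/com.example/jsonlib@2.0.0"}]}),
}


def parse_version(version):
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically (1.10 > 1.9).
    Non-numeric fragments such as '-beta' are ignored; this is deliberately simple."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_affected(sboms, purl_prefix, fixed_in):
    """Return {app: version} for every app whose SBOM lists a component whose
    purl (without the @version suffix) equals purl_prefix at a version below fixed_in.
    This is the 'which applications use this component?' question a zero-day raises."""
    hits = {}
    for app, raw in sboms.items():
        bom = json.loads(raw)
        for comp in bom.get("components", []):
            name_part = comp.get("purl", "").split("@", 1)[0]
            if name_part == purl_prefix and parse_version(comp["version"]) < parse_version(fixed_in):
                hits[app] = comp["version"]
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: widget-parser is fixed in 1.4.2.
    print(find_affected(SBOMS, "pkg:maven/com.example/widget-parser", "1.4.2"))
```

Real SBOMs would come from a build-time generator rather than inline strings, but the lookup over the `components` array is the same.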
Tim answered Michelle’s question with three key elements: “Vigilance, commitment, and why – explaining to developers why it’s important to consider these threats while building code.” Specifically for PointClickCare, which helps provide home healthcare solutions, it’s critical for developers to understand the risks as they manage private data. Tim coined the slogan, “Protect your Granny’s data” at his organization so his teams can fully internalize the importance of what they do. Tim also supports the use of automated tools to simplify the process.
Martin added that dependency management is an important concept for organizations to understand and it needs to be automated. From his perspective, “Organizations need to first implement guardrails then collect data to slowly get people working together in an agile environment under a unified goal.”