Activity Spotlight

Security is Everbody's Job

I’m here to argue that DevOps is the best thing to happen to application security since OWASP. And by the end I hope that you will agree that security is truly everybody’s job. Let’s start! In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job. AppSec is a Thing, and it needs to be taken seriously: Current status: causes around 1/4 of incidents (you know, those scary things you read about on the news) Usual ratio for Dev/Ops/AppSec is 100 > 10 > 1 Security is not taught thoroughly in schools Waterfall never really worked, and the security model around it “stop while we do this” is slow and untenable, and certainly not possible in DevOps (Dinosaurs in a waterfall)