News and Notes from the Makers of Nexus | Sonatype Blog

DevSecOps Leadership Forum: Revolutionizing financial services

Written by Sonatype | May 30, 2023

Sonatype's VP of Product Marketing, Tara Flynn Condon, recently hosted four esteemed experts from top-tier financial services companies, including Sallie Mae and Equifax at our DevSecOps Leadership Forum. The conversation's central theme revolved around their current projects, established best practices, strategies for measuring the ROI of security programs, advocating for budget, challenges they've encountered on their DevSecOps journey, what's next, and much more.

What did the financial services experts have to say?

Obie Harden, Equifax's Global Cyber Security Engineering Manager, shared how his company recently worked on its asset inventory to ensure a smooth journey throughout the development lifecycle, including deployment, build phase, and the operational side. Thanks to solutions like Sonatype Lifecycle and Sonatype Nexus Repository, Equifax achieved a comprehensive asset inventory that provided real-time solutions for various security-related issues.

Sallie Mae's Principal Architect of Information Security, Ron Ogle, discussed the organization's approach toward firewall security, focusing on open source libraries to mitigate malware risks. Ogle also emphasized seeing security as a component of quality and helping developers look at their code from a hacker's perspective to understand the potential risks.

Reza Mehran-Nejad, an Application Security Manager, discussed his work on shifting Static Application Security Testing (SAST) and software composition analysis (SCA) left, implementing Sonatype Repository Firewall, the importance of software bills of materials (SBOMs), and the importance of having a single-pane-of-glass view to manage risk effectively.

Derek Fisher, an award-winning author and Head of Product Security at a major financial institution, echoed the importance of understanding the organization's asset landscape. He talked about making application security a priority and aiming to balance enabling business and reducing risk. He also dived into the significance of having visibility into what libraries are being used and where they are implemented.

Dive deeper into the DevSecOps conversation

The conversation provided invaluable insights into the current trends in DevSecOps and emphasized the significance of a holistic approach to security, which sees it as a component of overall code quality and integrates security considerations throughout the development process. As a bonus, our Chief Product Development Officer, Mitchell Johnson, covered the convergence of developer productivity and secure software development and how Sauron and Frodo fit into that.

While each of these companies and their teams operates a bit differently, one thing this star-studded panel has in common is they all use Sonatype tools to help improve their software supply chains. Check out the full video to learn how these teams achieve DevSecOps success.