The month of October is dedicated to intimate gatherings of DevSecOps professionals, thought leaders, and decision makers in cities across North America and Europe.
Participants tell us that these forums and roundtables foster dynamic, collaborative conversations.
Too often, you attend an in-person event, only to feel overwhelmed. There is so much going on - sponsored booths, hundreds, if not thousands, of people, and a long list of sessions, which unfortunately compete for your attention. And, ultimately, the conversations you were hoping to have with your peers never happen.
We’ve created the DevSecOps Leadership Series to counterbalance that feeling - and provide a safe, open space for real conversation to happen. We host three kinds of curated gatherings: forums, roundtable dinners, and summits. Each event is structured to facilitate discussion between small groups of professionals united by industry, regulatory oversight, and/or geography. Participants are at different stages of their DevSecOps implementation journey, providing a relaxed learning and networking environment where peers can share stories, strategies, and insights.
Central to all of the conversations are supply chain automation and why open source governance is critical to organizations. The mix of people provides a unique look into the ongoing evolution of modern software development, and a glimpse of what’s coming next.
For example, last week we kicked off the North American leg of the DevSecOps Leadership Roundtables in Charlotte, North Carolina, with leaders from Duke Energy, and our CEO Wayne Jackson. There, they discussed how open source security practices further innovation and yield competitive differentiation.
In Madrid, Spain, discussions at our DevSecOps Leadership Forum focused on accelerating software production and aligning security initiatives, with speakers including David Jones (Credit Suisse), Enrique Cervantes Mora (Repsol), and Juan Jose Torres Garcia (KPMG).
Earlier this week in England, the conversation focused on matching security needs with the increased speed that DevOps provides, building software in regulated environments, and one of the most important topics of the year: securing cloud environments.
A rockstar line-up of speakers, which included Aubrey Stearn (Nationwide Building Society), Dermot Dwyer (The Co-Operative Bank), Paul Horton (Clydesdale Bank), and Ryan Sheldrake (Sonatype), started discussions with real anecdotes and insight into their own journeys.
As Paul Horton posed to the room “How do we know if we have been affected by a vulnerability? Too often, organizations have difficulty answering that question. In the financial sector they often ignore the security within their applications.”
Consensus was that organizations need to figure out how to answer these key issues, and fast.
Yesterday’s event in Chicago featured Fortune 2000 leaders and senior IT decision makers, such as Rich Hui (Discover), Matt Howard (Sonatype), Nic Roth (Vivid Seats) and Giri Rao (Discover).
The most engaging discussions followed the declaration “No one’s pipeline is perfect.” This brought on tales of successful and unsuccessful DevSecOps implementation efforts. Several participants shared how they addressed them.
Said one participant, “Modern software development pipelines are powered by a digital supply chain fed by a massive supply of third party code and open source libraries. We depend on Sonatype Nexus to help us harness all of the good that open source has to offer without any of the risk.”
Another vigorous discussion came when Nick Roth of Vivid Seats acknowledged the cultural resistance to DevSecOps, either in management or developer circles. “There will always be developer friction; it’s just a matter of how much,” he said, adding “Ours is down to 5%.” Nick’s tracking methodology spearheaded a discussion of tactics to measure DevSecOps outcomes and bottom-line effectiveness.
The week of fascinating conversations ended in Toronto, with a roundtable fit for King Arthur.
Discussions led by Iqbal Umair (RBC Royal Bank), Peter Meaney (CaseWare), Linda Mackiewicz (CaseWare), and Matt Howard (Sonatype) centered on the challenges and rewards of digital transformation — and the challenges and rewards of utilizing open source to develop innovative software applications.
One key moment of the event, however, was when the topic of dependency management came up - something we’ve been doing a lot of research on.
Everyone agreed that automated pull requests would help scale dependency management, but that not every new dependency is worthy of an update. So, there is a need for better data that can actually tell you when you should update a dependency. That’s the only way you’ll be able to trust automating this process.
At Sonatype, we fully understand the extent of this issue. Dependency management isn’t easy, but finding a way to automate it is becoming critical to software development. That is why we’re focused on next-generation research aimed at understanding the relative health, hygiene, and integrity of new versions of dependencies every time they are published.
It’s hard to sum up all of the conversations we had this past week, but we’re invigorated by the discussions within the DevSecOps Leadership Series. Additional events are planned throughout October in New York City, Richmond, Virginia, San Francisco, and Munich, Germany.