Last week, we hosted our second virtual DevSecOps Leadership Series, focusing on DevSecOps in a High Tech World. With over 300 attendees, the afternoon featured an opening keynote from FISERV followed by two panel discussions with leaders from Sirius XM, NBC Universal, OneTrust, Estée Lauder, PointClickCare, and Micro Focus, all moderated by Michelle Dufty, SVP of Marketing here at Sonatype. Throughout the event, these leaders shared their experiences in DevSecOps and how they were specifically able to add value to their organizations through its adoption.
This panel featured Ramesh Regulapati, Director, Telematics and DevOps, Sirius XM, Michael Warthen, Director, Software Development, NBC Universal, and Steve Finch, Head of Architecture and Cloud Ops, OneTrust.
Michelle began by asking the panelists, "What's the state of your DevSecOps practice and how do your organizations manage vulnerabilities?" Ramesh, a more recent DevSecOps adopter, mentioned that his team had been previously working through vulnerabilities manually. However, they recognized they could not scale through manual efforts and needed to implement automation and shift security left.
For Michael at NBCUniversal, it was also about looking for opportunities to shift left in the software development life cycle (SDLC). He believes that while many bad actors exist, there are more good actors, and those developers need to feel empowered by the tools they use and the DevSecOps processes adopted. Ultimately, they've found that shifting security left and adjusting specific policies has allowed developers to release builds cheaper and faster without time-consuming rebuilds.
At OneTrust, Steve Finch explained that, "process without control is like a speed limit without a policeman" in that no one follows it without a consequence. He agreed that developers want to do the right thing but they get frustrated if they are slowed down and look for ways to get their jobs done faster. As a result, OneTrust needed to find tools that allow developers to go fast without compromising security.
One of the big takeaways from this panel was the importance of communication with your teams and allowing them to be part of the process when choosing a tool. Be open to feedback from developers. Miscommunication can be one of the biggest blunders when it comes to implementing new tools and processes, so continual communication and collaboration are critical for employees to accept changes. Specifically for development teams, leading with productivity is important to gain support for new tools. Additionally, the panelists agreed that it's important to celebrate wins across the company, elevate your team, and create a culture of learning about emerging technologies.
This panel featured Les Correia, Director, Enterprise Cybersecurity & Risk, Estée Lauder, Tim Tomlinson, VP/CISO, PointClickCare, and Martin Knobloch, Global AppSec Strategist, Micro Focus.
Our next panel provided more insight into the needs from Application Security teams. Michelle asked the panelists, "Where are you on your DevSecOps journey to date?" Les from Estée Lauder responded that DevSecOps is top of mind given his development background and he realizes that processes, toolsets, and culture are important qualities to look at from a security perspective. Les also stated "It's critical to identify internal security champions and develop those champions." Next, Tim from PointClickCare, explained, "I inherited a robust app sec practice with some tooling but that tooling needed upgrades and to be refreshed." From Martin's perspective at a software company, his goal was to improve Micro Focus Fortify's products to help customers become more secure.
The next question Michelle asked was "How are the panelists dealing with the changing landscape of software supply chain attacks injecting malicious code into the open source projects directly? And how do they discuss these vulnerabilities with developers?" Les responded that at his organization they have tools in place, such as the Sonatype Platform, to help mitigate these risks. For zero-day vulnerabilities, he needs to be able to generate a software bill of materials (SBOM) so he knows which components are used in each application.
Tim answered Michelle's question with three key elements: "Vigilance, commitment, and why - explaining to developers why it's important to consider these threats while building code." Specifically for PointClickCare, which helps provide home healthcare solutions, it's critical for developers to understand the risks as they manage private data. Tim coined the slogan, "Protect your Granny's data" at his organization so his teams can fully internalize the importance of what they do. Tim also supports the use of automated tools to simplify the process.
Martin added that dependency management is an important concept for organizations to understand and it needs to be automated. From his perspective, "Organizations need to first implement guardrails then collect data to slowly get people working together in an agile environment under a unified goal."
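The SBOM use case Les described and the automated dependency management Martin called for come together in a simple query: given one SBOM per application and a new advisory, which applications ship an affected version? The following example is added here to illustrate that check; it is not code from Sonatype or any of the panelists' organizations. The SBOMs are constructed CycloneDX 1.4 JSON documents with placeholder package names, and the advisory id and version range are constructed placeholders, not a real vulnerability.

```python
import json

# Constructed CycloneDX 1.4 SBOMs, one per application (placeholder package names).
SBOMS = [json.dumps(b) for b in (
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "web-portal", "version": "3.2.0"}},
     "components": [
         {"type": "library", "group": "org.example", "name": "http-client", "version": "1.3.0"},
         {"type": "library", "group": "org.example", "name": "json-mapper", "version": "2.0.1"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "billing-api", "version": "1.8.4"}},
     "components": [
         {"type": "library", "group": "org.example", "name": "http-client", "version": "1.4.2"}]},
)]

# Constructed advisory (placeholder id): versions in [introduced, fixed) are affected.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "component": "org.example/http-client",
            "introduced": "1.0.0", "fixed": "1.4.2"}


def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so versions order numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def load_components(sbom_json):
    """Return (application name, {'group/name': version}) from a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    app = bom["metadata"]["component"]["name"]
    comps = {}
    for c in bom.get("components", []):
        key = f"{c.get('group', '')}/{c['name']}".strip("/")
        comps[key] = c["version"]
    return app, comps


def affected_apps(sboms, advisory):
    """List (app, installed version) for every application whose SBOM contains the
    advisory's component at a version inside the affected range."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    hits = []
    for sbom_json in sboms:
        app, comps = load_components(sbom_json)
        v = comps.get(advisory["component"])
        if v is not None and lo <= parse_version(v) < hi:
            hits.append((app, v))
    return hits


if __name__ == "__main__":
    for app, v in affected_apps(SBOMS, ADVISORY):
        print(f"{ADVISORY['id']}: {app} ships {ADVISORY['component']}@{v}")
```

The same query run on SBOMs stored per release gives the answer for what is deployed, not just what is on the main branch.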
I've learned a lot from all of the DevSecOps Leadership Series events we've held at Sonatype, but hearing about so many diverse approaches to DevSecOps made this one especially insightful. Hearing our customers speak about both successes and failures throughout their DevSecOps transformations provides a realistic view of how these journeys can ebb and flow, and often face internal resistance.
With so much great information being shared, we asked a graphic designer to help us visualize all the great stories we heard. The resulting poster was quite profound:
Even with so many different DevSecOps paths, there is one thing that all of our speakers agreed on - shifting security left will ultimately increase DevSecOps productivity, improve risk management outcomes, and drive innovation.
If you weren't able to join us live, you can watch all of the sessions on demand and learn more about the Top 5 Vulnerabilities found in Technology Companies here. Also, please join us at one of our upcoming events.