SlideShare a Scribd company logo

Shift Left Security: Development Does Not Want to Own It.

A
Aggregage

The document discusses the challenges of implementing 'shift left' security, highlighting resistance from development teams who do not want to take ownership of security responsibilities. It features insights from industry experts Shlomo Bielak and George Davis, focusing on the need for collaboration and continuous integration of security into development processes. The webinar emphasizes optimizing security across various environments to enhance governance, risk, and compliance while maintaining operational effectiveness.

Software
Related topics:
CI/CDInsights on Software Development Data Security
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Shift Left Security? Development Does Not Want to Own It. Shlomo Bielak George Davis With: With: TO USE YOUR COMPUTER'S AUDIO: When the webinar begins, you will be connected to audio using your computer's microphone and speakers (VoIP). A headset is recommended. Webinar will begin: 11:00 am, PST TO USE YOUR TELEPHONE: If you prefer to use your phone, you must select "Use Telephone" after joining the webinar and call in using the numbers below. United States: +1 (213) 929-4212 Access Code: 255-485-743 Audio PIN: Shown after joining the webinar --OR--
2 For over 30 years, Trend Micro’s unwavering vision has been to make the world safe for exchanging digital information. Security is our entire focus, and it shows. This single-minded passion has inspired our innovations that keep up with the bad guys despite a changing IT landscape, riskier user behavior, and constantly evolving threats. The depth of our experience remains unmatched. From the endpoint to the network to the cloud, we’ve got you covered with a connected threat defense recognized by analysts, customers, and industry gurus of all kinds. Our seamless protection for your mission-critical environments doesn’t just happen. We have developed deep relationships and partnered with industry leaders that you can trust. Our security is optimized for leading environments, platforms, and applications that are needed to maximize protection and performance.
3 Click on the Questions panel to interact with the presenters https://www.informationmanagementtoday.com/frs/14625244/shift-left-security-- development-does-not-want-to-own-it-
4 About Shlomo Bielak Shlomo, Benchmark Corp’s CTO is building expertise to shift global markets in understanding how to make a transformational initiative scale without heroics. His experience and thought leadership coupled with his talented engineering effectiveness department are creating never-before-seen solutions for Multi-Cloud, DevOps, DevSecOps, and enabling continuous deployment to production for the enterprise. A rich and responsive customer experience. About George Davis George is a DevOps and Cloud expert at Trend Micro. He works closely with Trend Micro’s customers and partners to build layers of security into every step of their CI/CD pipeline. His experience working in Dev, Test, Ops and Security helps customers to connect the dots, deliver continuously, and iterate often while maintaining a healthy security posture. He primarily focuses on Cloud One - Trend Micro's Security Services platform for the Cloud, securing application runtime, container/server/serverless workloads and overall, better management of governance, risk and compliance in the Cloud.
Applying Shift Left Go Tri-Centric George Davis – Trend Shlomo Bielak – Benchmark Corp Benchmark Confidential
THIS IS COMPLEX & FAILS BUY ANOTHER COMPANY - HARDER THIS IS FUN Dev-Centric Works! ENTERPRISE Sell ‘X’ to customers STARTUP Sell ‘X’ to customers DELIVER CODE FAST – CHANGE NPS Brand SLA Regulatory / Security Code drop Code drop Code drop Code drop DELIVER CODE FAST – CHANGE Realities of Shift-Left POC POV LAB SUSTAIN & SCALE
7 DESIRE: Commit Code CORE COMPETENCY: Coding DESIRE: Confident Steward of Prod CORE COMPETENCY: Operational Excellence DESIRE: Risk Managed CORE COMPETENCY: Governance Developer / DevOps SRE / OPS Security Expert Enterprise Personas - Today’s Approach?
8 THIS REQUIRES SOLDIERS OF FORTUNE THE INTERACTION MODEL IS THREATENING THE INTERACTION MODEL IS POOR Making Dev Own Security/Ops Requirements Operations Does Not Feel Valued Security Is Seen As Slowing Down Dev Dev-Centric Shift left RESPONSIBILITY ACCOUNTABILITY ACCOUNTABILITY
Security Is More Than Code REVIEWING COMMON IT SECURITY FRAMEWORKS ISO NIST FEDRAMP FISMA PCI CIS Completed with Code √ Requires Education √ Requires Audit Process Focus Incident Focused √ √ √ √ √ √ √ √ √ √ √ √ SDLC Component √ √ √ √√ √ √
GOVERNANCE ENGINEERING MEASURE CX RESPONSIVENESS MODEL
GOVERNANCE ENGINEERING MEASURE CX RESPONSIVENESS MODEL DeploymentPipeline If(is_array($v[?])) IN PRACTICE Orchestration Pipeline – CI/CD Governance Standards – Checking Tags and Values = KPI per service Dev Workflow QA Workflow Staging Workflow Prod Workflow Task Task Task Task Task Task Task Task Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value LAYERS OF PIPELINE GOVERNANCE STANDARDS Regulatory (i.e. PCI) Criticality or Service Tier (i.e. Platinum) Quality (i.e. Code) Stage (i.e. Development) Target (i.e. Cloud Provider) OUTPUT KPIs – Compliance % per service Auditability Customer Loyalty / Brand Quality / Cost Savings Human Toll (i.e. Fire fighting hours) Talent pool development
Security In Practice Pipeline Tasks LAYERS OF PIPELINE TASKS Measure – Integration Pipeline Standards – Identify Tech Debt Over time – Maturity & Standards Improve Measure - Output Unique Per Stage Gate or Threshold or Track Continuous Improvement of Standards 1 2 Evaluate - Release to Release Delta Values – Not starting value Better Worse
13 THIS REQUIRES COLLABORATION THE INTERACTION MODEL IS INVOLVEMENT THE INTERACTION MODEL IS RESPONSIVE MAKING DEV OWN CODE AGAIN OPERATIONS HANDLES DIFFICULT PRESSURES - REDUCE WITH CODING SECURITY BRINGS THEIR BALLIWICK – MEASURE CONFORMANCE AND FITNESS Tri-Centric Shift Left – Governance Engineering Operating Model
14 Q&A George Davis With: With: CTO, Benchmark Corp. Linkedin: in/ciscoconsultant Website: benchmarkcorp.com Shlomo Bielak Sales Engineer, Trend Micro Linkedin page: /in/georgedavisc/ Website: https://gdcrocx.github.io/ https://www.informationmanagementtoday.com/frs/14625244/shift-left-security--development-does-not-want- to-own-it-
Thank you!

More Related Content

PPTX
What the DevOps - What is it, how did it come here, what does it feel like?
Towo Toivola
 
DOCX
SusanGerhartResume
Susan Gerhart
 
PPTX
Secure development of code
SalomeVictor
 
PPTX
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
PDF
5 principles-securing-devops-veracode-whitepaper
wardell henley
 
PPTX
Dev secops indonesia-devsecops as a service-Amien Harisen
Nadira Bajrei
 
DOCX
SaiBhaskar-Resume
Saibhaskar Yenumula
 
PDF
Danfoss Shields Its Third Party Applications From Security Threats with patch...
Flexera
 
What the DevOps - What is it, how did it come here, what does it feel like?
Towo Toivola
 
SusanGerhartResume
Susan Gerhart
 
Secure development of code
SalomeVictor
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
5 principles-securing-devops-veracode-whitepaper
wardell henley
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Nadira Bajrei
 
SaiBhaskar-Resume
Saibhaskar Yenumula
 
Danfoss Shields Its Third Party Applications From Security Threats with patch...
Flexera
 

What's hot (20)

PDF
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
PDF
Devops certification training course
NamnaChheda1
 
PDF
Devops certification training course
NamnaChheda1
 
PPTX
Setting up a secure development life cycle with OWASP - seba deleersnyder
Sebastien Deleersnyder
 
PDF
Head in the Clouds? Let’s get serious about how to benefit from Cloud platfor...
Digital Transformation EXPO Event Series
 
PDF
2017-07-12 GovLoop: New Era of Digital Security
Shawn Wells
 
PPTX
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
PPTX
Check point sandblast threat-emulation-customer-success-presentation
Nattira Panbun
 
PDF
Preforce Slideshare Proof
Eric Hollinshead
 
PDF
Use our OWASP Threat Modeling Playbook to Improve your Product Security
Sebastien Deleersnyder
 
PDF
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
SlideTeam
 
PDF
Lessons from a recovering runtime application self protection addict
Priyanka Aash
 
PDF
Security is our duty and we shall deliver it - White Paper
Mohd Anwar Jamal Faiz
 
PDF
TOP GOOGLE CHROME EXTENSIONS FOR ONLINE MARKETERS IN 2021
Sprintzeal
 
DOCX
Ritam Bose_Webspheresupport_unix
RItam Bose
 
PDF
A Successful SAST Tool Implementation
Checkmarx
 
PDF
Webinar–Building A Culture of Secure Programming in Your Organization
Synopsys Software Integrity Group
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
PDF
HOW TO BECOME A RELEASE MANAGER IN 2021
Sprintzeal
 
PPTX
Industry 4.0 and security
Denis Jakuzza
 
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Devops certification training course
NamnaChheda1
 
Devops certification training course
NamnaChheda1
 
Setting up a secure development life cycle with OWASP - seba deleersnyder
Sebastien Deleersnyder
 
Head in the Clouds? Let’s get serious about how to benefit from Cloud platfor...
Digital Transformation EXPO Event Series
 
2017-07-12 GovLoop: New Era of Digital Security
Shawn Wells
 
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
Check point sandblast threat-emulation-customer-success-presentation
Nattira Panbun
 
Preforce Slideshare Proof
Eric Hollinshead
 
Use our OWASP Threat Modeling Playbook to Improve your Product Security
Sebastien Deleersnyder
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
SlideTeam
 
Lessons from a recovering runtime application self protection addict
Priyanka Aash
 
Security is our duty and we shall deliver it - White Paper
Mohd Anwar Jamal Faiz
 
TOP GOOGLE CHROME EXTENSIONS FOR ONLINE MARKETERS IN 2021
Sprintzeal
 
Ritam Bose_Webspheresupport_unix
RItam Bose
 
A Successful SAST Tool Implementation
Checkmarx
 
Webinar–Building A Culture of Secure Programming in Your Organization
Synopsys Software Integrity Group
 
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
HOW TO BECOME A RELEASE MANAGER IN 2021
Sprintzeal
 
Industry 4.0 and security
Denis Jakuzza
 
Ad

Similar to Shift Left Security: Development Does Not Want to Own It. (20)

PPTX
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
PDF
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
PDF
The Challenge of Integrating Security Solutions with CI.pdf
Savinder Puri
 
PDF
Modern Security Operations - Building and leading modern SOC
Security Bootcamp
 
PDF
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
DOCX
Ambesh
Ambesh Sharma
 
PDF
Scaling AppSec through Education
Grant Ongers
 
DOC
Resume
Suboor Ali(suboorali@rediffmail.com)
 
PDF
Building Elastic into security operations
Elasticsearch
 
PDF
Stu r35 a
SelectedPresentations
 
PDF
Operational security engineer architect
Mark Long
 
PPTX
Scalar Security Roadshow - Vancouver Presentation
Scalar Decisions
 
PPTX
Scalar Security Roadshow - Calgary Presentation
Scalar Decisions
 
PDF
thei-cybersecurity-thiene-company-profile-eng.pdf
Iwan Setiawan
 
PPTX
The Teams Behind DevSecOps
Uleska
 
PDF
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
 
PDF
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
PDF
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
PPTX
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
The Challenge of Integrating Security Solutions with CI.pdf
Savinder Puri
 
Modern Security Operations - Building and leading modern SOC
Security Bootcamp
 
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
Ambesh
Ambesh Sharma
 
Scaling AppSec through Education
Grant Ongers
 
Resume
Suboor Ali(suboorali@rediffmail.com)
 
Building Elastic into security operations
Elasticsearch
 
Stu r35 a
SelectedPresentations
 
Operational security engineer architect
Mark Long
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Decisions
 
Scalar Security Roadshow - Calgary Presentation
Scalar Decisions
 
thei-cybersecurity-thiene-company-profile-eng.pdf
Iwan Setiawan
 
The Teams Behind DevSecOps
Uleska
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
 
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
Ad

More from Aggregage (20)

PDF
Staying Ahead of UFLPA Enforcement: Best Practices for Retail Supply Chains
Aggregage
 
PDF
Making the Moment: The Art of Creating Events That Drive Results
Aggregage
 
PDF
Maximizing Profit And Productivity: The New Era Of AI-Powered Accounting
Aggregage
 
PPTX
From Rigid To Resilient: Why Enterprises Need Modular Commerce Now
Aggregage
 
PDF
How to Achieve High-Accuracy Results When Using LLMs
Aggregage
 
PDF
AI for Paralegals: Everything You Need to Know (and How to Use It Safely)
Aggregage
 
PPTX
Beyond the Blast: How to Pitch with Purpose and Build Lasting Media Relations...
Aggregage
 
PDF
Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape
Aggregage
 
PDF
Cash Flow Secrets Every Upskilled CPA Should Know
Aggregage
 
PDF
The Great Disruption: Leveraging AI To Better Your Benefits Strategy
Aggregage
 
PDF
AI in Marketing & Sales: Today’s Tools, Tomorrow’s Potential
Aggregage
 
PDF
Navigating Payroll Compliance: Future-Proofing Payroll in an Evolving Regulat...
Aggregage
 
PDF
AP Automation: The Competitive Advantage Your Business Needs
Aggregage
 
PPTX
Campaigns that Click: Practical Personalization Strategies to Boost ROI
Aggregage
 
PDF
The Constructor's Digital Transformation Playbook: Reducing Risk With Technology
Aggregage
 
PDF
The Future Of Finance: How To Manage Spend The Right Way
Aggregage
 
PDF
The Evolving Retailers Fulfillment Strategy: Meeting Demands with Agility
Aggregage
 
PDF
The New Way CPAs are Delivering Value: Aligning Automation with Client Success
Aggregage
 
PDF
The 2nd Generation of Innovation Management: A Survival Guide
Aggregage
 
PPTX
Case Closed: How to Optimize Your Legal Intake Process for Efficiency
Aggregage
 
Staying Ahead of UFLPA Enforcement: Best Practices for Retail Supply Chains
Aggregage
 
Making the Moment: The Art of Creating Events That Drive Results
Aggregage
 
Maximizing Profit And Productivity: The New Era Of AI-Powered Accounting
Aggregage
 
From Rigid To Resilient: Why Enterprises Need Modular Commerce Now
Aggregage
 
How to Achieve High-Accuracy Results When Using LLMs
Aggregage
 
AI for Paralegals: Everything You Need to Know (and How to Use It Safely)
Aggregage
 
Beyond the Blast: How to Pitch with Purpose and Build Lasting Media Relations...
Aggregage
 
Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape
Aggregage
 
Cash Flow Secrets Every Upskilled CPA Should Know
Aggregage
 
The Great Disruption: Leveraging AI To Better Your Benefits Strategy
Aggregage
 
AI in Marketing & Sales: Today’s Tools, Tomorrow’s Potential
Aggregage
 
Navigating Payroll Compliance: Future-Proofing Payroll in an Evolving Regulat...
Aggregage
 
AP Automation: The Competitive Advantage Your Business Needs
Aggregage
 
Campaigns that Click: Practical Personalization Strategies to Boost ROI
Aggregage
 
The Constructor's Digital Transformation Playbook: Reducing Risk With Technology
Aggregage
 
The Future Of Finance: How To Manage Spend The Right Way
Aggregage
 
The Evolving Retailers Fulfillment Strategy: Meeting Demands with Agility
Aggregage
 
The New Way CPAs are Delivering Value: Aligning Automation with Client Success
Aggregage
 
The 2nd Generation of Innovation Management: A Survival Guide
Aggregage
 
Case Closed: How to Optimize Your Legal Intake Process for Efficiency
Aggregage
 

Recently uploaded (20)

PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 

Shift Left Security: Development Does Not Want to Own It.

  • 1. Shift Left Security? Development Does Not Want to Own It. Shlomo Bielak George Davis With: With: TO USE YOUR COMPUTER'S AUDIO: When the webinar begins, you will be connected to audio using your computer's microphone and speakers (VoIP). A headset is recommended. Webinar will begin: 11:00 am, PST TO USE YOUR TELEPHONE: If you prefer to use your phone, you must select "Use Telephone" after joining the webinar and call in using the numbers below. United States: +1 (213) 929-4212 Access Code: 255-485-743 Audio PIN: Shown after joining the webinar --OR--
  • 2. 2 For over 30 years, Trend Micro’s unwavering vision has been to make the world safe for exchanging digital information. Security is our entire focus, and it shows. This single-minded passion has inspired our innovations that keep up with the bad guys despite a changing IT landscape, riskier user behavior, and constantly evolving threats. The depth of our experience remains unmatched. From the endpoint to the network to the cloud, we’ve got you covered with a connected threat defense recognized by analysts, customers, and industry gurus of all kinds. Our seamless protection for your mission-critical environments doesn’t just happen. We have developed deep relationships and partnered with industry leaders that you can trust. Our security is optimized for leading environments, platforms, and applications that are needed to maximize protection and performance.
  • 3. 3 Click on the Questions panel to interact with the presenters https://www.informationmanagementtoday.com/frs/14625244/shift-left-security-- development-does-not-want-to-own-it-
  • 4. 4 About Shlomo Bielak Shlomo, Benchmark Corp’s CTO is building expertise to shift global markets in understanding how to make a transformational initiative scale without heroics. His experience and thought leadership coupled with his talented engineering effectiveness department are creating never-before-seen solutions for Multi-Cloud, DevOps, DevSecOps, and enabling continuous deployment to production for the enterprise. A rich and responsive customer experience. About George Davis George is a DevOps and Cloud expert at Trend Micro. He works closely with Trend Micro’s customers and partners to build layers of security into every step of their CI/CD pipeline. His experience working in Dev, Test, Ops and Security helps customers to connect the dots, deliver continuously, and iterate often while maintaining a healthy security posture. He primarily focuses on Cloud One - Trend Micro's Security Services platform for the Cloud, securing application runtime, container/server/serverless workloads and overall, better management of governance, risk and compliance in the Cloud.
  • 5. Applying Shift Left Go Tri-Centric George Davis – Trend Shlomo Bielak – Benchmark Corp Benchmark Confidential
  • 6. THIS IS COMPLEX & FAILS BUY ANOTHER COMPANY - HARDER THIS IS FUN Dev-Centric Works! ENTERPRISE Sell ‘X’ to customers STARTUP Sell ‘X’ to customers DELIVER CODE FAST – CHANGE NPS Brand SLA Regulatory / Security Code drop Code drop Code drop Code drop DELIVER CODE FAST – CHANGE Realities of Shift-Left POC POV LAB SUSTAIN & SCALE
  • 7. 7 DESIRE: Commit Code CORE COMPETENCY: Coding DESIRE: Confident Steward of Prod CORE COMPETENCY: Operational Excellence DESIRE: Risk Managed CORE COMPETENCY: Governance Developer / DevOps SRE / OPS Security Expert Enterprise Personas - Today’s Approach?
  • 8. 8 THIS REQUIRES SOLDIERS OF FORTUNE THE INTERACTION MODEL IS THREATENING THE INTERACTION MODEL IS POOR Making Dev Own Security/Ops Requirements Operations Does Not Feel Valued Security Is Seen As Slowing Down Dev Dev-Centric Shift left RESPONSIBILITY ACCOUNTABILITY ACCOUNTABILITY
  • 9. Security Is More Than Code REVIEWING COMMON IT SECURITY FRAMEWORKS ISO NIST FEDRAMP FISMA PCI CIS Completed with Code √ Requires Education √ Requires Audit Process Focus Incident Focused √ √ √ √ √ √ √ √ √ √ √ √ SDLC Component √ √ √ √√ √ √
  • 11. GOVERNANCE ENGINEERING MEASURE CX RESPONSIVENESS MODEL DeploymentPipeline If(is_array($v[?])) IN PRACTICE Orchestration Pipeline – CI/CD Governance Standards – Checking Tags and Values = KPI per service Dev Workflow QA Workflow Staging Workflow Prod Workflow Task Task Task Task Task Task Task Task Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value Tag/ Value LAYERS OF PIPELINE GOVERNANCE STANDARDS Regulatory (i.e. PCI) Criticality or Service Tier (i.e. Platinum) Quality (i.e. Code) Stage (i.e. Development) Target (i.e. Cloud Provider) OUTPUT KPIs – Compliance % per service Auditability Customer Loyalty / Brand Quality / Cost Savings Human Toll (i.e. Fire fighting hours) Talent pool development
  • 12. Security In Practice Pipeline Tasks LAYERS OF PIPELINE TASKS Measure – Integration Pipeline Standards – Identify Tech Debt Over time – Maturity & Standards Improve Measure - Output Unique Per Stage Gate or Threshold or Track Continuous Improvement of Standards 1 2 Evaluate - Release to Release Delta Values – Not starting value Better Worse
  • 13. 13 THIS REQUIRES COLLABORATION THE INTERACTION MODEL IS INVOLVEMENT THE INTERACTION MODEL IS RESPONSIVE MAKING DEV OWN CODE AGAIN OPERATIONS HANDLES DIFFICULT PRESSURES - REDUCE WITH CODING SECURITY BRINGS THEIR BALLIWICK – MEASURE CONFORMANCE AND FITNESS Tri-Centric Shift Left – Governance Engineering Operating Model
  • 14. 14 Q&A George Davis With: With: CTO, Benchmark Corp. Linkedin: in/ciscoconsultant Website: benchmarkcorp.com Shlomo Bielak Sales Engineer, Trend Micro Linkedin page: /in/georgedavisc/ Website: https://gdcrocx.github.io/ https://www.informationmanagementtoday.com/frs/14625244/shift-left-security--development-does-not-want- to-own-it-