Upcoming TISQA Meetings
3/23/17 Larry Maccherone – Cyber Security
4/27/17 Bob Galen – Stop Leading from the Front
5/25/17 Fish Bowl
6/22/17 Taylor Roberts – Job Hunting
“From DevOps to DevSecOps: An application security framework for a Lean/Agile/DevOps environment”
The bad guys don’t break in through the highly secure bank vault door; they attack the crumbly bricks and mortar of the vault walls. The same is true for application security. The vast majority of incidents don’t target security features like encryption, authentication, and authorization… the bank vault door. Rather, they target vulnerabilities in the “boring”, non-security parts of the code… the crumbly bricks and mortar of the vault walls.
The security function is still largely throw-it-over-the-wall at many organizations, but things are changing. There is growing awareness that you cannot prevent the vast majority of incidents with a bolt-on approach to security. You have to produce applications that are free of such vulnerabilities as they are being developed. In other words, you have to BUILD SECURITY IN.
Just like DevOps is a cultural transformation, to BUILD SECURITY IN we need a mindset shift and cultural change. We need DevSecOps.
This talk starts by introducing a DevSecOps manifesto and then a process model for achieving a “BUILD SECURITY IN” DevSecOps culture. The framework is designed to sit on top of any SDLC but it is particularly suited to Lean/Agile environments and even more so to a DevOps environment or in conjunction with an ongoing DevOps transformation.
- The values identified in a DevSecOps manifesto
- The key disciplines of security practice most relevant to development teams
- A maturity scale for these disciplines that you can leverage to incrementally up your application security game
- The key measures that will provide feedback for a data-driven and gamification approach to cultural change
- Common objections from large-organization inertia/ossification and how to overcome them
- How to BUILD SECURITY IN rather than bolt it on
Larry Maccherone is an industry-recognized thought leader on agile, metrics, and cybersecurity. He currently helps a number of companies including Comcast, AgileCraft, and Agility Health. Previously, Larry led the insights product line at Rally Software which enabled better decisions with data, leveraged big data techniques to conduct ground-breaking research, and offered the first-ever agile performance benchmarking capability. Before Rally, Larry worked at Carnegie Mellon with the Software Engineering Institute (SEI) and CyLab for seven years conducting research on cybersecurity and software engineering.
Contact Larry on his LinkedIn page: https://www.linkedin.com/in/larrymaccherone
Welcome! The Triangle Information Systems Quality Association – TISQA – is a network of software professionals in the Raleigh-Durham/Research Triangle area dedicated to the development of quality systems. Our mission is to create an open forum in which to share Software QA/Testing best practices and jointly address issues facing Software Quality Assurance professionals. We are affiliated with QAI Global Institute, a worldwide software quality organization. In addition to providing educational and QAI certification opportunities to our members, we hold meetings on the 3rd Thursday of the month to discuss relevant topics in QA and testing.
Contact us for additional information.