The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products. The cloud-native and DevOps movements similarly disrupted traditional IT Ops. These were not mere shifts to the left, they all involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices.
Now it’s security’s turn, but here’s the rub.
NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in the list are unprioritized, target security specialists, and fail to specify adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.
This talk delivers a Transformation Blueprint for accomplishing the cultural shift to developer-first security. The talk also includes a brief demo of an open source tool I’m releasing at SecTor that you can use to facilitate your adoption of the program and tracking your progress towards achieving it. I built a similar tool that was instrumental to scaling the Dev(Sec)Ops program at Comcast to 10,000 developers.