DevOps and security: Lessons learned from Detroit to Deming

Presented at BSides Austin 2017, May 5, 2017, 10:30 a.m. (60 minutes)

In 1982, the city of Detroit saw 15,000 vehicles roll off its production lines every day. To achieve this goal, Detroit's line workers were being measured on velocity, often at the expense of quality. At the same time, auto workers in Japan -- applying lessons from W. Edwards Deming -- were implementing new supply chain management practices which enabled them to manufacture higher quality, safer vehicles, for less cost and at higher velocity. As a result, from 1962 to 1982, the Detroit auto industry lost 20% of its domestic market to Japan. The parallels between the auto industry of 35 years ago and secure software development practices in place today are remarkable. DevOps teams around the world are consuming billions of open source components and containerized applications to improve productivity at a massive scale. The good news: they are accelerating time to market. The bad news: many of the components and containers they are using are fraught with defects, including critical security vulnerabilities. This session aims to enlighten InfoSec and AppSec professionals by sharing results from the 2017 State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. The presentation will also reveal findings from the 2017 DevSecOps Community survey, in which over 2,200 professionals shared their experiences blending automated security and DevOps practices together. Throughout the discussion, I will share lessons that Deming employed decades ago to help us accelerate adoption of the right DevSecOps culture, practices, and measures today.
Attendees in this session will learn:

  • What our analysis of 25,000 applications reveals about the quality and security of software built with open source components
  • How organizations like PayPal, Intuit, Fannie Mae and the Department of Defense are utilizing the DevOps principles of software supply chain automation
  • Why avoiding open source components and containers over 3 years old might be a really good idea
  • How to balance the need for speed with quality and security -- early in the development lifecycle

Attend this session and leverage the insights to understand how your organization's application security and development practices compare to others. We'll share the industry benchmarks to take back and discuss with your InfoSec, AppSec, and development teams.

Presenters:

  • Derek Weeks - Vice President - Sonatype
    Derek E. Weeks, Vice President, Sonatype. Derek is a huge advocate of applying proven supply chain management principles to DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of All Day DevOps, an online community of 40,000 IT professionals, and the lead researcher behind the annual State of the Software Supply Chain report for the DevOps industry. In 2018, Derek was recognized by DevOps.com as the "Best DevOps Evangelist" for his work in the community.
