16 - 17 April 2024 | Alte Kaserne Winterthur
Dev[Sec]Ops Transformation Architect @ Contrast Security
Larry Maccherone is a thought leader on DevSecOps, Agile, and Analytics.
At Comcast, Larry launched and scaled the DevSecOps Transformation program over five years. In his DevSecOps Transformation role at Contrast, he’s now looking to apply what he learned to guide organizations with a framework for safely empowering development teams to take ownership of the security of their products.
Larry was a founding Director at Carnegie Mellon’s CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA’s Code Assessment Methodology Project which wrote the book on how to evaluate application security tools, and received the Department of Energy’s Los Alamos National Labs Fellow award.
Larry firmly believes in learning by doing so in his spare time, he is the author of a dozen or so open source projects one of which gets a million downloads per month.
Transformation Blueprint for Developer-Centric Application Security
Room “Malen” / 1st floor
The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products and involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices. The cloud-native and DevOps movements similarly disrupted traditional IT Ops.
Now it’s security’s turn, but here’s the rub.
NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in the list are unprioritized, target security specialists, and fail to specify adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.
You will come out of this workshop with a Transformation Blueprint for accomplishing the cultural shift to developer-centric application security at your organization. The approach is derived from the program that Larry has used to accomplish this shift for over 600 development teams. Since Larry is a developer, writing code every day, his program is perfectly suited to the way development teams really want to work, rather than how security folks assume they work.
Prerequisites for this workshop: