Larry Maccherone, DevSecOps Transformation, Comcast
What if I could tell you the three application security practices whose adoption would most lower risk? What if I could also quantify the impact that each practice would have on your outcomes? Imagine being able to focus your entire organization (and your limited budget) on these three things rather than having your efforts spread across dozens of practices. Imagine how different the conversation with engineering teams and budget approvers would be if you could present research showing just how important these three things are compared to the other things you could invest in.
This talk presents research that quantifies the impact that various DevSecOps software security practices have on security risk outcomes. We have data from 200 different teams in the technologically and process-diverse environments inside Comcast. We have tracked this data over time as teams adopted practices like secure coding training, threat modeling, pen testing, SAST/IAST/SCA tool usage, security code review, etc. We then correlated practice adoption with outcomes like network vulnerability, not only to determine which practices have the most impact but to quantify how much of an impact each one has.
Thirsty for more? Check out Snyk’s DevSecOps Hub for more resources and tips:
User Story Threat Modeling: It's the DevSecOps Way
Talk | Alyssa Miller, Application Security Advocate, Snyk
Threat modeling is one of those security practices that is most often left out of the DevOps pipeline. Yet according to the Puppet 2019 State of DevOps Report, while not as often practiced in a DevOps pipeline, collaborative threat modeling can have the most significant impact...