The Impact of DevSecOps Quantified
Keynote
Larry Maccherone, DevSecOps Transformation, Comcast
What if I could tell you the three application security practices whose adoption would most lower risk? What if I could also quantify the impact that each practice would have on your outcomes? Imagine being able to focus your entire organization (and your limited budget) on these three things rather than have your efforts spread across dozens of practices. Imagine how different the conversation with engineering teams and budget approvers would be if you could present research that shows just how important these three things are compared to other things you could invest in.
This talk presents research that quantifies the impact that various DevSecOps software security practices have on security risk outcomes. We have data from 200 different teams in the technologically and process-diverse environments inside Comcast. We've tracked this data over time as teams have adopted practices like secure coding training, threat modeling, pen testing, SAST/IAST/SCA tool usage, security code review, etc. We have then correlated outcomes like network vulnerability with practice adoption, not only to determine which practices have the most impact but to quantify how much of an impact each has.