DevSecOps means everyone is responsible for security from Day 1. In this day and age, a “live and learn” mentality when it comes to security is not going to cut it. Teams need to be on guard against major attacks all while building their apps in compliance with regulations. This session will dive into the issues of DevSecOps implementation, and how we can bake it all in from the get-go.
DevSecOps is a must to maintain speed, agility and innovation while simultaneously meeting regulations and staying ready for attacks. Learn how to bake it into your technology’s DNA from Day 1.
We all know that security is a top priority -- and challenge -- for many companies. But what do recent data breaches and attacks say about how the developer community prioritizes security? All too often, security is one of the last pieces of the puzzle. Work goes through the process of DevOps, testing, and launch...but security is only added in at some point along the line whenever it is “most convenient.”
There is no more time for convenience. There needs to be an industry-wide shift toward embracing DevSecOps that prioritizes security at the same level as these other components. Teams will fail if they continue to add in security arbitrarily. Instead, it needs to be baked in from Day 1. With most services now based in the cloud, we no longer have the leisure of running secure, internal applications. Our information is out in the wild, in an environment that anyone can hack -- all reinforcing how important it is that security is built in at the rudimentary stage. But what does this really mean? How do you “do” DevSecOps?
It means that the security conversation needs to come first. In addition to vital team members, companies need developers and security pros on site, securing the product from the ground up alongside everyone else. Additionally, developers need to engage in security training. This can come in the form of code review, short sprints, understanding what libraries are safe to use, or setting up feature flags that will check code carefully, one piece at a time. Teams can take the approach of releasing their code in small chunks, and staging it daily. There’s no such thing as a full release anymore; it must be broken up into bite-sized chunks to be adequately secure. If something goes wrong, the DevSecOps team can get into the QA mindset of fixing accordingly with security at the top of mind. Companies should empower developers with the security knowledge they need. And above all, the idea of DevSecOps has to be folded into management philosophy.
Ultimately, the challenge is to deal with imminent cloud-based attacks, all the while having visibility into processes to ensure users that their information is adequately secured. This is easiest, and most scalable, under the mantra of DevSecOps. Do it from Day 1, and you won’t regret it on Day 1,000.
In this session, George will dig into the nuts and bolts of how companies can achieve this, as well as the benefits they’ll take away -- and potential catastrophes they will avoid.
- How DevSecOps is changing how organizations approach security
- The shifting security dynamics as workloads move to the cloud
- The steps it takes to successfully implement and maintain DevSecOps
George Gerchow, Vice President of Security Compliance
As Sumo Logic's Vice President of Security and Compliance, George Gerchow brings 18 years of information technology and systems management expertise to the application of IT processes and disciplines. His expertise impacts the security, compliance, and operational status of complex, heterogeneous, virtual and cloud computing environments. Mr. Gerchow's practical experience and insight from managing the infrastructures of some of the world's largest corporate and government institutions make him a highly regarded speaker and invited panelist on topics including cloud secure architecture design, virtualization, configuration management, operational security and compliance. George was one of the original founders of the VMware Center for Policy and Compliance and he holds CISSP, ITIL, Cisco, and Microsoft certifications. Mr. Gerchow is also an active Board Member for several technology startups, the co-author of Center for Internet Security - Quick Start Cloud Infrastructure Benchmark v1.0.0, a Faculty Member for IANS - Institute of Applied Network Security (https://www.iansresearch.com/), and an instructor for MISTI (http://misti.com/).