DevOps and Application Security: People You Need to Know

Trusted Software Alliance, 50 in 50 Interview Series: DevOps and Application Security, People You Need to Know

GENE KIM, author of The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win
"The ratio now is 20:1, developers have to spend 20 hours convincing people vs an hour actually doing the innovation. This is the consequence of building technical debt. The status quo (of development) pre-ordains failure from the very beginning."
http://tiny.cc/tswa-GeneKim @RealGeneKim

KRIS BUYTAERT, Speaker, Author, Consultant, DevOps Days Organizer
"Large organizations are saying 'We want to change the way we deliver software'. The real problem is that small startups can build better software with much better quality, much more secure, and much faster with a fraction of the budget of bigger organizations. The larger organizations are getting envious."
http://tiny.cc/tswa-KrisBuytaert @KrisBuytaert

MATT TESAURO, Product Security Engineering Lead at Rackspace
"We hired someone to do vulnerability management at the component level testing of the software, because it's a big issue & there's lots of moving pieces. It is a never ending [process] and unfortunately there's no one list you can subscribe to that tells you all of your software updates."
http://tiny.cc/tswa-MattTesauro @matt_tesauro

JACOB WEST, CTO, Enterprise Security Products, HP
"DevOps is not a specific role. It is more about communication channels and workflow. The two main things people try to get out of the idea of DevOps is influence on the deployment environment from development, then closing the loop and getting feedback from the operational environment."
http://tiny.cc/tswa-JacobWest @sfjacob

WENDY NATHER, Research Director, Security, within 451 Research's Enterprise Security Program
"Companies under the security poverty line, those are the ones that are just not capable of fixing any of the software themselves; either it's not theirs and they are reliant on third parties (or) if they have any infrastructure, it has so much inertia they just don't know where to start to remediate."
http://tiny.cc/tswa-WendyNather @451wendy

ERIC BAIZE, Senior Director of the Product Security Office at EMC Corporation
"No software vendor can guarantee absolute security (of their product). It is up to the vendor to apply the right processes and develop products with security baked in. It is up to the customer to ask the vendor what type of processes they apply."
http://tiny.cc/tswa-EricBaize

JEREMIAH GROSSMAN, Founder and CTO of WhiteHat Security
"Cross-site scripting is like the cockroach of website security, we can never seem to stamp it out. We know how to fix these issues. What makes it difficult is the volume of these vulnerabilities and the limitation of the developer time that's out there."
http://tiny.cc/tswa-JGrossman @jeremiahg

RYAN BERG, Chief Security Officer, Sonatype
"The notion of DevOps is the realization that the development process doesn't end in development. We can't disconnect the operations piece of software (development) from those other phases of development."
http://tiny.cc/tswa-RyanBerg @ryanberg00

BRIAN CHESS, VP of Infrastructure & Security, NetSuite (founder of Fortify)
"In Silicon Valley it's not as much the money you are paying (developers) as how many IQ points have you managed to accumulate under your roof, and are you getting the maximum possible value out of those IQ points."
http://tiny.cc/tswa-BrianChess

JOHN WEATHERSBY, Founder & Executive Director of the Open Source Software Institute
"Open source is ubiquitous, it's pretty much in everything. You could not take open source out of the cloud. Open source is part of the technology that we call the cloud. It would be catastrophic for the DOD to try & ban open source."
http://tiny.cc/tswa-JohnWeathersby @jmwossi

CHENXI WANG, Vice President, Market Insight & Business Intelligence at McAfee
"Account management is one of the loopholes that bypasses all of the security processes you put together. If a password is breached, all of your security processes go out the door because it is a legitimate user access. There are tactical steps you can do to make it much, much harder."
http://tiny.cc/tswa-ChenxiWang @chenxiwang

DAN CORNELL, Principal at Denim Group
"The financial reality is it may be too expensive to fix some of this stuff. The important thing is they go through a structured process as opposed to running a bunch of scans and then emailing a 300 page report to the developer and that's the way the vulnerabilities get managed."
http://tiny.cc/tswa-DanCornell @danielcornell

HEATHER MEEKER, Intellectual Property Licensing Attorney / Open Source Specialist
"A large project will have many, many (open source) components under different licenses. Each component may be covered by GPL, LGPL or BSD, but the thing as a whole is covered by GPL. You need to make sure all of the pieces are compliant with whatever the overarching license is going to be."
http://tiny.cc/tswa-HMeeker

JEFF WILLIAMS, CEO & Founder, Aspect Security (founding member of OWASP)
"The scale of the problem is massive, it's ridiculous. We've got to choose different (security) tactics. We have to choose only approaches that scale. What that means is you can't have experts be part of the critical path for security."
http://tiny.cc/tswa-JeffWilliams @planetlevel

Trusted Software Alliance: Thoughts, Ideas and Trends in Application Security. @TSWAlliance, www.trustedsoftwarealliance.com, facebook.com/TrustedSoftwareAlliance. Designed by www.pinkpetrol.com.

shared by pinkpetrol on Aug 15
As DevOps continues to gain traction in the application and software security industry, the 50 in 50 interview series talks with the leading authorities in the market. This infographic is one of three.

Tags: agile
Category: Technology