Session Name: DevSecOps Poker
You're wrapping security tools into your DevSecOps pipeline, but with thousands of commercial, open-source, and custom scripts to choose from, where do you start? Is it AppSec, cloud, network, vulnerability scanning, containers, microservices, or something else?
Uleska has been dealing with this question for years with enterprise companies, and it all comes down to a game of poker. Do you have better cards (tools), and are you playing them better than your opponent?
In this session we talk about how moving to DevSecOps is not just a matter of using a vendor tool that has had an API bolted on and a Jira integration added. It's about coverage of regulations and standards. It's about avoiding duplication and false positives. It's about being transparent to the developer while still giving effective assurance to the security team or security champion. It's about knowing what your DevSecOps coverage includes, and what it doesn't. And it's about using DevSecOps to do more than just automate: to speed up triage and fixes, inform wider strategy, and protect the business.
To make it more fun, we describe this through a DevSecOps poker game: Texas Hold'em, with the price of regulatory fines as your stake and the breadth of the black hat community as your opponents.
Gary Robinson has over 20 years' experience in software and cyber security and is respected in the cyber security industry, having recently been voted onto the Global Board of OWASP. Gary brings experience as a Senior Application Security Architect at one of the world's largest banks.