Transforming from DevOps to DevSecOps at Scale

Many security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

Similarly, security groups believe that policy enforcement is their biggest (only?) lever... "If we can just update the policies to be more consumable/relevant/context aware/etc and get developers to pay attention, then magic will happen." But, policy enforcement rarely moves the needle and it creates a tense relationship between development and security that can do more harm than good.

This talk is a step-by-step framework for going from wherever you are now to getting on the path of DevSecOps cultural transformation. It addresses the mindset shift concerns for all relevant audiences. It addresses the mechanics of getting started and tracking progress. It's adaptable to any environment regardless of industry, technology, or maturity. Most importantly it's been proven in a highly diverse environment at Comcast.
Recorded May 30 2019 63 mins
Presented by
Larry Maccherone (DevSecOps Transformation Leader at Comcast)

  • From Zero to Hero: Continuous Container Security in 4 Simple Steps Jul 9 2019 8:00 am UTC 57 mins
    Shiri Ivtsan, Product Manager at WhiteSource
    Containers are shaping the way organizations are developing and managing applications nowadays. However, many are not always fully aware of the measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security aspects. The mindset of securing our applications needs to be shifted – to continuous security. In this session, Shiri Ivtsan, Product Manager at WhiteSource, will discuss:

    1) the main security challenges organizations face when using containers;

    2) the most common layers in a typical container deployment; and

    3) 4 simple steps to build security into each layer.
  • How DevSecOps Automates the Way for Secure Open Source Usage Recorded: May 30 2019 37 mins
    Jeff M. (Sr. Dir. of Product @ GitHub), Rami S. (CEO @ WhiteSource) & Rami E. (Sr. Dir. of Product Mgmt @ WhiteSource)
    Open source software has become the building block in the applications we interact with nowadays.

    The good? Thanks to the time and cost efficiency it brings, organizations are able to facilitate productivity and innovation at a faster pace than ever. The bad (or rather, less good)? Many organizations are grappling with the security aspect when it comes to their open source usage. In order to solve this, organizations should turn to practices such as DevSecOps.

    Join Jeff McAffer, Sr. Dir. Product, GitHub, Rami Sass, CEO at WhiteSource, and Rami Elron, Senior Director of Product Management at WhiteSource, as they discuss:

    -The challenges surrounding the security of open source code;
    -Which role DevSecOps practices play with respect to your open source usage; as well as
    -How technologies such as Software Composition Analysis can help automate and shift left your open source security.
  • How SAP Integrates License Compliance & Security Into Their DevOps Pipeline Recorded: May 30 2019 23 mins
    Stefan Gustafsson, Global Technology Legal Compliance, SAP & Shiri Ivtsan, Product Manager, WhiteSource
    Gone are the days where open source components were only used by individual developers, start-ups or small corporations. Today, even the biggest corporate giants have realized the numerous benefits open source usage brings, thereby openly embracing this as part of their software to help them focus their efforts and push more code out of the door faster.

    Join Shiri Ivtsan, Product Manager at WhiteSource, as she interviews WhiteSource’s customer, Stefan Gustafsson from SAP, to discuss:

    - How SAP perceives open source usage, thereby discussing its benefits and challenges;
    - SAP’s process of managing open source components before having an open source management solution in place; and
    - How SAP managed to successfully integrate automated license compliance and security into their DevOps pipeline.
  • Lessons Learned by an Agent of Chaos From DevOps Transformations Recorded: May 30 2019 29 mins
    Willy-Peter Schaub (Software Engineer, Director at AJATO Transformations Limited)
    Is your organization ready to embrace a DevOps mindset? Receive a pragmatic view from an agent of chaos, who’s promoting the goal for a single continuous integration and delivery pipeline, shifting testing, security, code reviews, and other opportunities to improve information sharing and quality to the left, shifting configuration to the right, and most importantly, aiming to delight users with constant value.

    Join Willy-Peter Schaub, Software Engineer & Director at AJATO Transformations Limited, as he shares:

    -The learnings and epiphanies gathered during DevOps transformations
    -How practices such as Shift Left, Shift Right and a progressive mindset affect the union of people, process and products
  • Security vs Developers: How to Make DevSecOps Work Together Recorded: May 30 2019 46 mins
    Simone Curzi (Principal Consultant at Microsoft) and Tom Shapira (Application Team Lead at WhiteSource)
    DevSecOps has taken the world by storm. Ever since the DevSecOps philosophy stepped into the limelight in the past few years, a growing number of organisations are trying to ensure their businesses are set up with the security in mind (and practice) from the get-go.

    In theory, the concept is great. In practice? Less so, given that the objectives and mindset of developers and security teams completely differ. While Security’s objectives are focused on ensuring secure SDLC from start to finish, developers are focused on software development and meeting their deadlines. Despite both aspects being equally important, these teams are struggling to find a common ground.

    So how can these teams be better aligned? Join Simone Curzi, Principal Consultant at Microsoft, and Tom Shapira, Developer Team Lead at WhiteSource, as they discuss:

    - What causes the gap between Security and Development teams with respect to Security objectives
    - How Developers can embrace Security (and DevSecOps practices as a whole) in a way that will ultimately satisfy both teams
  • Do Your Pipelines Remember? They Must If You Want to Go Fast With Static Analysis Recorded: May 30 2019 29 mins
    Jimmy Rabon (Product Manager at Micro Focus)
    All static analysis tools produce false positives, and often require developer context to determine exploitability of a security risk. Automating a static scan is usually straightforward, but building automation workflows around SAST findings requires that your pipelines become smarter over time.

    Optimizing the data provided by SAST tools is an often overlooked aspect to integrating SAST tooling into the CI / CD pipeline but it is required to be successful.

    Come learn from Jimmy Rabon, Senior Product Manager at Micro Focus, about best practices for DevSecOps / SAST integration and about how machine learning can help us predict the future, based on our past.
  • Container Security at the Speed of DevOps Recorded: May 30 2019 45 mins
    Tim Chase (Director of Information Security at Healthstream)
    Containers are becoming more popular, but how do you deal with the security challenges of using containers? You have to secure the application, the code, the web server and the host itself. And how do you do this at the speed of DevSecOps? Join Tim Chase, Director of Information Security at Healthstream, as he talks about containers, why they are complex to secure and provides actionable insights on how to start the process of securing them.
  • DevSecOps in the Cloud Is More Than Just CI/CD Recorded: May 30 2019 37 mins
    Henrik Johansson (Principal - Office of the CISO at AWS)
    DevSecOps is often associated with securing a development pipeline in traditional CI/CD frameworks. Join this session, held by Henrik Johansson, Principal - Office of the CISO at AWS, as he discusses and shows:

    - how public cloud technology enables you to fully embrace security automation in your infrastructure
    - how to account security using managed security services to detect incidents and risks at scale; as well as
    - techniques like automated incident response actions and automated instance isolation.
  • Panel Discussion: Forrester Wave Vendors Discuss Software Composition Analysis Recorded: Apr 21 2019 54 mins
    Panel Discussion including David Habusha (VP Product at WhiteSource)
    Forrester recently released its “Forrester Wave Software Composition Analysis SCA for Q2 2019,” highlighting the leaders in this fast-growing category.

    According to their report, nowadays, one in eight open source component downloads contained a known security vulnerability and security pros now have less time to identify and remediate them. In order to keep up, a Software Composition Analysis (SCA) solution is necessary.

    Watch this panel webinar as three of the companies highlighted in the Wave report discuss why SCA is so important and how it can help you keep your open source components secure.
  • The DevOps Challenge: Open Source Security at Scale Recorded: Apr 10 2019 48 mins
    Shiri Ivtsan, Product Manager @ WhiteSource
    It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this, comes the alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018.

    The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?

    Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses:

    - The current state of open source vulnerabilities management;

    - The latest innovations in the open source security world; and

    - The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.
  • Secure your CI/CD Pipeline from Start to Finish with CircleCI Orbs & WhiteSource Recorded: Mar 19 2019 39 mins
    Shiri Ivtsan, Product Manager @ WhiteSource | Angel Rivera, Developer Advocate @ CircleCI
    In the agile age of software development, speed is the name of the game. This is why CI/CD tools like CircleCI have played such a pivotal role in changing how we work, sending our software along through the pipes at a breakneck pace.

    We are always asking questions such as: How fast can we get a new version out to our customers? How can we add these new features and stay on schedule? How can we do these things with as little wasted time and effort as possible?

    Open source software components play an important role by providing us with the building blocks of our products. These free software components allow us to skip over the more monotonous work of writing basic features on our own by offering us tried-and-true code. This allows us to focus on our business logics instead of having to build our own frameworks and infrastructures from scratch. However, even as we enjoy the benefits of open source components, they are not without their challenges, especially when it comes to security vulnerabilities.

    In this webinar, you'll learn how:

    - WhiteSource can help teams catch vulnerabilities within open source components at early stages of the development cycle
    - You can start implementing the WhiteSource CircleCI orb into your CI configuration
    - To gain insights into your software helping you make smarter decisions in working with open source components
  • The State of Open Source Security Management Recorded: Mar 6 2019 20 mins
    Rami Sass, CEO, WhiteSource & Vince Tocce, Host, Vince in the Bay Podcast
    How should organizations think about the open source components that they are using in their products? Why should organizations take steps toward open source vulnerability management? As open source management is being widely adopted and has earned its place in the standard AppSec tools suite, discover how organizations should make the most of these tools and bring them into the development lifecycle.

    Join Rami Sass for a video interview at RSA Conference 2019 to learn more about:
    - Why open source is being so widely embraced by enterprises for their development nowadays?
    - What are the risks when it comes to using open source components? Are open source libraries riskier than proprietary code?
    - For those businesses that are ready to implement open source management and security, where should they start?
    - Where do you see open source usage moving in the next 5 years? What are going to be the challenges that companies are going to require solutions for managing better?
  • Improving Security in a DevOps World Recorded: Mar 5 2019 43 mins
    Michelle McLean (StackRox), Azi Cohen, (WhiteSource), Cindy Blake (GitLab), Vikram Kapoor (Lacework)
    The average enterprise today is leveraging hundreds of applications across multiple clouds. With the risk of cyber attacks and breaches looming large, application security is becoming a key area of focus for organizations.

    Join this interactive Q&A panel of industry experts to learn more about:
    - How to integrate application security testing into the DevOps process early on
    - Why automation, speed and coverage are critical to the success of DevSecOps programs
    - Speed vs Security: Where do you draw the line?
    - Recommendations for improving security in 2019
  • Ubiquitous Open Source Makes for Security Challenges Recorded: Jan 23 2019 29 mins
    Rami Sass (WhiteSource) | Baruch Sadogursky (JFrog) | Cindy Blake (GitLab)
    You don’t need an expert to tell you that open source software will be ubiquitous in the enterprise in 2019. You also don’t need an expert to tell you that this will present security challenges either. But what can you do in 2019 to ensure your open source software is as secure as you can make it? Best practices, processes and tools are coming into focus. 2019 is the year you need to implement and use them.

    Join the panel of experts as they share their best advice to help make 2019 a secure year for your open source use.
  • Find And Fix Open Source Vulnerabilities Within GitHub With WhiteSource Bolt Recorded: Dec 12 2018 6 mins
    Victoria Oiknine, Project Manager at WhiteSource
    Meet WhiteSource Bolt for GitHub - the new free app which will allow you to harness the power of open source without having to compromise on security or agility ever again!

    WhiteSource Bolt continuously scans all your repos, detects vulnerabilities in open source components and provides fixes, all in real-time, in your GitHub native environment. The tool supports both private and public repositories, and covers over 200 programming languages.

    Sign up to this short webinar to learn more about the different capabilities of this new app and how to use it in your GitHub native environment.
  • The State of Open Source Vulnerabilities Management Recorded: Nov 21 2018 51 mins
    Rami Elron, Senior Director of Product Management at WhiteSource
    The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.

    Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.

    It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:

    - the current state of open source vulnerabilities management;
    - organizations' struggle to handle open source vulnerabilities; and
    - the key strategy for effective vulnerability management.
  • New Research Reveals Key Strategy to Manage Open Source Security Recorded: Nov 14 2018 55 mins
    Scott Crawford, Research Director at Information Security & Rami Elron, Senior Director of Product Management at WhiteSource
    According to the latest open source security research report, "The State of Vulnerabilities Management in 2018", almost 97% of developers rely upon open source components in order to develop their applications nowadays. But with the recent spike in disclosed open source vulnerabilities, the question arises whether security and development teams have the right strategy in place in order to meet their security objectives?

    Join Scott Crawford, Research Director at Information Security, and Rami Elron, Senior Director of Product Management at WhiteSource, as they discuss:

    -the current state of Open Source Security;
    -the challenges faced by security and development teams when handling open source vulnerabilities; and
    -how Open Source Security strategies need to be stepped up with the latest next-gen technology for management and prioritization
  • Automating Open Source Security: A SANS Product Review of WhiteSource Recorded: Oct 4 2018 63 mins
    Serge Berso, SANS Community Instructor and Analyst, and Rami Elron, Senior Director of Product Management at WhiteSource
    Open source components have become the key building blocks for application development in today's market, allowing companies to assemble their products faster and more efficiently. The increasing adoption of open source components, however, has introduced new security challenges that most teams are not prepared to mitigate.

    This review looks at WhiteSource's solution, which helps companies automate the entire process of open source component selection, approval and management, including detection and remediation of security and compliance issues.

    Join Serge Berso, SANS Community Instructor and Analyst, and Rami Elron, Senior Director of Product Management at WhiteSource, in this webcast to learn how WhiteSource's solution can be easily integrated into companies' software development lifecycle to:

    *Detect open source vulnerabilities in real time
    *Prioritize and remediate vulnerabilities
    *Automate policy enforcements throughout the SDLC
  • How to Achieve a DevSecOps Culture Using a Lean-Agile Approach Recorded: Sep 27 2018 60 mins
    Larry Maccherone, DevSecOps Transformation Leader at Comcast
    There are a lot of DevSecOps offerings that are just DevOps lipstick on a traditional security-as-a-gate pig. Also, security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy an order of magnitude or more faster than human gating can achieve.

    What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and coaches and stop thinking of their jobs as gatekeepers.

    Join Larry Maccherone, an industry-recognized thought leader on Lean/Agile, Analytics, and DevSecOps, as he introduces a framework to accomplish this mindset shift. It includes guidance on the characteristics of tools compatible with DevOps. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
An open source security and licenses management solution
WhiteSource allows engineering, security and compliance officers to effortlessly secure and manage the use of open source components in their software, allowing developers to focus on building great products. WhiteSource fully automates all open source management processes: component detection; security vulnerability alerts and fixes; license risk and compliance analysis along with policy enforcement; quality review, and new version alerts. It offers a complete suite of control, reporting and management to help software teams manage open source truly effortlessly. For more information about WhiteSource, visit http://www.whitesourcesoftware.com or follow us on twitter: @whitesourcesoft

  • Title: Transforming from DevOps to DevSecOps at Scale
  • Live at: May 30 2019 3:00 pm
  • Presented by: Larry Maccherone (DevSecOps Transformation Leader at Comcast)