Daniel Fernández-Purroy, IT Security Officer at the Holcim EMEA Digital Center, took part in the GitHub InFocus event to exchange views with experts from other companies on "Shipping secure software within the developer flow". Below are some of the reflections from the discussion at the event.
What was the reason for your company's DevSecOps journey?
Business digitization is increasing, and with it the risk.
Shift Left: moving security earlier in the developer's journey.
The GDPR storm is still evolving, with more countries establishing similar regulations.
Agile but secure software delivery.
How to involve developers?
Not changing tools, but building on the existing landscape: integration with the development tools already in use.
Gamification of security achievements with metrics, dashboards and prizes.
Awareness of the work to be done, and why it matters, at the beginning rather than at the end.
Application security and DevSecOps challenges?
Legacy code, and fixing a backlog of problems inherited from the past.
Developers' knowledge of secure software development varies: many different backgrounds and maturity levels per team.
New developer workflows are not always well received and must be introduced with care.
Time to fix vulnerabilities vs. pressure to go into production.
Which metrics to look at?
Follow-up of the changes and work done in each code commit. Which team introduces the most security holes?
Severity of the findings and how long they remain open in the system. Which team resolves them fastest?
Security maturity of the team based on the findings.