Security Superstream: DevSecOps
Published by O'Reilly Media, Inc.
Improve your security posture
According to Gartner, by 2025 a single centralized cybersecurity function won’t be agile enough to meet the needs of a digital organization. DevSecOps—the integration of security considerations into the delivery pipeline as early as possible—is an important means of addressing this challenge.
Join top experts for an overview of best practices and future trends in DevSecOps. You’ll learn how to integrate security into everything you do, understand the cultural changes your organization needs to make to do so, and explore new developments such as system resilience, MLSecOps, and more.
About the Security Superstream Series: This two-part series of events will cover some of the most challenging topics facing those who are concerned with security, with expert guidance and insight into best practices, new developments, and future trends.
What you’ll learn and how you can apply it
- Understand how the development, operations, and security teams can work together to improve your organization’s product.
- Gain a deeper understanding of system resilience, security champion programs, secure system development, and securing the ML lifecycle.
- Learn how to implement DevSecOps best practices.
This live event is for you because...
- You're a security practitioner interested in DevSecOps.
- You’re a developer or engineer looking to integrate security into your ML lifecycle.
- You want to understand the role of security in complex systems.
Prerequisites
- Come with your questions
- Have a pen and paper handy to capture notes, insights, and inspiration
Recommended follow-up:
- Read Learning DevSecOps (early release book)
- Read Security Chaos Engineering (book)
- Watch Software Development Hour with Sam Newman: Building Secure Software with Laura Bell (video)
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Chloé Messdaghi: Introduction (5 minutes) - 8:00am PT | 11:00am ET | 3:00pm UTC/GMT
- Chloé Messdaghi welcomes you to the Security Superstream.
Kelly Shortridge: Watering the Roots of Resilience—Learning from Failure with Decision Trees (45 minutes) - 8:05am PT | 11:05am ET | 3:05pm UTC/GMT
- Software systems are complex, sociotechnical systems; without humans, software systems can’t adapt. But understanding your system’s reality and how it adapts in response to changing conditions is no small feat. Kelly Shortridge explores how software engineers can align their mental models of the system with reality. You’ll learn about the necessity of resilience stress testing (i.e., chaos experiments) to expose your system’s messy reality, see how to document and visualize your mental models through decision trees to inform design improvements and further experiments, and examine some practical open source tools to apply in your everyday work. By the end of the session, you’ll understand how decision trees can empower you to reason about stressors and surprises in systems.
- Kelly Shortridge is a senior principal at Fastly and lead author of Security Chaos Engineering: Sustaining Resilience in Software and Systems (for O'Reilly). She’s best known as an expert on resilience in complex systems, the application of behavioral economics to cybersecurity, and bringing security out of the dark ages. Kelly is also a frequent keynote speaker, advisor, and author and has been a successful enterprise product leader, entrepreneur (with an exit to Crowdstrike), and investment banker.
Cassie Crossley: Supply Chain Security (45 minutes) - 8:50am PT | 11:50am ET | 3:50pm UTC/GMT
- Thousands of vulnerabilities are announced every month. A product’s open source or third-party commercial libraries often have vulnerabilities, but is that the only concern? What should a vendor be doing to secure its supply chain? Join Cassie Crossley to find out how a very large OEM has structured more than 13 supply chain security initiatives, including R&D security, secure development, SBOMs, vulnerability management, and third-party risk management.
- Cassie Crossley is vice president of supply chain security in the global Cybersecurity & Product Security Office at Schneider Electric. An experienced cybersecurity technology executive in information technology and product development, she’s also the author of Software Supply Chain Security, from O'Reilly. Cassie has many years of business and technical leadership experience in supply chain security, cybersecurity, product and application security, software and firmware development, program management, and data privacy. She’s a member of the CISA SBOM working groups and presents frequently on the topic of SBOMs and supply chain security.
- Break (10 minutes)
Laura Bell Main: So Long, Secure Coding—Shifting from Syntax to Secure Software Development Processes (45 minutes) - 9:45am PT | 12:45pm ET | 4:45pm UTC/GMT
- If you still need to start shifting left, you're late. The whole world has been shifting application security left for about five years, especially in the wake of DevSecOps. Do you still focus on "secure code," even though code is only part of the picture when protecting your data, systems, and people? Laura Bell Main examines this focus on secure code and shows how to move toward secure development, providing practical actions you can apply today throughout your SDLC, from initial ideas to ongoing systems maintenance and support.
- Laura Bell Main is cofounder and CEO of SafeStack, an online education platform offering flexible, high-quality, and secure development training focused on building application security skills, practices, and culture across the entire engineering team. She’s also the coauthor of Agile Application Security (O’Reilly) and Security for Everyone. With over 20 years of experience in software development and application security, she’s an experienced conference speaker, trainer, and panel member and has spoken at events such as BlackHat USA, NDC, RenderATL, and OSCON.
- Break (5 minutes)
Diana Kelley: Protect AI with MLSecOps (45 minutes) - 10:35am PT | 1:35pm ET | 5:35pm UTC/GMT
- The potential of AI is tantalizing. From automating routine writing tasks to modeling health outcomes for large populations, the technology is rich with promise. The more you rely on AI and ML, the more important it is that those systems are secure and resilient. Diana Kelley explains why the time is now to adopt an MLSecOps approach and provides key guidance on how to build security into the machine learning lifecycle.
- Diana Kelley is the chief information security officer for Protect AI. Previously, she was cybersecurity field CTO for Microsoft, global executive security advisor at IBM Security, CTO and cofounder of SecurityCurve, and has held other leadership positions at Symantec, Burton Group (now Gartner), KPMG, and Salt Cybersecurity. She serves on several boards, including WiCyS, the Executive Women’s Forum, InfoSec World, and the CyberFuture Foundation. She’s also a sought-after keynote speaker, the host of BrightTALK’s The (Security) Balancing Act, and coauthor of Practical Cybersecurity Architecture and Cryptographic Libraries for Developers.
Chloé Messdaghi: Closing Remarks (5 minutes) - 11:20am PT | 2:20pm ET | 6:20pm UTC/GMT
- Chloé Messdaghi closes out today’s event.
Your Host
Chloé Messdaghi
Chloé Messdaghi serves as the Head of Threat Intelligence at HiddenLayer, where she leads efforts to strengthen security for AI and fosters collaborative initiatives to enhance industry-wide security practices for AI. A highly sought-after public speaker and trusted authority for national and sector-specific journalists, Chloé’s expertise has been prominently featured across various media platforms. Her impactful contributions to cybersecurity have earned her recognition as a Power Player by publications such as Business Insider and SC Media.