This document discusses how security needs to adapt to keep up with rapid changes in technology and development practices. As internet usage and the number of developers have grown massively, the development process has become more complex, involving tools like AWS and DevOps. However, security has struggled to integrate effectively. The document argues security must improve its developer experience by focusing on high-impact issues, speaking the same language as developers, making tools easy to use, and tightly integrating with development workflows. By learning from how quality evolved, security can become a commodity that developers respect and rely on.

1. DevSecOps –
Securing a great DX
Stefan Streichsbier
CEO - GuardRails
CTO - DevSecOps@

2. About me
Stefan Streichsbier
@s_streichsbier
GuardRails
Move fast, be safe.
Cyber Security Ventures
DevSecOps@

3. What are we going to cover?
And also, how security and developer experience are related.
How security is
keeping up with it
How the tech
landscape changed
What mindset security
has to adopt

4. Some Statistics
As of June 2017,
51% of the world's population
has internet access.
That’s close to
4,000,000,000 people
As of June 2018,
there are 28,000,000
developers on Github alone.

5. Source: https://www.bigfootcap.com/a-review-of-why-software-is-eating-the-world-how-have-the-companies-fared/

6. With change comes complexity

7. It used to be so simple
Figure 1: Use an FTP Client
to Copy the Necessary Files
from Your Desktop to the
Web Server at the
Web Host Provider.
Source: https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/deploying-your-site-using-an-ftp-client-cs
Pro Tip:
• Add Google Analytics
(post November 2005)

8. Web masters
don’t need to
collaborate
Build?
I’m using PHP,
ASP, PERL, etc
Test locally,
As long as there
is no parsing
error, we’re all
good.
Drag and drop
files to Filezilla.
GoDaddy

9. It’s better now, but is it simpler?
https://gist.github.com/rasheedamir/7da0145ae1b5d9889e4085ded21d1acb

10. https://devopedia.org/devops

11. Complexity Is Increasing

13. How does security fit into this?

14. AWS Security Primer
https://news.ycombinator.com/item?id=14628108
https://cloudonaut.io/aws-security-primer/
I have worked extensively with AWS over the last 4 years,
and I can barely wrap my head around the scope of
managing security in AWS.
We have an entire department dedicated to security in
our company, and none of them are remotely close to
being experts in AWS security either.
I’m starting to get curious if there even is an expert who
could set up and maintain a bulletproof AWS account.

15. The Evolution of Security
Secure SDLCPenetration Testing DevSecOps

16. Security
Developers

17. https://devopedia.org/devops
Application
Vulnerability
Correlation &
Security
Workflows
Security tools
integrating with
Chat Bots
Security sections
on all major
social media
platforms
Security tools
integrating with
SCMs
Security tools
integrating with
pipelines
Custom security
linters, and
compiler flags
All the security
tools, we need a
bigger box!
Security/Complia
nce/Infrastructur
e as Code,
Secret
Management
Secure
Repositories,
golden images,
artefact security
scanning
Cloud Platform
security tools
RASP, NG WAF,
Micro-
segmentation

19. “The first rule of any technology used in a business is that
automation
applied to an efficient operation will magnify the efficiency.
Bill Gates
The second is that automation applied to an inefficient
operation
will magnify the inefficiency. ”

20. The vicious cycle
Tools compound
the issue.
There is too much
security debt
Developers “comply”

22. What has to change then?

23. Psst, this has happened before …
Quality used to face the same challenges
that security is facing now.

24. https://blog.sonarsource.com/kill-the-noise-to-change-gear-in-our-code-analyzers

25. Developer Experience, Finally!
User ExperienceUsability Developer Experience

26. Excellent, let’s do this for security!

27. Signals vs Noise
Focus on high-impact
issues
Don’t add to the noise Ensure the issues have
high accuracy
Security Trivia #213: What is the largest security tool report that has been recorded?
13,000 pages

28. Lost in Translation
Speak the same language
as developers
Issues are useless
until they are fixed
Leverage the right
communication channel
Security Trivia #937: What is the official CWE title for a SQL Injection?
Improper Neutralization of Special Elements used in an SQL Command

29. Make it easy
Tightly integratedAllow developers to
get started in minutes
Provide all the needed
functionality
Security Trivia #23: How many of the 12 leading AST companies - according to
the Gartner Magic Quadrant – have clear pricing information on their website?
1

30. Ok, cool – let’s wrap it up

31. How can we get ahead for once?
Respect complexity,
but provide focus
Acknowledge that
developers are key
Security has to become
a commodity