
Ten DevSecOps Culture Failures

2023-02-15

Authors: Chris Romeo


Summary

The presentation discusses common failures in DevOps security and provides solutions to address them.
  • Failure to prioritize security in DevOps
  • Lack of collaboration between security and development teams
  • Inadequate training and education on application security
  • Inefficient use of tools and technology
  • Lack of integration of threat modeling in DevOps process
  • Vulnerable code in the wild
The speaker suggests that virtual workshops can be an effective way to engage remote teams in application security training. The speaker also emphasizes the importance of integrating threat modeling into the places where developers already operate, rather than creating new systems for them to use. Additionally, the speaker highlights the need for software composition analysis and recommends open source tools such as Dependency Check and Dependency Track.

Abstract

Rolling out DevOps + Security has its series of pitfalls. In this talk, we'll explore real-world challenges, sprinkling in a bit of humor on behalf of the Internet, and work out how to avoid these pain points using security culture. You'll experience what can go wrong, in order to expose how to do things right. We'll cover a sampling of the failures: name and brand, the infinity graph, security as a special team, vendor-defined DevOps, and a lack of collaboration. You'll receive actionable best practices for changing your DevOps security culture.
