We're excited about Contextual Security Analysis and how it is a positive change for the industry. That's why I was happy to join the fine folks at DeveloperWeek in San Mateo to discuss how the security industry finds a new path forward with developers.
This talk has been in progress for a while and represents my thinking about what we're doing and where we're going as an industry, because, frankly, DevSecOps isn't working. In many organizations, it has been used to add more control over developers and add roadblocks to delivering applications. That's unfortunate.
Across the board, there has been a negative impact on the CI/CD pipeline, resulting in longer cycle times, and worst of all, in most cases, the systems aren't getting more secure. DevSecOps needs to find a new way.
This presentation explores what is missing in most organizations; the intersection points between developers and security; and what to do about it. I also discuss how composition and context work together, how to reduce friction in the pipeline, reduce the time for discovery of security issues, and provide collaboration between groups.
Below are the slides from that talk hosted via SpeakerDeck.
If you found this interesting, or if you have questions, I'd love to chat. Reach out to me at wickett AT dryrun .security.
You might also be interested in checking out the Contextual Security Analysis Guide; we have a complimentary copy waiting for you. In it, you'll find a more in-depth breakdown of CSA and the benefits of using the SLIDE model. You can get it at dryrun.security/csa.