DevSecOps Culture Under the Microscope at OWASP 2023 Global AppSec, Dublin

Dublin. City by the sea. Capital of Ireland. Home of Guinness. And, most recently, host to the OWASP 2023 Global AppSec Conference. This four-day event in mid-February included educational training, a conference of security industry professionals, and an exhibition hall with booths by many technology providers including HCL AppScan .

OWASP (Open Worldwide Application Security Project^®) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, with hundreds of local chapters worldwide, the OWASP Foundation is the source for developers and technologists to secure the web.

In the field of security, OWASP is best known for The OWASP Top 10, a standard awareness document for developers and web application security practitioners that represents a broad consensus about the most critical security risks to web applications.

Among the event’s highlights was a series of speakers covering a wide array of application security topics including threat modeling, hacking, defending APIs (Application Programming Interfaces), artificial intelligence, and much more.

One talk that stood out was Ten DevSecOps Culture Failures by Chris Romeo, CEO of Kerr Ventures and host of the Application Security Podcast. Chris drew on his 25 years of experience for a high-level discussion of how to improve the role of security in the overall DevOps culture. Here are some key takeaways from this talk.

1. Teach a foundation of security to everyone (developers) but also teach coding to security. Chris was emphatic that the days of security teams working separately from developers and DevOps are long gone and that successful DevSecOps requires a more collaborative approach where everyone understands each other’s roles and responsibilities.
2. “Drop the no; try yes, if…” Security needs to identify less as gatekeepers and find ways to let developers bring forward innovative ideas that still include security best practices. Chris suggested that practicing empathy was a key component of this change and encouraged the audience to spend time sitting with developers while they work to better understand the challenges they face when using security tools.
3. Never waste anyone’s time with security findings that don’t matter. Tune the tools you have and introduce new tools with a minimal policy so developers aren’t overwhelmed with hundreds of tickets that don’t represent critical vulnerabilities. Chris was clear that if security wants developers to use a tool, they need to like it first, and that’s better accomplished by delivering fewer and more impactful findings.

Other interesting topics covered included the importance of threat modeling and the integration of SCA (Software Composition Analysis) and other tools to protect the pipeline from vulnerabilities in third-party applications. In his final comments he predicted that in fifty years, the DevOps culture and the values and methodologies it contains will be far more impactful than the ever-changing security tools themselves.

Click here to hear the entire talk on YouTube.

HCL AppScan is committed to developing application security testing tools that enable everyone in the development pipeline to be part of the solution when it comes to developing secure software. Visit us online for more information or sign up for a free trial today.