Software Engineering Institute

In many organizations, DevSecOps emphasizes delivery speed and automation at the expense of security. Unfortunately, this leads to increased business risk. Today, many DevSecOps teams cannot provide clear, defensible security assurance to their business stakeholders. This, ironically, slows the business down.

We need to seamlessly integrate proactive security controls and requirements into our DevSecOps automated pipelines in order to achieve the right balance between development speed and security risk. This integration is achieved by traceably mapping coarse-grained business risk and security policies into fine-grained DevSecOps pipeline requirements. Dashboards, produced through automation, provide real-time security assurance and development speed metrics at multiple levels. This helps achieve the right balance between development speed and security risk.

This presentation by Altaz Valani of Security Compass was given virtually at DevSecOps Days DC 2020 on October 1, 2020.

Altaz Valani manages the overall research vision and team as the Director of Insights Research at Security Compass. He is a regular conference speaker who conducts ongoing research in the software security domain. Prior to joining Security Compass, he was a Senior Research Director and Executive Advisor at Info-Tech Research Group, Senior Manager at KPMG, and held various positions working alongside senior stakeholders to drive business value through software development. Altaz is on the SAFECode Technical Leadership Council, CIO Strategy Council, and several IEEE Working Groups where cyber security and privacy challenges are being tabled at the international standards level. He is a frequent collaborator within industry and academic circles on a wide range of topics related to governance, risk, cyber security, and software development.

Watch the video.