
Enhance AppSec Maturity and Outcomes using DevSecOps Metrics

September 2021 Presentation

This presentation by Suresh Chandra Bose Ganesh Bose at Cognizant was given virtually at DevSecOps Days Los Angeles 2021 on September 15, 2021.


Software Engineering Institute


Building a mature AppSec program is critical to the success of any product by managing the most vulnerable areas of the application. How can we ensure that the DevSecOps pipeline implemented is working effectively? This presentation highlights the key measures every CISO must monitor to track the effectiveness of the AppSec maturity.

Effective outcomes were measured by tracking 6 key metrics to validate whether DevSecOps was successfully implemented. When done right, DevSecOps goes well beyond “shifting security left” to “shifting security everywhere,” ensuring applications are secure in development, in delivery, and in production. When security is integrated in the DevOps pipeline, delivery is faster and the improved security posture enables greater overall business success.

More than 85% of the applications from public app stores, like the Apple Store and Google Play, violate one or more of the top 10 risks and vulnerabilities identified by OWASP. That clearly shows the current state of our insecure apps, and hence the importance of DevSecOps is even more prominent today, with the need for a transformational shift to improve AppSec.

By integrating application security principles and practices into software development and operations, teams can deliver with more agility without compromising application security.

The talk will articulate how to apply the DevSecOps best practices from Gartner across the different pillars of the Continuous Delivery Pipeline. Threat Modeling as a Service (TMaaS) is carried out to help discover vulnerabilities and plug any gaps in security controls by identifying the threats and building the necessary protection into your DevSecOps workflows. With 60%-80% of today’s typical application being open source code, the primary focus is to identify and remove known open-source vulnerabilities.

Suresh Chandra Bose Ganesh Bose is a senior manager, consulting, at Cognizant Business Consulting. Accredited as a lead assessor by the TMMi Foundation, Suresh has been in the IT industry for more than 23 years, with vast consulting experience in various industries. He has executed strategic initiatives for many Fortune 100 companies across the globe in the areas of PMO, PPM, process consulting, program management, TMMi assessment/implementation, organization strategy, test consulting, and CIO/governance dashboard/metrics.

Suresh holds 21 international IT certifications and speaks at numerous international conferences, such as the American Society for Quality (ASQ) Innovation Conference, Docker Community with JFrog, 8.8 Computer Security Conference, American Software Testing Qualifications Board (ASTQB), DevOps Days, and the Pacific Northwest Software Quality Conference (PNSQC). Suresh has also been part of the selection and review panel for a leading software conference.