The report highlights, for leaders involved in application security development and management, key opportunities to drive security effectiveness, showcasing the best ideas and up-to-the-minute perspectives on everything from secure product lifecycle best practices to creating risk-based cultures that use security as a go-to-market enhancement tool.
Coalfire’s prestigious Cloud Advisory Board (CAB), consisting of some of the world’s most experienced C-level cyber leaders, and cloud security thought leaders from Coalfire, shine a light on how competition, COVID, and the rapid adoption of cloud technologies are driving organizations to build software and bring products to market with novel technologies and new management styles.
Matt Sharp
LogicWorks CISO
Nils Puhlmann
CRSO, MoonPay and Co-founder, Cloud Security Alliance
Tony Spinelli
CISO, Urban One, Inc. and Board advisor to NSA, BCBS and others
Gail Coury
SVP & CISO, F5
Authors
Mark Weatherford
Patrick Kehoe, Coalfire
Smartest path to DevSecOps transformation
Key insights are described for each of the chapters below. Tap on the “+” for access to takeaways for each area – and additional details are available on the highlighted takeaways. The full report, which can be requested below, details all takeaways and more.
Chapter highlights
PREPARATION
DevSecOps is not optional
THE SECURE DEVELOPMENT CYCLE
Risk-based development without end
Creating a risk-based mindset in your org
AUTOMATION
Leveraging DevSecOps to get products to market faster
REPORTING
Communicate to be understood
GOVERNING THE ORGANIZATION
Governance and culture are not one and the same
SECURITY AS A DIFFERENTIATOR
Secure your customer experience
Jerry Bell
CISO and Vice President, IBM Public Cloud
Jerry has been slinging code, managing systems, modeling threats, and hunting down vulnerabilities for 30 years. Jerry has seen it all. Although he’s always learning, nothing in his career has come close to the disruption of the cloud, and with it, the need to learn more, faster. The cloud’s impact on development, together with the expansion of risk exposure and fundamentally new capabilities for risk mitigation, compels CISOs and InfoSec professionals to adapt to faster learning curves and implement novel approaches to development lifecycles.
Chapter 2: The secure development lifecycle
Adrian Mayers, Dr. B.A.
CISO and Vice President, Premera Blue Cross
As the current CISO of Premera Blue Cross, with seats on 10 security advisory boards, and as an alumnus of Nokia and Vertafore, Adrian’s professional experience signaled to him the coming long-term upheaval caused by digital transformation. He has managed enterprise security programs for the past 20 years and his extensive understanding of cyber policy gives him the unique perspective of the landscape both up close and geopolitically.
Chapter 3: Culture
While DevSecOps can address risks within the SDLC (Software Development Lifecycle), it doesn't often cleanly align with legacy development approaches.
Matt Sharp
CISO, LogicWorks
Matt recognized the upside in digital transformation early. First, he got his MBA, then he refactored his career around DevSecOps in the public cloud. Matt’s success as a security professional comes at the heels of a dogged persistence and intense discipline. Prior to his current role, Matt partnered to build a global InfoSec program and today he is helping others create and protect digital business value.
Chapter 4: Automation
In reality, five years ago very few customers had basic automation or requisite organizational structures to support fully automated code deployment. Now, we certainly observe a rising customer desire for distributed, immutable, containerized or serverless environments.
Nils Puhlmann
CRSO, MoonPay and Co-founder, Cloud Security Alliance
Nils has been questioning the status quo for his entire career. His resume in brief includes security executive leadership roles at five public companies, pivotal positions in two IPOs, and numerous industry board positions. His passion is conveyed through the dedication of his spare time to give back to the community and challenge the status quo thinking in security. To wit, he co-founded the Cloud Security Alliance in 2008 to ensure that the speed of technology innovation did not blindside the security industry again. He’s built security programs and teams at scale and has focused on coaching and building future security leaders. The hallmark of his professional style is thinking bigger. He’s been looking to the future of technology and security since most of us were on dial-up and he’s not going to stop any time soon. To this day, he enjoys applying and adjusting security principles at companies that disrupt existing industries.
Chapter 5: Governance
Tony Spinelli
CIO, Urban One, Inc. and Board director Peapack
From pioneering global security practices at Ernst & Young a quarter century ago to leveraging AI/ML into cloud security strategies at Urban One today, Tony has had a hand in shifting every paradigm since the dawn of cyber history. He was there when First Data set the table for secure electronic payments; when Tyco pioneered the movement to public cloud operations; when Capital One was the first bank to go cloud-native; and pretty much everywhere in between, before, or since.
Chapter 6: Reporting
Gail Coury
CISO and Senior Vice President, F5
Math was Gail’s favorite subject. She pivoted from wanting to be a math teacher to getting a Computer Science degree, and the result has been a long and influential career in application development and security. From one of the software industry’s most significant M&A ventures starting in the ’90s with JD Edwards, Peoplesoft, and Oracle, to today as CISO at F5, the world is cybersafer thanks to Gail’s contributions. She continues to shape future generations of cybersecurity through her devoted advocacy of Women in Tech.
Chapter 7: The Secure Customer Experience
Market your organization as one that cares about security, as one that is fundamentally maturing in its cyber mission and culture.
1. Define and align your vision.
2. Commit to train, train, train.
3. Plan for, and invest in, automation.
4. Enlist an AppSec champion for support and scalability.
Shift your talking points to reflect functional business objectives instead of security objectives.
Embrace defensible instead of obsessing over being “secure.”
Streamline tools to ensure technology and people are being deployed efficiently and effectively.
CULTURE
• CISOs should engage with peer-to-peer respect and enter with empathy and a listening/learning mindset.
• Let’s be fair to everyone, but let’s start with being fair to the customer.
• Start the conversation with designers, developers, and engineers from the customer’s threat perspective.
• We’re sellers, and our buyers need assurance. If they don’t get it, they’ll find somewhere else that provides and certifies it.
• Ownership and accountability need to be clarified and delegated.
• Development may have legitimate grievances with security or executive leadership.
• Use organizational purpose and mission to reframe the context of “why” and “how” to develop respect and build trust.
• Turn the conversation into how the DevSecOps process affects managers and their direct reports.
• Understand that developer culture places tremendous value on quality.
• Merge security with quality and infuse it into company culture.
• Cross-functional collaboration will strengthen the business value proposition and enhance job security.
• Building and embracing the new culture will lead to successful employees with more portable skills, enabling career evolution and promotion.
• Secure applications drive revenue and enable business functions like M&A.
• Adoption of the risk-based culture within DevSecOps will promote healthy competition, purpose and pride within teams and in their ability to code securely.
• Enable, improve, and build cultural diversity, equity, and inclusion. Culture should be a mosaic of the company and the customers it serves.
Chapter 1: Preparation
Chapter 2: The secure development cycle
Authors: Jerry Bell; Caitlin Johanson, Coalfire; Adrian Mayers, Ph.D., VP, CISO, Premera Blue Cross
Chapter 3: Culture
Authors: Adrian Mayers, Dr. B.A.; Mike Eisenberg, Coalfire
Chapter 4: Automation
Authors: Matt Sharp; Adam Kerns, Coalfire
Chapter 5: Governing the organization
Authors: Nils Puhlmann; Matt Klein, Coalfire
Chapter 6: Reporting
Authors: Tony Spinelli; John Hellickson, Coalfire
Chapter 7: Security as a differentiator
Authors: Gail Coury; Nate Demuth, Coalfire
Mark Weatherford
CSO, AlertEnterprise and CSO, National Cybersecurity Center and Board advisor to public and private organizations
After a 26-year career as a cryptologist in the U.S. Navy, Mark retired and joined a defense contractor to build and operate the Navy’s first enterprise SOC. Among other positions on a resume too long to list here, he became the first CISO for the State of Colorado and worked with Coalfire Founder Rick Dakin to write the state’s first InfoSec policy. It was the first legislation of its kind to be passed by a state government and established Colorado as a leader in cybersecurity. Following Colorado, Weatherford was lured to California where he once again became the state’s first CISO, this time working with +160 state agencies and departments. Then the White House called, and he was appointed as DHS’s first Deputy Under Secretary for Cybersecurity.
Patrick Kehoe
Co-author
Chief Marketing and Strategy Officer, Coalfire
30 years in Tech / go-to-market leadership roles with 10+ years of cloud and cybersecurity experience
Chapter 1: Preparation
Though cybercrime is inevitable, companies, suppliers, and vendors simply cannot afford not to adopt a zero-tolerance mentality. It’s falling on CISOs and DevSecOps teams to turn around this out-of-control loss-of-trust train as fast as we can.
Caitlin Johanson
Director, App Security Services, Coalfire
13+ years of security and engineering experience
Mike Eisenberg
VP, Strategy, Privacy, and Risk, Coalfire
Former Global CISO with 35+ years of security experience
Adam Kerns
Managing Principal Cloud Eng., Coalfire
18+ years of security and engineering experience
Matt Klein
Field CISO, Coalfire
Former CISO with 25+ years of security experience
John Hellickson
Field CISO, Coalfire
Former Global CISO with 30 years of security and infrastructure experience
Nate Demuth
Senior Director, Cloud Services, Coalfire
10 years of security and consulting experience
Report introduction
Gauge security awareness and interest with the organization’s leadership.
Articulate what “secure” means, why you want to be secure, and get others to believe.
Coach fellow managers and executives into alignment between security and C-suite teams.
Cultivate a regular audience with the board, and get them on board.
Establish expectations, policies, and a culture that orbits around security.
• Executive buy-in/support
• Dedicated application security resources
• Shift-left security (DevSecOps)
• Defined secure coding standards
• Secure SDLC maturity roadmap
• Application security testing gates
• Cross-functional communication/collaboration
The cultural triad (who and how): partnership, cooperation, collaboration
DevSecOps lifecycle
Goals of continuous development (plan and develop)
• Embed security perspectives (from the start) into the product design and configuration management processes
• Identify risks and threats
• Develop and maintain repositories for good known technical assets (application code, IaC, AMIs, reference architectures, etc.)
Goals of CI/CD (build and test)
• Create a bill of materials for each source code branch
• Manage and inventory dependencies
• Harden AMIs/VMs and containers to established security baselines
• Collect governance artifacts and automate traceability
• Identify and remediate misconfigurations and vulnerabilities within a lower run-time environment
• Identify and remediate environment availability concerns
Goals of continuous deployment (release and deploy)
• Automatically identify misconfigurations and vulnerabilities within development workstreams
• Receive (near) real-time alerting when security and functional inspections fail
• Reduce down times/interruptions for production systems (availability)
• Perform security configuration checks for cloud-native services
• Validate that secrets are adequately secured
• Perform checks against serverless functions to reduce attack vectors and security weaknesses
Goals of continuous monitoring (operate and monitor)
• Continuously monitor system health and performance
• Collect governance artifacts and automate traceability
• Apply controls that support incident response activities
• Identify and detect anomalous activities
• Implement effective patch and vulnerability management strategies
• Auto scale the environment based on customer demands and workload requirements
• Apply controls that segment inter-workload/container communications and access
Automation use cases
Consider the following development-stage security integrations in your cloud-native application lifecycle:
How CISOs communicate their vision
Most impactful approaches for embedding security into the SDLC
Inject security from the outset.
Embrace the mindset that attacks are inevitable.
Build executive buy-in by tracking business KPIs (not just security KPIs).
Mitigate risks before writing code by threat modeling.
Identify which internal obstacles may be causing issues and how to manage pervasive cultural habits.
Rely on the cultural triad (partnership, cooperation, and collaboration) and plan to build from the ground up.
Focus your efforts to build culture on shared goals and outcomes between security and IT teams.
Articulate security first messages as customer first messages.
Align and work closely with customers to understand how automation best supports their needs.
Expand automation use cases.
Manage lessons learned in deployment.
Incorporate qualitative metrics for comprehensive security dialogue. While countless orgs rely solely on quantitative measures, there is an enormous gap in looking at security this way.
Insist on centralized accountability for security, starting at the Board level.
Embrace the idea that having security expertise in your organization is not the same thing as governance and commit leadership to the cause through a shared responsibility model.
Require a cultural shift away from “moving fast and breaking things” to prioritizing quality and completeness.
Incorporate security and trust into messaging alongside features and specifications.
Competitive differentiation is a team sport that requires knowing how to talk about being secure internally and externally.
Ensure customers know that you, and your supply chain, are secure and be able to back that up with certifications and proof points if asked.
In-person discussions/workshops as part of purchase process
Access to compliance reports
Maturity score/benchmark (e.g., against frameworks, industry peers)
Pen test results
Customer-facing collateral providing high-level overview of security approach
Vendor security assessments provided by partners/service providers
Customer-facing collateral provided by partners/service providers
Security rating by third party (e.g., BitSight, Security Scorecard)