Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This is a Snyk panel discussion on “Shift Left Strategy with CISOs” featuring Anant Shrivastava (Technical Director, NotSoSecure) and Patrick Pachapa (Director of Information Security and Risk, Altia Group), moderated by Vandana.
Panelists
Anant Shrivastava: Information security professional with 12+ years of corporate experience and expertise in network, mobile application and Linux security; Technical Director for NotSoSecure Global Services; speaker and trainer at various international conferences (Black Hat USA/Asia/EU, NULLCon, KOKON); leads multiple open source projects (Android Tamer, Code Vigilant, Hacking Archives of India)
Patrick Pachapa: Graduated as an Electronics and Communication Engineer in 1995 and moved into IT in 1997; 24 years of experience covering all aspects of IoT infrastructure and security; currently Director of Information Security and Risk at Altia Group (a Middle East-based retail franchisee operator)
Key Topics Discussed
DevOps and Security Teams Working Together:
Still silos: Many teams are still working in silos, running their own projects separate from the main agenda
CISO's major aim: Make sure security gets integrated; if it does not get integrated, the result is as good as the old model
Old model: Business analysts gathered requirements and security had nothing to do with it; development teams developed, testing teams tested, and only after that did the security team get involved (VAPT, vulnerability assessment and penetration testing), just before the code went into production
Still playing out: This sequence is still playing out in quite a few places across the industry
Maturity level: Still way off; there is a lot of work to do
Larger vs Smaller Organizations:
Larger companies: Massive teams working on things; very hard to get them to form a single team and work as a single unit
Startup world/agile companies: A small number of people take up both dev and ops responsibility
Security: Always at the far end of the ladder and not much involved; that is the whole point of the keyword "sec" being added into DevOps
CISO as Scapegoat:
Equifax breach: More than 140 million user records were stolen; a week later the CISO was fired
CISOs raised their voices: Why was the head of development not fired?
DevSecOps model: Security gets involved right there; there should be a security architect sitting with the software architects when requirements are gathered
De-risk Individuals, Focus on Collective Responsibility:
If a hack happens: Not one person is responsible; it is a collective responsibility right from dev to ops to security
The moment you de-risk individuals: When that part is out of the equation, people start looking at "okay, something has gone wrong, what can we collectively do to fix it"
In-House vs Vendors:
Need a skeleton crew: Within the organization (no matter how small or how big) who understand what those tools are
Three to five people: Minimum three, maximum five; a governance team maintaining the DevSecOps pipeline
Your mileage will most definitely vary: With every single organization
Shift Left:
Unavoidable: With a release pretty much every week or every day
Three musketeers: Development, testing and security, all working together
Sony television example: Automation built into manufacturing eliminates defects before the end of the conveyor belt (the pipeline equivalent: automated checks that catch defects before a release reaches production)
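As an added illustration of what "automation built into the conveyor belt" looks like for a software pipeline (this is an editor's example, not material from the panel or from Snyk): a GitHub Actions workflow for a hypothetical Node.js repository in which development (build and unit tests), testing and security scanning run side by side on every pull request, and any failing stage blocks the merge. The repository layout, the `npm test` script and the `SNYK_TOKEN` secret name are assumptions.

```yaml
# Added example, not from the original page. Assumes a Node.js project with
# an `npm test` script and a SNYK_TOKEN repository secret; adjust to your stack.
name: pr-checks

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # lets CodeQL upload its results to the Security tab

jobs:
  # Development and testing: the code must build and its own tests must pass.
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test

  # Security, stage 1: known-vulnerable dependencies. The threshold keeps the
  # gate from blocking on every low-severity advisory, which is what makes it
  # acceptable to developers on a weekly or daily release cadence.
  dependency-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

  # Security, stage 2: static analysis of the code in the pull request itself.
  static-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3
```

A red check is only advisory until the three jobs are listed as required status checks in the branch protection rule for `main`; that setting is what turns the workflow into the conveyor-belt stop the panel describes. The severity threshold is a tuning knob: a large environment with a long backlog of pre-existing findings will usually start at high, then lower it as the backlog is worked down.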
Key Insights:
DevOps and security teams are still working in silos; the maturity level is way off
CISO as scapegoat: in the Equifax example the CISO was fired a week after the breach
De-risk individuals and focus on collective responsibility
In-house vs vendors: you need a skeleton team who understand the tooling
Shift left is unavoidable with releases every week or every day, maybe every hour
Sony television example: automation eliminates defects before the end of the conveyor belt
Security operations: whether to offload to a third party or handle in-house
Actionable Takeaways:
Break the silos between DevOps and security teams; there is a lot of work to do
Do not make the CISO the scapegoat (Equifax: the CISO was fired); share accountability across the organization
De-risk individuals and focus on collective responsibility
Respect the experience of people already in the organization
In-house vs vendors: keep a skeleton team of three to five people who understand the tooling
Treat shift left as unavoidable when releasing every week or every day
Customize tools for large environments rather than running them as shipped
Follow the Sony television example: automate so that defects are eliminated before the end of the conveyor belt
Decide how security operations will be offloaded or handled in-house
Three musketeers: development, testing and security, all working together