• United States



What is the key to optimized DevSecOps?

BrandPost By Synopsys
Jun 26, 20232 mins

Key insights from AppSec Decoded to improve the ‘Sec’ in DevSecOps—what to know today.

Credit: Synopsys

"Change or die" applies to just about any business in any industry. If you don't adapt to evolving market demands and get better than you were last year, others who do will take your place. Which is why, in the software development world, it's very important--existential, even--to improve. These days, one of the keys to doing that is to get development, operations, and security teams--DevSecOps--to work more efficiently together.

Fortunately, there are ways to do that, which was the focus of an AppSec Decoded conversation at the 2023 RSA Conference in San Francisco between Taylor Armerding, security advocate with the Synopsys Software Integrity Group, and Dr. Matias Madou, security expert, researcher, and CTO and co-founder of Secure Code Warrior.

Madou realized early in his career that it was insufficient simply to detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers and make security less of a burden. He said one key to enabling the win-win-win for DevSecOps teams is to create software testing tools that "speak developer-speak ... that explain to developers why it's a problem, how they should fix it, and how they can prevent introducing the same problem the next time."

Another key is to help developers with "upskilling." Too often, he said, the majority of the security budget is devoted to tools. While this is important, it shouldn't come at the expense of helping developers keep their skills current. "There's an underinvestment in making sure developers have the skills to absorb the information and create secure code," he said. "It's like a cyber gym--you don't just upskill once, and you're good for your entire career. Quite often, if you take a particular job, you need to upskill on a regular basis to be in touch with the latest and greatest."

Finally, support for security needs to come from top to bottom, in the C-suite, and at the developer level.

"To me, it's about making sure the entire culture lives and breathes secure code," Madou said. "That's the only way the organization can move forward at speed."

Watch the full video interview here