Alyssa Miller (CISM) is a life-long hacker, security advocate, author, and public speaker with almost 15 years of experience in security roles. She has always had a passion for deconstructing technology, particularly since buying her first computer at the age of 12 teaching herself BASIC programming. In her career, Alyssa has performed all forms of security assessments but given her developer background, she has a dedication to application security. She specializes in working with business and security leaders to design and deploy effective security programs that strengthen enterprise security posture. Alyssa is also committed to advocating for improving security practices. Not only does she speak internationally at various industry, vendor and corporate events, Alyssa also engages in the community through her online content, media appearances, and security community activism. Her journey through security was recently featured in Cybercrime Magazine. She’s also been recognized in Peerlyst’s e-Book “50 Influential Penetration Testers”. Alyssa is board member for Women of Security (WoSEC), Advisory Board Member for BlueTeam Con, and serves on the review board for DevSec Con. She is currently an Application Security Advocate for London-based Snyk Ltd.
LinkedIn - Twitter
Alyssa Miller dives into the key issues that keep security shut out of the DevOps Pipeline.
Alyssa introduces presentation topic of DevSecOps — 00:00
Alyssa’s background as Hacker/Researcher, Security Advocate (Snyk), and co-host of podcast The Uncommon Journey — 0:43
The story of DevSecOps, starting in 2008 — 1:30
Why have we struggled to make security a part of DevOps? Who is responsible for security? — 2:50
Why isn’t it always easy for developers to handle security? The reality of Modern Development, with dependencies and transitive dependencies. 80 lines of code with 7 direct dependencies becomes 713,348 lines of code — 3:58
The struggle of understanding what’s in our software. Security of Open Source Dependencies. Majorities of vulnerabilities come from indirect dependencies — 5:45
The sprawl of open-source technologies in our applications — too much for developers to keep track of — 7:13
Vulnerabilities in Official DockerHug Images — 9:15
Importance of being aware of potential vulnerabilities, how to discover them, and how to account for them. But security teams are overwhelmed already. — 12:04
Building DevOps differently. Welcome to DevSecOps culture: a blend of governance, process, technology, and people — 13:15
Losing track of culture makes things complex, and this can come from how our DevSecOps pipelines look. Analysis of evolution of the pipeline and conflicting motions across teams in cloud-native environments — 15:00
Frictionless enablement, making sure our security in the pipeline doesn’t increase friction for developers, so instead of creating gates, we should think about security embedded in the phases of the pipeline. Integrating security into the phases of the pipeline, instead of building gates — 17:00
The business value of doing security correctly — 19:21
Thinking about security practices differently. What gets us the most value? — 20:30
Example of collaboration on threat modeling — 21:30
How do we build the culture for this? Start with empathy and a bigger-picture organizational view, understanding shared responsibilities. Alyssa highlights specific programs and examples you can do to foster this. — 23:30
Share your questions and comments below!