DevOpsDays Halifax

Doing more with less - DevSecOps with limited budget
2024-08-21 , Scotiabank Lecture Hall

Cost is the most powerful driving factor of everything we do in a DevSecOps program (or anything in general) and yet, more often than not, focus is on well-discussed trilogy - People, Process and Technology. In this talk I will share my real-world approaches, experiences & learnings of a scalable DevSecOps program and provide the cost perspective to it. It will help the application security professionals to understand how they can optimize the (limited) resources to achieve the relevant and measurable outcome.


In today’s time everyone will agree and we have enough data to prove that
1. Business demands software fast and frequent and secure
2. Technologies are growing at unprecedented rate
3. Organizations are operationally complex
4. Security is tough
5. Information security skill gap is real
6. Security budget is limited

We have several good content covering the importance of well-discussed trilogy - People, Process, Technology. In this talk I am going to do a deep dive into the cost aspect of a DevSecOps program and how we can optimize the limited resources to secure software faster and align with modern SDLC. The content of this talk will provide the guidelines with case-study to application security professionals to devise and adapt a DevSecOps program aligning to their organization business needs.

Presentation Outline
1. Challenges - First I will describe the challenges of making and keeping a software secure in the modern software development lifecycle.
2. Methodology - DevSecOps is the only way to ship softwares quickly while staying secure and compliant. I will present approaches, learnings and experiences of real-world DevSecOps programs I have been part of.
3. Cost Analysis - In this section, I will do a deep dive into the cost of each activity mentioned in the above section providing the OpEx and CapEx analysis from both tools and people perspective.
4. Role of Metrics - I will have a separate section for the role of metrics in a successful and scalable DevSecOps program and how they help to sell the program to leadership.
5. Optimization Tips & Techniques - Last, I will share tips and techniques both technical and non-technical to optimize the resources and reduce the cost to achieve more with less. I will present a case-study of automation, self-service security services, removal of false-positives with contextual analysis and open source solutions utilization.

Pramod Rana is author of below open source projects:
1. Omniscient - LetsMapYourNetwork: a graph-based asset management framework
2. sec-depend-aider - Dependabot pull request monitoring automation platform
3. CICDGuard - Orchestrating visibility and security of CICD ecosystem
4. vPrioritizer - Art of Risk Prioritization: a risk prioritization framework

He has presented at BlackHat, Defcon, nullcon, OWASPGlobalAppSec, HackMiami, HackInParis and Insomnihack before.

He is leading the application security team in Netskope with primary focus on integrating security controls in the development process and providing security-testing-as-a-service to engineering teams.