
A Developer’s Guide to “Making a Deal” with Security

There is the way development really functions and there is the way security believes development functions. In most organizations, the two don’t match.

This is a guide that engineering can use to “make a deal” with security so they more closely align. It does so by answering these questions:

  • What are the basic software engineering prerequisites (aka DevOps basics) for effectively doing true Shift-Left, Developer-First Security, aka Dev(Sec)Ops?
  • How can you help security get it right, so that the practices and tools they are trying to get you to adopt suit the way developers want to work while providing better cyber risk reduction?
  • What are the criteria for a good tool? Hint: low false positives and rapid feedback, but:
    • Why are low false positives and rapid feedback the most critical?
    • How rapid is good enough?
    • What level of false positives should be considered low?
  • And, most importantly, how do you “make a deal” with security to provide you with these kinds of practices and tools?



Larry Maccherone
Larry Maccherone's work has empowered 600 development teams to take ownership of the security of their software. He embodies a rare combination of a deep cybersecurity background with current software development experience. He was a founding Director at Carnegie Mellon's CyLab and co-led the launch of the Build-Security-In initiative, but he is also the author of a dozen or so open-source projects, one of which gets a million downloads per month, and all of which use the approach he advocates. In his Dev(Sec)Ops Transformation role at Contrast, he now applies what he learned to guide organisations with a framework for safely empowering development teams to take ownership of the security of their products.
