Transformation Blueprint for Developer-Centric Application Security


Room: “Gesang” / 2nd floor

Abstract: The traditional approach to quality assurance (QA) was disrupted when the Agile movement led most development teams to take at least partial ownership of the quality of their products. That shift involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices. The cloud-native and DevOps movements similarly disrupted traditional IT Ops.

Now it’s security’s turn, but here’s the rub.

NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in those lists are unprioritized, are written for security specialists, and do not specify the adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.

You will come out of this workshop with a Transformation Blueprint for accomplishing the cultural shift to developer-centric application security at your organization. The approach is derived from the program that Larry has used to accomplish this shift for over 600 development teams. Since Larry is a developer, writing code every day, his program is perfectly suited to the way development teams really want to work, rather than how security folks assume they work.

Prerequisites for this workshop: There are no special prerequisites. Participants, typically members of a development team, should be interested in learning how to accomplish a cultural shift to developer-centric application security.

Number of participants: 30 participants max



Larry Maccherone


Dev[Sec]Ops Transformation Architect @ Contrast Security

Larry Maccherone is a thought leader on DevSecOps, Agile, and Analytics.

At Comcast, Larry launched and scaled the DevSecOps Transformation