DOES US 2021 has ended
Wednesday, October 6 • 2:20pm - 2:50pm
DevSecOps - The Broken or Blurred Lines of Defense


A classic model for risk management and control is something called “The Three Lines of Defense (3ODL).”

The three lines are as follows:
Line 1: Risk Owners - Front line staff and operational management
Line 2: Risk Oversight - Risk management and compliance functions
Line 3: Risk Assurance - Internal audit

However, with the advent of modern sociotechnical systems like Agile, Cloud Native, and Event-Driven architectures, these legacy lines (3ODL) are at best blurred and at worst completely broken. With the modern patterns and practices of DevOps and DevSecOps, it’s no longer clear who the front-line owners are. Risk management and organizational compliance teams struggle to adapt to new cloud-native models such as ephemeral containers, functions, microservices, and event-driven architectures. Most organizations' internal audit processes today are highly toil-based and have very low efficacy. This is something I have called in previous presentations “Security and Compliance Theater.”

In this presentation, we are going to look at a couple of case studies that include the good, the bad, and the ugly when it comes to 3ODL. Primary topics covered will be organizational design, DevSecOps, and Automated Governance.


John Willis

Distinguished Researcher, Kosli
John Willis is a Distinguished Researcher at Kosli. Previously, he was Senior Director of the Global Transformation Office at Red Hat. Before Red Hat, he was the Director of Ecosystem Development for Docker, which he joined after the company he co-founded (SocketPlane, which focused...

Wednesday October 6, 2021 2:20pm - 2:50pm CDT
Track 3