Software Security with Melissa McKay @ cdCon

May 8, 2023

Talking about DevSecOps with Melissa McKay of JFrog. At cdCon I caught up with Melissa McKay after she delivered her talk on software security. In this video, Melissa talks about the importance of recognizing attack vectors, the mindset of shifting software security all the way to the left, and where DevSecOps fits in.


Melissa McKay

Melissa is a long-time developer/software engineer turned international speaker and is currently a Developer Advocate on the JFrog Developer Relations team, sharing in the mission to improve the developer experience with DevOps methodologies. Her background and experience as a software engineer span a slew of languages, technologies, and tools used in the development and operation of enterprise products and services. She is a mom, Java Champion, Docker Captain, co-author of the upcoming book DevOps Tools for Java Developers, a huge fan of UNconferences, and is always on the lookout for ways to grow and learn. She has spoken at KubeCon, DockerCon, CodeOne, JFokus, Java Dev Day Mexico, the Great International Developer Summit, and is part of the JCrete and JAlba UNconference teams. Given her passion for teaching, sharing, and inspiring fellow practitioners, you are likely to cross paths with her on the conference circuit, both online and off!

Video Transcript

I'm here with Melissa McKay. Melissa, how are you?

I'm doing great.

And so what is your role? I know you're JFrog. What is your role there?

I'm a Developer Advocate with JFrog, and I just started a couple of years ago, but before that I was a developer: 20-plus years of development experience.

So very cool, heart for the developer. And so you gave a talk here today about security, about vulnerabilities. You mind just giving an overview of what it was about?

Yes. Well, basically, I guess the biggest takeaway that I would want someone to have from that talk is: be afraid, be very afraid. And, hey, give your laptops and all of your devices a little side eye, and just pay attention. Pay attention to how you're building your software, pay attention to how your pipelines are actually put together. Most people now are cobbling together different parts of the pipelines; they may use different projects, different vendors for a different part. It's very important to recognize where the attack vectors are, where to pay attention to where the weaknesses are. And one of the biggest things that I focus on is just, you know, paying attention to the default behavior of the package managers that we use every day. As a Java programmer, you know, I use Maven, and I've trusted Maven for years and years and years. But do I really know, when I'm pulling in a huge framework, do I know every dependency that's getting pulled in, that I use, you know, as a baseline for the software I'm working on? I don't. There's not enough time in this world for someone to go through and do all of that research themselves. So we come to rely on either a security team or, what you're seeing now in the industry, a lot of different tools, like scanning, that provide scanning for these binaries, these packages, making sure that we're keeping up with our updates. And, you know, the media helps us out a lot, lets us know when we've messed up. So there's a lot of, I know, activity any time any vulnerability has been exposed, and everyone knows about it and needs to do something about it now. There have been a few recently where, all of a sudden, people say, whoa, what is security for us?

Yeah. So do you all use the phrase DevSecOps, or do you not? Do you think it's bigger than that, or...?

I definitely appreciate DevSecOps. We talk a lot about security being pushed even farther left. So I like to talk about, and in a lot of the workshops I do and the talks I do, we shift it all the way to the left. Talk about it before your software has even begun, before you've even started; that's when discussions need to happen. Now, for a developer, you have all of these techniques that you can use to scan your packages before you even check your code in to source control. You know, it's something that we can start paying attention to now. The struggle for developers is we're not security experts. You still need that, you still need to pull experts in, and that's where I like that term DevSecOps. You've got your developers, you have your security-focused employees, and you have your operations. It doesn't mean that one person knows all those things; it means that all of you work together and you have a composite team, so that all of you can communicate and understand what's going on. For developers, it's one thing to get a list of vulnerabilities that you might have in your software, but now what? What do we do with that? The next problem is analyzing those and deciding which ones are important, which ones aren't, which ones can we ignore, which ones we can't release until we fix. All of these things we're all working on, and everyone in the industry is getting better and better at this. They have to.

Yes. Very cool. Melissa McKay, thank you so much.

Thanks.
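Two points from the interview, that Maven resolves transitive dependencies a developer never listed, and that a vulnerability list still has to be triaged into "ship-blocking" versus "ignorable", can be made concrete with a small script. The following is an added example for this page, not code from the interview, from Melissa McKay, or from JFrog. It parses the text that `mvn dependency:tree` prints, collapses repeated occurrences of the same artifact, and matches each artifact against an advisory list; the project, the library coordinates and the advisory entries are constructed for the illustration and describe no real vulnerability.

```python
"""Parse `mvn dependency:tree` output and triage it against an advisory list.

Added example (not JFrog's or Melissa McKay's code). SAMPLE_TREE and
ADVISORIES are constructed for illustration; the coordinates and advisory
identifiers below do not refer to any real library or vulnerability.
"""
import re
from dataclasses import dataclass

# Constructed: what `mvn dependency:tree` prints for a small project.
# The same library (yaml-parser) is reached on a compile path and on a
# test-only path, which is the case triage has to tell apart.
SAMPLE_TREE = r"""
[INFO] --- dependency:3.6.0:tree (default-cli) @ shop ---
[INFO] com.example:shop:jar:1.0.0
[INFO] +- com.example.web:web-framework:jar:3.2.0:compile
[INFO] |  +- com.example.web:web-core:jar:3.2.0:compile
[INFO] |  |  \- com.example.util:yaml-parser:jar:1.9.4:compile
[INFO] |  \- com.example.util:json-mapper:jar:2.1.0:compile
[INFO] +- com.example.util:logging-api:jar:1.7.0:compile
[INFO] \- org.example.test:unit-tests:jar:5.8.0:test
[INFO]    \- com.example.util:yaml-parser:jar:1.9.4:test
[INFO] ------------------------------------------------------------------------
"""

# Constructed advisory feed: (groupId, artifactId, first fixed version, id).
ADVISORIES = [
    ("com.example.util", "yaml-parser", "2.0.0", "EX-ADV-0001"),
    ("com.example.util", "logging-api", "1.7.1", "EX-ADV-0002"),
    ("org.example.test", "unit-tests", "5.0.0", "EX-ADV-0003"),  # not affected
]

# "[INFO] " then the tree drawing (three characters per nesting level),
# then group:artifact:... coordinates; banner lines contain no ':' and skip.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\ -]*)(?P<coords>[^:\s]+:\S+)\s*$")


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str  # compile, runtime, test, ...
    depth: int  # 1 = declared in the pom, >1 = pulled in transitively


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    advisory: str
    fixed_in: str
    direct: bool  # declared in the pom (fix it there) or transitive (manage/exclude)
    ships: bool   # False when only test-scoped paths reach it


def version_key(v: str) -> tuple:
    """Dotted-numeric ordering; non-numeric parts (qualifiers) compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def parse_tree(text: str) -> list[Dep]:
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, separator, blank line
        depth = len(m.group("prefix")) // 3
        if depth == 0:
            continue  # the project itself
        parts = m.group("coords").split(":")
        if len(parts) == 5:    # group:artifact:type:version:scope
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:  # group:artifact:type:classifier:version:scope
            group, artifact, _type, _cls, version, scope = parts
        else:
            continue
        deps.append(Dep(group, artifact, version, scope, depth))
    return deps


def triage(deps: list[Dep], advisories: list[tuple]) -> list[Finding]:
    # Collapse repeats: a library reached on several paths ships if any
    # non-test path reaches it, and is "direct" at its shallowest depth.
    by_coord: dict[tuple, dict] = {}
    for d in deps:
        info = by_coord.setdefault((d.group, d.artifact, d.version), {"depth": d.depth, "ships": False})
        info["depth"] = min(info["depth"], d.depth)
        info["ships"] |= d.scope != "test"
    findings = []
    for (group, artifact, version), info in by_coord.items():
        for adv_group, adv_artifact, fixed_in, adv_id in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and version_key(version) < version_key(fixed_in):
                findings.append(Finding(group, artifact, version, adv_id, fixed_in,
                                        direct=info["depth"] == 1, ships=info["ships"]))
    return findings


def report(findings: list[Finding]) -> list[str]:
    return [
        f"{f.advisory}: {f.group}:{f.artifact}:{f.version} "
        f"({'direct' if f.direct else 'transitive'}, "
        f"{'ships in artifact' if f.ships else 'test-only, does not ship'}); fixed in {f.fixed_in}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(triage(parse_tree(SAMPLE_TREE), ADVISORIES)):
        print(line)
```

In a real pipeline the tree text comes from `mvn dependency:tree` on the project and the advisory list from a scanner or feed; the two flags on each finding are what turn a raw list into a decision, since a transitive hit needs a `dependencyManagement` override or an exclusion rather than a version bump in the pom, and a test-only hit does not block a release the way a shipping one does.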