Software Security with Melissa McKay @ cdCon

May 8, 2023


Talking about DevSecOps with Melissa McKay of JFrog. At cdCon I caught up with Melissa McKay after she delivered her talk on software security. In this video Melissa talks about the importance of recognizing attack vectors, the mindset of shifting software security all the way to the left, and where DevSecOps fits in.


Video Transcript

Interviewer: Voices from the industry; these are not paid actors. All right, we're here live at cdCon in the JW Marriott in Austin, Texas. I'm here with Melissa McKay. Melissa, how are you?

Melissa McKay: I'm doing great.

Interviewer: And so what is your role? I know you're at JFrog. What is your role there?

Melissa McKay: I'm a Developer Advocate with JFrog, and I just started a couple of years ago, but before that I was a developer: 20-plus years of development experience.

Interviewer: So very cool, a heart for the developer. And so you gave a talk here today about security, about vulnerabilities. Would you mind just giving an overview of what it was about?

Melissa McKay: Yes. Well, basically, I guess the biggest takeaway that I would want someone to have from that talk is: be afraid, be very afraid. Give your laptops and all of your devices a little side eye, and just pay attention. Pay attention to how you're building your software. Pay attention to how your pipelines are actually put together. Most people now are cobbling together different parts of the pipelines; they may use different projects, different vendors, for a different part. It's very important to recognize where the attack vectors are, where to pay attention, where the weaknesses are. And one of the biggest things that I focus on is just, you know, paying attention to the default behavior of the package managers that we use every day. As a Java programmer, I use Maven, and I've trusted Maven for years and years and years. But do I really know, when I'm pulling in a huge framework, do I know every dependency that's getting pulled in that I use as a baseline for the software I'm working on? I don't. There's not enough time in this world for someone to go through and do all of that research themselves. So we come to rely on either a security team or, what you're seeing now in the industry, a lot of different tools, like scanning, that provide scanning for these binaries and these packages, making sure that we're keeping up with our updates. And, you know, the media helps us out a lot, lets us know when we've messed up. So there's a lot of activity any time any vulnerability has been exposed, and everyone knows about it and needs to do something about it now. There's been a few recently that, all of a sudden, people say, "Whoa, what is security for us?"

Interviewer: Yeah. So do you all use the phrase DevSecOps, or do you not? Do you think it's bigger than that, or...?

Melissa McKay: I definitely appreciate DevSecOps. We talk a lot about security being pushed even farther left. So I like to talk about, and in a lot of the workshops I do and the talks I do, we shift it all the way to the left. Talk about it before your software has even begun, before you've even started; that's when discussions need to happen. Now, for a developer, you have all of these techniques that you can use to scan your packages before you even check your code in to source control. You know, it's something that we can start paying attention to now. The struggle for developers is we're not security experts. You still need that; you still need to pull experts in, and that's where I like that term DevSecOps. You've got your developers, you have your security-focused employees, and you have your operations. It doesn't mean that one person knows all those things; it means that all of you work together and you have a composite team, so that all of you can communicate and understand what's going on. For developers, it's one thing to get a list of vulnerabilities that you might have in your software, but now what? What do we do with that? The next problem is analyzing those and deciding which ones are important, which ones aren't, which ones can we ignore, which ones we can't; we can't release until we fix all of these things. We're all working on this, and everyone in the industry is getting better and better at it. They have to.

Interviewer: Yes, very cool. Melissa McKay, thank you so much.

Melissa McKay: Thanks.
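Two points from the interview lend themselves to a concrete check: the Maven dependency you declare is rarely the only one you get, and a raw list of vulnerabilities still has to be triaged before it can gate a release. The script below is an added example, not code from the page, from Melissa McKay or from JFrog. It flattens `mvn dependency:tree` text into coordinates, records which declared dependency pulled each transitive one in, matches them against an advisory list, and applies a simple pre-check-in policy (fail on CRITICAL/HIGH in shipped scopes, report the rest, honour an accepted-risk list). The tree text, the `org.example` coordinates, the `EX-*` advisory identifiers and the `fixed_in` versions are all constructed for illustration and describe no real project or CVE; in practice the hardcoded `ADVISORIES` list would be replaced by a scanner backed by a maintained advisory feed.

```python
"""Flatten `mvn dependency:tree` output and gate it against an advisory list.

Added example, not code from the original page or from JFrog. The tree text
and the advisory entries are constructed for illustration; the org.example
coordinates and EX-* identifiers do not refer to real projects or CVEs.
"""
import re
from dataclasses import dataclass

# One line of `mvn dependency:tree` output: optional "[INFO] " prefix, tree
# drawing made of 3-character cells ("+- ", "\- ", "|  ", "   "), then
# group:artifact:packaging:version[:scope]. The root project line has no
# scope. The six-field form with a classifier is not handled here.
_LINE = re.compile(
    r"^(?:\[INFO\] )?(?P<tree>(?:\+- |\\- |\|  |   )*)"
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<p>[\w\-]+):(?P<v>[\w.\-]+)(?::(?P<s>\w+))?\s*$"
)


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str      # "" for the root project line
    depth: int      # 0 = the project, 1 = declared in the POM, >1 = transitive
    via: tuple      # chain of ancestors (depth 1 .. depth-1) that pulled this in


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    group: str
    artifact: str
    fixed_in: str   # versions that order below this are affected
    severity: str


@dataclass(frozen=True)
class Finding:
    dep: Dep
    advisory: Advisory
    disposition: str  # "block", "accepted", "not-shipped" or "below-threshold"


def version_key(v: str) -> tuple:
    """Leading numeric components of a version, for ordering: '2.9.4' -> (2, 9, 4)."""
    key = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def parse_tree(text: str) -> list:
    """Parse dependency:tree output; depth comes from the 3-char drawing cells."""
    deps, stack = [], []  # stack[i] = coordinate of the ancestor at depth i
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # plugin banners and other [INFO] noise
        depth = len(m.group("tree")) // 3
        coord = f"{m.group('g')}:{m.group('a')}:{m.group('v')}"
        del stack[depth:]  # pop siblings/descendants of the previous line
        deps.append(Dep(m.group("g"), m.group("a"), m.group("v"),
                        m.group("s") or "", depth, tuple(stack[1:])))
        stack.append(coord)
    return deps


# "provided" is supplied by the container at runtime, so it is still reachable;
# only "test" is treated as not shipped.
SHIPPED_SCOPES = {"compile", "runtime", "provided"}


def assess(deps, advisories, accepted=frozenset(), fail_on=("CRITICAL", "HIGH")) -> list:
    """Match every non-root dependency against the advisories and decide a disposition."""
    findings = []
    for dep in deps:
        if dep.depth == 0:
            continue
        for adv in advisories:
            if (adv.group, adv.artifact) != (dep.group, dep.artifact):
                continue
            if not version_key(dep.version) < version_key(adv.fixed_in):
                continue
            if adv.advisory_id in accepted:
                disposition = "accepted"       # documented risk acceptance
            elif dep.scope not in SHIPPED_SCOPES:
                disposition = "not-shipped"    # test-only: report, do not block
            elif adv.severity in fail_on:
                disposition = "block"
            else:
                disposition = "below-threshold"
            findings.append(Finding(dep, adv, disposition))
    return findings


# Constructed sample output; org.example artifacts are hypothetical.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ shop ---
[INFO] com.example:shop:jar:1.4.0
[INFO] +- org.example:web-core:jar:5.2.0:compile
[INFO] |  +- org.example:json-binding:jar:2.9.4:compile
[INFO] |  \- org.example:logging-api:jar:1.7.30:compile
[INFO] +- org.example:auth-client:jar:3.0.1:runtime
[INFO] \- org.example:test-harness:jar:4.12.0:test
[INFO]    \- org.example:json-binding:jar:2.8.0:test
"""

# Constructed advisories; the identifiers and fixed versions are invented.
ADVISORIES = [
    Advisory("EX-2023-0001", "org.example", "json-binding", "2.9.5", "CRITICAL"),
    Advisory("EX-2023-0002", "org.example", "logging-api", "1.7.31", "MEDIUM"),
    Advisory("EX-2023-0003", "org.example", "test-harness", "4.13.0", "HIGH"),
]

if __name__ == "__main__":
    for f in assess(parse_tree(SAMPLE_TREE), ADVISORIES):
        d = f.dep
        path = " -> ".join(d.via) or "declared directly"
        print(f"{f.disposition:15} {f.advisory.advisory_id} {f.advisory.severity:8} "
              f"{d.group}:{d.artifact}:{d.version} ({d.scope}) via {path}")
```

The `via` chain is the part a developer usually cannot see from the POM: here the blocking `json-binding` finding was never declared, it arrived through `web-core`, so the fix is to manage the version or upgrade `web-core`, not to hunt for a line that does not exist. The same artifact at a different version under `test-harness` is reported but not blocked, and an entry in `accepted` turns a block into a recorded decision rather than a silent omission.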