Implementing A DevSecOps Program For Large Organizations With David Imhoff

Jul 23, 2024

David Imhoff, Director of DevSecOps at Kroger, discusses implementing DevSecOps in large organizations, balancing regulatory compliance with business objectives, building a security culture, risk mitigation challenges, importance of asset management, security champions, and potential impact of AI on cybersecurity practices.

Ask episode

Chapters

Transcript

Episode notes

Intro

00:00 • 2min

Implementing DevSecOps and Security Champions Program in Large Organizations

01:45 • 13min

Implementing Program with Security Champions and Engineering Collaboration

14:57 • 6min

Implementing DevSecOps in Large Organizations

21:18 • 6min

Implementing DevSecOps for Large Organizations

27:35 • 10min

Exploring the Significance of Threat Modeling in Security for Large Organizations

37:34 • 3min

Episode Summary

In this episode of The Secure Developer, David Imhoff, Director of DevSecOps and Product Security at Kroger, shares insights on implementing DevSecOps in large organizations. He discusses balancing regulatory compliance with business objectives, fostering a security culture, and the challenges of risk mitigation. David also explores the importance of asset management, security champions, and the potential impact of AI on cybersecurity practices.

Show Notes

In this episode of The Secure Developer, host Danny Allan speaks with David Imhoff, Director of DevSecOps and Product Security at Kroger, about implementing security programs in large organizations. David shares his experience transitioning from blue team operations to engineering and back to security, emphasizing the importance of understanding both security and engineering perspectives to create effective DevSecOps programs.

The conversation delves into the challenges of starting a security program in a large retail organization, with David highlighting the importance of understanding regulatory requirements, such as HIPAA, and aligning security measures with business objectives. He discusses the use of the NIST Cybersecurity Framework for measuring and reporting security posture to the board, and the process of balancing security needs with business risk appetite.

David explains Kroger's approach to building a security culture, including the implementation of a security champions program and the use of Objectives and Key Results (OKRs) to drive security initiatives. He details the company's strategies for centralizing security policies while allowing flexibility in implementation across different engineering teams. The discussion also covers the integration of security tools into the development pipeline, including the use of GitHub Actions for vulnerability scanning and management.

The episode explores various security technologies employed at Kroger, including Software Composition Analysis (SCA), Static Application Security Testing (SAST), API security, and secrets scanning. David shares insights on the challenges of prioritizing security alerts and the ongoing effort to provide a cohesive view of risk across multiple tools. The conversation concludes with a discussion on the potential impact of AI on security practices, including the new challenges it presents in areas such as data poisoning and model management, as well as the potential for AI to improve threat modeling processes.

Links

NIST Cybersecurity Framework

Follow Us