EP 50 — DryRun Security’s James Wickett on Aligning Incentives and Speaking the Same Language with Developers and Security

In this special episode of the Future of Application Security, recorded at the Developers and Security are Friends Day, Eric speaks with James Wickett, co-founder and CEO of DryRun Security, a company that provides security products for developers. They discuss the misaligned incentives between developers and security and how teams can learn how to speak the same language to increase value. They also talk about how the SLIDE Model helps with context analysis, why you should focus less on control and more on context and composition in your security, and how organizations can close their knowledge gaps.

Topics discussed:

• Some of the frictions between security and developers, including how incentives are often misaligned and how each team has a different focus.
• How to talk the same language so that security and developers can build relationships that bring value to their organizations.
• What the SLIDE Model is and how it can help you better understand the context of your security actions and your priorities.
• How organizations can fill in their knowledge gaps and why it’s key to return to first principles in a world of automation and tooling.
• How security impacts an organization through control, composition, and context, and why organizations should lessen their dependence on control.
• How security is like barbeque, and why Oklahoma is a great analogy for a DevSec model.

Quotes: 

“Often I’ll go to DevOps conferences and talk about security and security conferences and talk about DevOps and really just trying to bring this together, because I feel like we’re all kind of going for the same thing, but we often have differing incentives, different places in the organization, different staffing resources, all that stuff, right? And so it creates a lot of friction between the groups and yeah, so I want to be part of helping make that better. I’ve seen the benefit of that throughout my career and hoping to see that help other people.” 

“Security and developers and how we’re fitting together … in many organizations, they’re trying to go through that same arc, same journey of trying to bridge those two groups to get them to work together and to do it in a way that is for the good of the organization.” 

“We talked about contextual security analysis, and we started working on writing this down. How do we pick up all these pieces of context that give us a way to think about it? And we break it up into five key areas and we use the SLIDE model.”

“We seem to have access nowadays to a lot of tooling and a lot of automation possibilities. But sometimes we don’t return to first principles of why we’re doing something in an organization.” 

“Control, composition, and context, they all work together, but you want to be lighter and really crisp on what you want to put control over. You can be more loose with composition and context, because you’re able to not putting blocking and barriers in place for developers.”