About this DevOps Toolchain Episode:
In today's episode, AI-Powered Security Orchestration in DevOps, we'll delve into the nitty-gritty of how DevOps can effectively integrate application security into every phase of the Software Development Lifecycle.
Brittany Greenfield, CEO and founder of Wabbi, joins the show to debunk the myth of “DevSecOps” and reinstate the idea that security should be an inherent detail in DevOps, not an add-on.
Brittany will discuss the advanced concept of application security posture management and its pivotal role in aligning development and security processes using tools that resonate with what developers already know.
Throughout our discussion, we'll highlight the urgent need for application security, where 9 out of 10 breaches find their roots. We'll explore how Wabbi's approach is revolutionizing this space by leveraging AI and machine learning. We'll also underline the criticality of developer collaboration with application security teams, a key aspect that cannot be overlooked, and how to navigate the vibrant landscape of application security lifecycle management.
Get ready for a deep dive into transforming the DevOps security culture and understanding why marrying development with security is more than just a checklist.
Listen up!
TestGuild DevOps Toolchain Exclusive Sponsor
BUGSNAG: Get real-time data on real-user experiences – really.
Latency is the silent killer of apps. It’s frustrating for the user, and under the radar for you. It’s easily overlooked by standard error monitoring. But now BugSnag, an all-in-one observability solution, has its own performance monitoring feature: Real User Monitoring.
It detects and reports real-user performance data – in real time – so you can rapidly identify lags. Plus gives you the context to fix them.
Try out Bugsnag for free, today. No credit card required.
About Brittany Greenfield
Brittany Greenfield is the CEO & Founder of Wabbi, she's a leading force in Application Security, recognized as a Top Woman in Cybersecurity by Cyber Defense Magazine and her peers in the Cybersecurity Excellence Awards, as well as as a 40 Under 40 by Boston Business Journal. She is the CEO & founder of Wabbi, backed by investors including Cisco and work-bench, has pioneered what is now known as the Application Security Posture Management space with its continuous security platform that bridges the gap between security and development. In recognition of its leadership at the forefront of innovation in cybersecurity, Wabbi has been named an RSA Innovation Sandbox Finalist, Best DevSecOps Solution, and Publisher's Choice in Software Development Lifecycle Security.
Connect with Brittany Greenfield
- Company: www.wabbisoft
- Blog: www.brittanygreenfield
- LinkedIn: www.brittanygreenfield
Rate and Review TestGuild DevOps Toolchain Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.
[00:00:01] Get ready to discover some of the most actionable DevOps techniques and tooling, including performance and reliability for some of the world's smartest engineers. Hey, I'm Joe Colantonio, host of the DevOps Toolchain Podcast and my goal is to help you create DevOps toolchain awesomeness.
[00:00:19] Hey, it's Joe, and welcome to another episode of the Test Guild DevOps Toolchain. And today, we'll be talking with Brittany Greenfield all about DevOps, continuous security, development, application security, posture management, and a bunch more. Really excited to have her on the show. If you don't know, Brittany is the CEO and founder of Wabbi. She is also a leading force in application security, recognized as a top woman in cybersecurity by Cyber Defense Magazine and her peers in the Cybersecurity Excellence Award, as well as a 40 under 40 by Boston Business Journal. So she really knows her stuff. And I'm really excited because today, she is the founder of a company, Wabbi that has really pioneered what is known as application security posture management space, with its continuous security platform that bridges the gap between security and development which is really in the wheelhouse of what I think you all are interested in. And so if you want to know about the future of DevOps, you don't want to miss this episode. Check it out.
[00:01:19] Hey, if you're app is slow, it could be worse than an error. It could be frustrating. And one thing I've learned over my 25 years in industry is that frustrated users don't last long. But since slow performance isn't sudden, it's hard for standard error monitoring tools to catch. That's why I think you should check out BugSnag, an all-in-one observability solution that has a way to automatically watch for these issues real user monitoring. It checks and reports real-user performance data in real time so you can quickly identify lags. Plus, you can get the context of where the lags are and how to fix them. Don't rely on frustrated user feedback. Find out for yourself. Go to bugsnag.com and try it for free. No credit card required. Check it out. Let me know what you think.
[00:02:10] Joe Colantonio Hey, Brittany, welcome to the Guild.
[00:02:14] Brittany Greenfield Hey, Joe. Thanks for having me.
[00:02:16] Joe Colantonio Awesome to have you. I guess before we get into, I'd like to maybe set the stage with defining some terms just to make sure everyone's on the same page before, but again too is. But I think it's a really great solution and a great technique. The first one is, I think we were talking back and forth in email, and you just said you don't necessarily believe in, DevSecOps. And this is a big debate. So, could you tell us a little bit more like, what is DevOps? How is it compare to DevSecOps and why do you think sex should be part of DevOps or not?
[00:02:43] Brittany Greenfield Yeah. No. Absolutely. The reason I don't believe DevSecOps should exist as a term is it should just be DevOps, which should just be development, right? And if we think about where DevOps came from, it was really about breaking down silos. And DevSecOps is no different. The only difference is the job of the people that are responsible for delivering it. And what really happened was we had DevOps become, even if not fully implemented, but really the norm of development by about 2015, however, security was just sort of left behind in it for some very functional reasons. One, security, especially application security, is difficult, right? It doesn't run the exact same way DevOps processes do. There's a lot more. I call it sort of the system of checks and balances like building a house. When you look at DevOps, you have that quality control to say, are there four walls and a door? So I can call it a room. But security gets a little more nuanced in terms of the configurations and also the number of silos you have to break down. It's not just necessarily just one security person you're dealing with, right? Whereas, your DevOps or one security team, you could also be getting as far out as legal and compliance and whatnot to be able to accept some of this risk. And so really, that term DevSecOps was born of the recognition that as development organizations, we'd moved forward to say, let's break down silos, leveraging automation and orchestration to maximize efficiency on the team. And we hadn't brought security along as, on the ride. Part of my mission with Wabbi is to make that term DevSecOps obsolete because it should just be the norm.
[00:04:27] Joe Colantonio How are you doing with that? You must be with a lot of companies, a lot of users. Are you seeing about breakthrough or is it still like a education?
[00:04:34] Brittany Greenfield It is a breakthrough for sure. If you get into the sort of technical market adoption thing, it's in the plateau now, which doesn't mean it's gone away. It just means everybody recognizes that DevSecOps is the norm. Now, actually, from an execution perspective, it's not as good. And that's because it's no different. The transformation to DevSecOps is not going to be any easier than the transformation from DevOps, other than the lessons that companies got to learn from that. And that's because we haven't leveraged automation and orchestration the same way in integrating security into the SDLC as we did in DevOps. And so now you compound that with the fact that 80% of organizations are actually through DevOps organizations versus having just sort of adopted pieces here and there. And all of these mandated approaches are falling apart very quickly. So, yes, everybody knows this is the new norm for me, but most enterprises are actually still in the place where they've implemented DevSecOps, but they haven't codified it as part of their existing SDLC process. We can dive into why that is.
[00:05:45] Joe Colantonio Yeah, absolutely. You mentioned a lot of people tripped up on the execution piece. So how do you integrate then Security and DevOps?
[00:05:51] Brittany Greenfield Yes. Well, so that's our realm, right? That's what we call what has been termed application security posture management. And so we're so thrilled that there's our own acronym in this big alphabet soup that security has in development has. And really what it gets at is none of the concepts should feel foreign to any development team. Paid on development to make sure we get things out on time, on budget, on spec. We leverage a couple of things. We manage our tech debt and security. That's just called vulnerability management. We leverage orchestration because that improves developer productivity. We can't all be experts in the exact thing that we need to do now, nor can we be available and all the time. We need to know when we need to direct our attention to something. And then the third is really what I think is the norm now that we've seen comes with the DevOps transformation isn't just monitoring, but observability. And the analogy I like to use here is that we've created all of this data, but it's not enough to have data. You have to have actionable information. Data is saying, hey, it's 34 degrees. Well, here I am in Colorado and that is a warm day here. Beautiful spring day. If you said that to somebody in Los Angeles, they'd be pulling out the puffer jackets, right? Maybe even apocalyptic. And that's the information part because that information is going to provide the context that allows you to make educated decisions. And this is really the area we addressed that doesn't say, hey, security. Can you suddenly start acting like development may development can you start to act like security? Let's use everything that's already available to us to marry the processes.
[00:07:34] Joe Colantonio All right. Let's dive a little more into that then. What is Wabbi then? I mean, is this AI? Like AI we have all this data. So what does a machine learning and all sudden we have application security posture management. Like how does this work?
[00:07:45] Brittany Greenfield Yeah. AI's an intrinsic part of it, right. Cyber has always been right for AI applications even before AI. AI was at the tip of everybody's tongue because of all the data, right? What we want to do, and especially in cyber, there's a real scale issue. And this has been one of the challenges in DevSecOps programs. If there's one application security manager for every 100 developers. We've done some research ourselves that actually shows developers recognize that security is responsive to feedback, but they don't have those automated feedback loops. So how can you be responsive if you can't get back in real time at the same pace? It's just this is one of the many areas of disconnect. And this is where AI is super helpful. It's an intrinsic part of our platform. But what we are is a SAS platform that orchestrates the end-to-end application security lifecycle as part of the software development lifecycle. Developers get to keep doing what they're doing, which is developing code, and they get the security tasks that they need to fed into their process at the right time. Rather than, hey, we're going to stick you in security training once a quarter and expect you to magically remember the right security thing to do in exactly this right time, we're going to orchestrate that and sometimes do that for you, or just tell you what the manual step is and then allow you to have the chance to put that feedback. And so one of the things I think every developer has become very familiar with nowadays is SaS scanning static analysis. And that's something that many of our customers require to be completed before the PR. So Wabbi, instead of as a developer, instead of having to hit a button or call your friendly security person, Wabbi, once you submit the PR will automatically kick that off, bring those results back and prioritize them for you. And if your company says you have to fix the criticals first, kind of like bugs, we're going to block you from completing the PR or allow you to route it to somebody for an acceptance. That's one example of that. But there's that goes from the design perspective, right? Some customers even have depending on the kind of confidential information, hey, we've got to have an actual meeting before we'll even release the features, we can orchestrate that to also, the thing I think we don't talk about so often, we talk about the differences between security and development, but not the similarities. But security and software are living, breathing things. So changes are happening all the time. We can take in changes from the security side or from the application side that may change the security requirements.
[00:10:23] Joe Colantonio All right. So how is this information fed?
[00:10:24] Brittany Greenfield One right now.
[00:10:26] Joe Colantonio Yeah a lot of people, I think they know if like a security scan, you're checking code, you do a security scan. That's a first stage a pipeline, didn't pass, doesn't get checked in. This sounds more like an end-to-end kind of shift left, shift right. How does this feed information, how do people get the information at the right stage and not be necessarily security experts when they do get like, hey, this is an issue. How do they even know how to fix it? I know that's a lot of questions wrapped in one but.
[00:10:53] Brittany Greenfield No, no, no no. But you know long the head. This is why this has been so complex. And what's made Wabbi really a pioneer in it. Let me take a step back because I used a phrase that most people may not be familiar with. We're all familiar with SDLC, right? The software development lifecycle. Application security is no different. There's an application security lifecycle, different things. It's not just the testing. This is where I would say the fallacy of DevSecOps was that, hey, you've got a DevOps tool, I've got a tool to secure it, and now we're doing DevSecOps. All that did was create more data without information. The application security lifecycle really looks at it at the development of the product and says, what is the thing that has to be done at the right time? And it's not just testing. A lot of times, I'm sure folks on in your audience are familiar with the term secure coding. There's no test for that. We just need to say, hey, you're dealing with PII, so you need to put a 15 minute timeout on. That's just a best practice. Or there could be gates that are put in that in the singular of a policy not being followed, it would be fine. But maybe you have 20 policies that weren't followed across an entire team or product, and that's when security would want to stop it. And when we talk about the application security lifecycle, I'll use a simple analogy. Something that we all share is that we go into buildings every day. And we trust that we go into those buildings every day and they're safe because the right set of checks and balances has been applied. And when something needs to get fixed, it also gets put onto a punch list should start feeling very DevOps, right? This is the world of application security. And so that's when we talk about that end-to-end and what Wabbi does is we manage that whole set of checks and balances. And on top of it, as we know in development, nothing ever goes to plan. Software is perfect. When something doesn't go to plan, we also manage that set of chutes and ladders, so to speak, of where it needs to get routed. Organizations, just like the way we make educated decisions about what's good enough to ship today from a quality perspective and from a feature perspective, can also do that from a security perspective. That's when we talk about that application lifecycle. It marries exactly to the SDLC. It's just a different set of rules.
[00:13:18] Joe Colantonio Gotcha. So is it like a compliance application then where a company's each company may have different standards that they want to follow and you would merge. They would put it into the application that would manage then compliance as well?
[00:13:32] Brittany Greenfield Correct. You've hit on a couple three very important points. I'm going to pick on the word compliance because compliance is a dirty word. If you're only doing security to do compliance then you're just doing check the box security right. But you redeemed yourself in the next statement. Which was every company has their different set of standards right. And those standards are obviously sometimes driven by regulatory standards or frameworks that they choose to. But the way a company chooses to implement that standard is different. Those standards say something like use a firewall and check it on a regular basis. And just like humans, your risk profile and my risk profile are different. Regular is different. And so that gets to that nuance. And sort of the third point on that is that each company, especially in large enterprises, treat also their applications with different risk. If I'm a bank, to the end user, an end user sees bill pay and wire transfers as the same thing. I'm sending money to somebody. The bank sees that very differently, even if nothing else, because the wire transfer platform is separately regulated. But also wires are instantaneous. Bill pay is batched. As you start to think about the world of risk that you're willing to accept on that, you're going to implement those standards differently. And that's why this gets very nuanced, very, very quickly as we think about the ways that are a lot of times security's thinking about how the outside world is trying to get it in. And what our risk profile is on the outside world. And development really aligns with the business customer promise delivery risk. How do you marry those two? So that's why I say compliance is a dirty word because you're not thinking about business risk and customer risk if you only think about compliance.
[00:15:30] Joe Colantonio Right, right. I used to work for a health care company and they would sell radiology machines to different regions, different countries. And they all have two different regulations. And we could be audited by the FDA. So it sounds like having a tool like this would help automate that process rather than having like a checklist that could kind of.
[00:15:47] Brittany Greenfield Correct.
[00:15:49] Joe Colantonio Involve with you as well as regulations change also.
[00:15:52] Brittany Greenfield Exactly right. The world that we're living in is very dynamic so changes are going to happen. And that checklist this is you asked earlier about the reality of DevSecOps having been adopted. This is how people are doing application security by checklist now. And you want to know what happens? Security calls development. And they go, hey, did you do that thing I asked you to do? Which was probably a month ago. Yeah, yeah. Of course. We worked with one large telco said, look, we accept the fact that nine out of ten times we gave development the pass because we haven't been able to effectively communicate to them the standards in real time. So that's on us, not on them to not have informed them. And then we can't follow up. We can't collaborate. And again, this should all feel very familiar. This was the same challenge Dev and Ops had at the very beginning. That was creating a drag on actually delivering the product.
[00:16:54] Joe Colantonio love it. I know a lot of developers have a large definition of done like security just checkbox. Yeah, sure. But this sounds like it's a little more, it could catch a lot of things that you may not even thought of when you were checking in the code.
[00:17:05] Brittany Greenfield Exactly. And I think there's been such an emphasis, we talked about the scale issue on trying to shift a lot of security to development, which best of intention, there's a big company out there that has done this. Best of intention, but it just creates a mess in a different place because we're not expecting developers to suddenly become security experts. The same way we wouldn't expect security experts to become experts in development. And I think that's where we're well past that cultural transformation part. And that's really where our world of application security lives in the process transformation part. And then we support with the tools.
[00:17:45] Joe Colantonio Right. So the role of developer really has a lot of pressure on, like you said, a lot some companies that you do everything you do the testing, you do the security, you do the performance, the whole shebang. So do you see security experts still being involved in in the process, like with your application, do they work with the application? Do they work with the teams for training or like do they do the heavy lifting?
[00:18:05] Brittany Greenfield No. I think it to become strategic and become really more part of the team. We've got a problem. How do we solve it? So there's two ways that security teams get to better interface with development teams with ASPM, one is rather than having to wait for your friendly security person to respond to your e-mail or your slack or whatever. The developers actually getting that information in real time. And so that's one. For the security teams, you're actually seeing a huge reduction in the manual work effort. So one of our customers saw their manual work flipped from part of their team's workload flipped from being about 75% manual and 25% automated to being 25% manual and 75% automated with our platform. And the reason the manual work wasn't going away, and they were perfectly fine with it because that manual work then became strategic. Are we delivering the best policies to our developers that actually align with how they develop? I use the example of a policy might be something like you're dealing with PII, so you need a 15 minute timeout. Well maybe it's a bulk import and a 15 minute timeout wouldn't work on it. So let's triage this together and figure out how to come up with a better policy. Or we have come up with a blocker. And how we're going to work around it. One of our customers uses a library from a well-known software publisher. And that customer said, hey, you have a vulnerability. We need you to fix it. And the software publisher said it's not a vulnerability to ask. It's not high risk to us. And so they then, so the development and the security teams at our customer then were able to get together and say, how are we going to manage this? What are the guardrails we're going to put in and to do that. And that's again, sort of where we step in where the guardrails, the security teams got to do the strategy side. And Wabbi does the guardrails, do the orchestration and the automation. And then development gets the information fed to them. And if needed they can make the link back to security to be able to work on it together.
[00:20:12] Joe Colantonio All right. What's the current situation without Wabbi? If I'm a security expert, does it mean like they have to manually look through their policies that manually doing code reviews defining an issue that running it over to the dev team. Hey, can you fix that. They fix it. They fix it. They check in, they go back, they review it. Is that the manual type of workflow that that this replace?
[00:20:30] Brittany Greenfield Correct. Right. That's if they can get there in time. I mean.
[00:20:34] Joe Colantonio Right.
[00:20:35] Brittany Greenfield Much more tactically. You get and these are in well-educated DevSecOps teams right. One of our customers is develops essentially DevOps software. And they said, hey, my teams are actually very aware of this. And I get ten emails a day saying, is this the test I need to run now? Or do you need me to fix this vulnerability? That's a bunch of time that he may or may not have. And that's exactly what's happening today. I could pull up a 12 sheet workbook that one of our customers uses or used. That was the security code review checklist before they could do it and want to know what it did? It referenced a bunch of thick PDFs that nobody knew what it was. And what does it mean for me in this moment? And that's where we're really trying. And we do take the need for expertise out, and we spoon feed the information the right place, right time, right person. And so that way, as things change, you don't have to be. Not that we won't all still always need security training, but you don't have to be reeducated on what the new policy is. But yes, what you describe is exactly how application security happens today without Wabbi.
[00:21:44] Joe Colantonio This might have been a bad implementation, but when I used to work with, and we had security scans, there'd be like a lot of false positives. And then there's so many, so much information, so many things that people didn't know, like what to focus in on, what was real, what wasn't, and they were just ignored at some point. The solves as well, I would think, right. Like how does it solve this issue?
[00:22:04] Brittany Greenfield And that's a key, I mentioned it earlier. If we think about application security posture management. It really deals with three realms. And that's the realm of vulnerability management, which is really if you just think about it, a specialized kind of debt. You're starting to see the new buzzy term risk-based vulnerability management. And again, that's just criticality plus severity. What do I need to fix and in what order do I need to fix it. And that we absolutely do. But you've got to have it as part of the whole puzzle. Right. Because if you're just doing vulnerability management, like if you're just doing a backlog in a closet by yourself, what doesn't matter. And that vulnerability management, the big thing that people have accepted, which was tough and is tough in a lot, most organizations that are still doing exactly what you described, that will feel very normal to a lot of people in your audience. They were getting all this data thrown out at them. And first of all, it wasn't aggregated and across tools and time. And the second thing, it wasn't contextualized for that company or for that application. And so you need one record. And this is how Wabbi approaches. We have one record. We can roll it up and even see the vulnerabilities in different assets, because you may even have a shared asset between a low value application and a high value application. And that would change the rules that you'd want to apply. And then across time and then we reprioritize it to say, hey, we actually care a lot about this vulnerability that needs to go in the 5% that we're going to fix this month, and then there's 10% to maybe even 15% that we can fix later. What are the SLAs around that? And then what about that 80% that we just need to sit and monitor so that it doesn't become something bad? And maybe there's a different future rule, but that actually never needs to end up back in the developer's backlog because we're fine accepting that risk because we can't fix everything.
[00:24:00] Joe Colantonio Love it. All right, so here's a long question. I don't even know if it's going to make sense, but let me try and unravel. I run a News Show on automation and DevOps, and I've been seeing a lot of news recently around the security, like with the white House. I think they unveiled a fiscal plan recently, and it was like $13 billion of injection to the federal cybersecurity budget. And they also released something called back to the Building Blocks report, where they said the burden of cybersecurity is should fall on the shoulders of a tech companies and the federal government rather than individual users. And on top of this, you mentioned that Gartner mentioned ASPM as a transformative technology coming into play. Is this a convergence of like, is this where we're all heading? And is this why people should really pay attention now? Like every time I see the government releasing any reports, even though they said they're not going to, feeling of stop poking their fingers into it, and that's going to cause companies really take notice.
[00:24:52] Brittany Greenfield This one I have not minded too much, so I'm going to split up that question.
[00:24:57] Joe Colantonio Okay.
[00:24:58] Brittany Greenfield First, one of the thing problems of application security is that it's always been a little bit of red headed stepchild. It look to develop B2B security. Right. Because it's proactive. It's about the process. And in development we set a process because that's how we get things out and make decisions about it. And then look to security ish to be development. And so it's sort of been out on its own. But the harsh reality that nobody ever talked about and why I'm glad it's getting so much spotlight now, even if it does mean one more government report, is that nine out of ten breaches begin due to defects. You rarely, rarely hear about it in the news reporting because it'll be something like ransomware. The hackers did this kind of filtration, MITM, whatever it is. And but what it was was that defect in the code, that vulnerability that wasn't fixed or wasn't found, provided the entry way for them to be able to execute on their attack. And so now application security as the building blocks, I actually thought they did a phenomenal job with this report, as the building block of security is where we're starting to see this convergence that I say application security is all security, right? Because if you need a taller wall in a deeper mode, and this is a little bit where they get into the burden falls on the tech companies. Because remember, every company is a tech company today, even the government in its very word ways. And but if you want a taller wall and a deeper mode, right, okay, firewalls and better network security and API security and AI security and stuff, you've got to work with the development team to execute that. There's very little security nowadays that exist without collaborating with development. And that's really why you're seeing application security posture management become this transformative, hot button and technology that people want because you can't bring together all those pieces. And I go back to sort of our starting conversation about DevOps. At the end of the day, all of this is just good development because it's about good collaboration and breaking down silos.
[00:27:04] Joe Colantonio Love it. And at the speed of development nowadays, this is almost like automating the gap between developer and security, almost sounds like.
[00:27:12] Brittany Greenfield Correct. Exactly, right. We're not expecting, nor should we developers to suddenly start doing different things. They've got good workflows. Those will evolve as development evolves. Same with security, they've got their own workflows. Developers crave autonomy and information so that they can execute on that autonomy and security professionals crave accountability. Do the thing that we're supposed to do to make us safe. And this has always been our philosophy and our pillar here around how you actually integrate security into development is let everybody do their own thing. And the way that they want to do it and find a way to translate the two into each other. And that's really the future of how we address this problem.
[00:27:57] Joe Colantonio Nice. So if someone's listening, Wabbi, like I have to check this out, how hard is it to integrate it into existing systems? A lot of times I think I used to work for health care insurance companies, older companies, they kind of have the legacy things like how hard is it to implement?
[00:28:10] Brittany Greenfield It's interesting you bring up the legacy things. Don't worry, we're 100% cloud. I guarantee you have a server sitting in a cloud somewhere.
[00:28:21] Joe Colantonio Absolutely. Yes.
[00:28:22] Brittany Greenfield And it's something that we actually said, if we're going to make this work right, we have to make it very easy. So obviously, we're API-centric. But one of the things we did because we realized our customers being very large, Midmarket fortune 500 some and DoD, they have that complexity that says, hey, I've got the system. Don't worry. We're going to sunset it one day.
[00:28:44] Joe Colantonio Right.
[00:28:44] Brittany Greenfield We actually developed an agent that allows if somebody needs to connect to an on prem system. Sometimes it has to do with sensitivity of data and other things. And so for us, the analogy I like to use about Wabbi and how we work is we rely on those connections. But what you want to connect to is going to change over time. And it's kind of like if you remember pictures of the old telephone operators when I'd call and say, hey, I want to be connected to Pennsylvania three, four, five. And they go, okay, sure. Hold on a second. That's how we were built to be able to say, hey, look, I'm actually had a different phase in my development transformation, and now I'm using serverless. I want to connect to a serverless security program. Can I do that? Great. We can build an integration for it if we don't already have it. And now you have that serverless or the other side could be, hey, we're going to serverless. And we just need attestation. We just want to know because we're still experimenting. Cool. Wabbi can do that. And it's the recognition that everybody is a special snowflake and your program is going to be different. And we've got to be flexible to roll with that.
[00:29:54] Joe Colantonio Okay. Brittany, before we go, is that one piece of Actionable advice you can give to someone to help them with their DevOps security efforts? And what's the best way to find contact you and learn more about Wabbi?
[00:30:04] Brittany Greenfield Yeah, the actionable insight, I would say pick up a phone and call an application security manager. I really mean this. And I don't mean to sound Oh kumbaya, but if you're a developer or in a development organization, ask them what they are trying to achieve with their application security program. No different than what we discussed here where you said, I think of application security, I think of testing. It's such a much bigger puzzle and ask what you can do to help that. That's the one actionable piece of information I think I can give that's going to move the ball forward a lot faster, because right now, both teams are getting inundated with too much data, and they don't have the context to turn that into information. And if you can start with that conversation, you're going to find that the ball starts rolling pretty quickly and you can figure out how to facilitate those feedback loops. And when you're ready to facilitate those feedback loops, Wabbi is here, with our full continuous security platform that can manage the end-to-end implementation of your security into your software development lifecycle, you can visit us at our website www.Wabbisoft.com. That's two Bs or feel free to reach out to me on LinkedIn. I love having this conversation with anybody, wherever you are in your DevSecOps journey. Just reach out and mention that you heard me on Joe's podcast and you want to have a conversation. I'd love to continue it.
[00:31:26] Remember, latency is the silent killer of your app. Don't rely on frustrated user feedback. You can know exactly what's happening and how to fix it with BugSnag from SmartBear. See it for yourself. Go to BugSnag.com and try it for free. No credit card is required. Check it out. Let me know what you think.
[00:31:48] And for links of everything of value we covered in this DevOps Toolchain Show. Head on over to Testguild.com/p142. And while you're there make sure to click on the Smart Bear link and learn all about Smart Bear's awesome solutions to give you the visibility you need to deliver great software that's Smartbear.com. That's it for this episode of the DevOps Toolchain Show. I'm Joe. My mission is to help you succeed in creating end-to-end full-stack DevOps Toolchain Awesomeness. As always, test everything and keep the good. Cheers.
[00:32:23] Hey, thanks again for listening. If you're not already part of our awesome community of 27,000 of the smartest testers, DevOps, and automation professionals in the world, we'd love to have you join the FAM at Testguild.com and if you're in the DevOps automation software testing space or you're a test tool provider and want to offer real-world value that can improve the skills or solve a problem for the Guild community. I love to hear from you head on over to testguild.info And let's make it happen.
Sign up to receive email updates
Enter your name and email address below and I'll send you periodic updates about the podcast.