Root-Causing Culture Impact on the Secure-by-Design Transformation


TALK DESCRIPTION

We built a dashboard that aggregates feeds from the various security-specific tools in our DevSecOps tool chain. The result was an eye-opener on the effect of organizational culture and individual behavior on the application security posture. The Developer Dashboard collects data from tools such as static code analysis, dynamic app scanning, open source scanning, JIRA, the source code repository/version control system, the LMS (training), LDAP, and others. The data is visualized to help identify the root cause of repeated introduction of vulnerable or poor-quality code, as related to factors that include the adoption of secure coding practices, management endorsement of the secure-by-design mentality, availability or lack of proper training, legacy apps with dead or obsolete code, and applications with no active development or support. The dashboard provides a view all the way from the individual contributor up to the CIO (navigating the LDAP hierarchy) to help establish the scope of a problem (whether isolated or widespread) and to help identify a proper remedy across teams and organizations where similar conditions exist.

Aggregating the data into a single dashboard made the information more accessible and helped in addressing some important concerns and questions:

- Measuring indicators of the secure-by-design transformation
- Explaining the significant variations in Vulnerability Density and their relation to obsolete/dead code clean-up
- Rate of reuse of common code and its implications on the cost of remediation vs. overall risk and probability of discovery of vulnerabilities
- Defining a custom vs. standard training program to yield a higher ROI
- Managing remediation through a risk-reduction vs. compliance approach
- Building awareness about real threats and cyber-attacks in the wild
- Prioritizing the remediation of vulnerabilities (e.g., OWASP Top 10, exploitability, severity)
- Distribution of roles and skills in the org (management vs. individuals, doers vs. management, junior vs. senior, …)
- Impact of geographical distribution of teams on other indicators

The dashboard was never meant to be a glorified, metric-driven to-do list. Rather, it was intended, through the use of data visualization and pattern correlation, to help in understanding the key drivers of an accelerated and needed culture change.
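The core roll-up the talk describes (per-developer findings merged with the LDAP reporting chain, vulnerability density per subtree, and an isolated-vs-widespread scope call) can be sketched in a few lines. This is an added illustration, not the speaker's or Verizon's dashboard code; the org chart, per-developer numbers and the 1.0 findings/KLOC threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed, not from the talk): an LDAP-style reporting
# chain plus per-developer counts merged from SAST/DAST/OSS scans and the LMS.
REPORTS_TO = {"dev_a": "mgr_1", "dev_b": "mgr_1", "dev_c": "mgr_2",
              "dev_d": "mgr_2", "mgr_1": "dir_x", "mgr_2": "dir_x", "dir_x": "cio"}
DEV_STATS = {  # kloc = thousands of lines committed in the period
    "dev_a": {"kloc": 12.0, "findings": 30, "trained": False},
    "dev_b": {"kloc": 8.0, "findings": 20, "trained": False},
    "dev_c": {"kloc": 10.0, "findings": 3, "trained": True},
    "dev_d": {"kloc": 15.0, "findings": 5, "trained": True},
}

def chain(person):
    """Yield a person and every manager above them up to the root (CIO)."""
    while person is not None:
        yield person
        person = REPORTS_TO.get(person)

def rollup(stats=DEV_STATS):
    """Sum findings, KLOC, head count and training status at every org node."""
    agg = defaultdict(lambda: {"kloc": 0.0, "findings": 0, "devs": 0, "trained": 0})
    for dev, s in stats.items():
        for node in chain(dev):
            a = agg[node]
            a["kloc"] += s["kloc"]
            a["findings"] += s["findings"]
            a["devs"] += 1
            a["trained"] += int(s["trained"])
    return agg

def density(node, agg):
    """Vulnerability density: findings per thousand lines of code."""
    a = agg[node]
    return a["findings"] / a["kloc"] if a["kloc"] else 0.0

def scope(manager, agg, threshold):
    """Classify a manager's subtree: 'clean' if no direct report exceeds the
    density threshold, 'widespread' if a strict majority does, else 'isolated'."""
    reports = [p for p, m in REPORTS_TO.items() if m == manager]
    hot = [p for p in reports if density(p, agg) > threshold]
    if not hot:
        return "clean"
    return "widespread" if len(hot) * 2 > len(reports) else "isolated"

if __name__ == "__main__":
    agg = rollup()
    for node in ("cio", "dir_x", "mgr_1", "mgr_2"):
        a = agg[node]
        print(f"{node:6} density={density(node, agg):.2f} "
              f"trained={a['trained']}/{a['devs']} scope={scope(node, agg, 1.0)}")
```

In the sample, the untrained team under mgr_1 carries a density of 2.5 findings/KLOC against 0.32 for the trained team under mgr_2, and dir_x's problem is classified as isolated to one team rather than widespread.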

Speaker


Manah Khalil

Manah has over 20 years of software engineering experience in various roles including architecture, design, testing, and security. That helped me look at application security and its impact as seen from the various stakeholders of application systems: IT, Management, Legal, Business Partners, Security and others. The cost of security on IT is significant, taking away expensive capacity from the business. In my experience the solution was to prioritize the spending on security-related initiatives equally between tools and technical debt, and ways to change and measure the organizational culture. In the last two years at Verizon I spent my time and effort on standing up the IT Application Security team, and building self-service tools and processes to promote the security “shift-left” culture. As part of this initiative I had to measure and quantify the result of that work and ended up designing a dashboard that can help in identifying the effect of that work on indicators of culture change.

Proven track record of 20+ years of experience in software development and IT operations with Fortune 100 companies. Driving the implementation of the IT Application Security Strategy across various business units, the rollout of DevSecOps and the IT Security Awareness Program. Directly contributed to increasing the Close Rate on new sales of the Verizon FiOS TV service by 8% between 2010 and 2011. Implemented the Verizon National Call Routing strategy in 2013, enabling over $21M in annual cost savings. Two-time Verizon Credo Award recipient for work related to improving sales and efficiency in call centers. A Microsoft Gold Star Award recipient for work associated with the Microsoft BizTalk Server. Always looking to leverage my strategic insight and technical expertise in IT, Application Security, mobility, e-commerce, and telecom to support and drive shareholders’ value.