[AWSReInventPartnerSessions2024] Institutionalizing Developer-First DevSecOps at Scale: The Intercontinental Exchange Transformation
Speakers
Clinton Herget serves as Field CTO at Snyk, championing security integration within developer workflows. Craig Lambert is Senior Director of Application Security and Red Team at Intercontinental Exchange (ICE), overseeing security for 1,600 applications supporting 4,000 developers.
Abstract
This examination contrasts traditional and modern software paradigms, detailing ICE’s cultural and technical DevSecOps transformation using Snyk. It explores incentive realignment, risk score consolidation, business-contextualized inventory, and future declarative security models. The shift from post-build audits to continuous integration demonstrates velocity-security equilibrium.
Software Risk Evolution
Legacy: waterfall, silos, monoliths, minimal supply chains. Modern: continuous deployment, platform teams, microservices, opaque dependencies.
DevSecOps integrates security continuously, but legacy tools—separate scans, PDF reports, understaffed security—persist.
ICE Transformation Strategy
Developer Empowerment: IDE/CI/CD real-time feedback via Snyk. Incentives: Gamification, champions, product owner accountability.
Risk Consolidation: Unified SAST, DAST, SCA, IaC metrics. Contextualization: Business criticality mapping.
# Snyk CI/CD integration (GitLab CI job syntax; fails the pipeline on high/critical findings)
security_scan:
  stage: test
  script:
    - snyk auth $SNYK_TOKEN
    - snyk test --severity-threshold=high
    - snyk container test $IMAGE
  allow_failure: false
Gaps: SAST-DAST correlation, declarative threat models, AI workflow orchestration.
Future State
ML-correlated signals enable “security as code”—developers declare tolerances, platforms enforce.
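The risk consolidation, business-criticality mapping and "developers declare tolerances, platforms enforce" ideas above can be shown end to end in a small script. The following is an added example written for this summary, not ICE's or Snyk's implementation: the unified finding schema, the severity weights, the criticality tiers, the sample applications and findings, and the policy format are all constructed assumptions. It correlates the same issue reported by several scanners (the SAST-DAST correlation gap mentioned above), weights the remaining findings by the application's business tier, and checks the result against a tolerance the owning team declared as data.

```python
"""Consolidate SAST/DAST/SCA/IaC findings into one business-weighted risk
score per application and enforce a team-declared tolerance.

Added illustration; all scanner output, tiers, weights and policies below
are constructed for the example and are not real ICE/Snyk data."""

# Constructed severity weights; ordering only, not a vendor scale.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed business-criticality multipliers: identical findings on a
# tier-1 system should outrank the same findings on an internal tool.
CRITICALITY_MULTIPLIER = {"tier1": 3.0, "tier2": 2.0, "tier3": 1.0}

# Constructed business-contextualized inventory: app -> criticality tier.
INVENTORY = {"clearing-api": "tier1", "wiki-plugin": "tier3"}

# Constructed findings already normalized into one schema. Note F-2 is the
# same issue reported by both SAST and DAST.
FINDINGS = [
    {"app": "clearing-api", "source": "sca",  "id": "F-1", "severity": "critical", "fixable": True},
    {"app": "clearing-api", "source": "sast", "id": "F-2", "severity": "high",     "fixable": True},
    {"app": "clearing-api", "source": "dast", "id": "F-2", "severity": "high",     "fixable": True},
    {"app": "clearing-api", "source": "iac",  "id": "F-3", "severity": "medium",   "fixable": False},
    {"app": "wiki-plugin",  "source": "sca",  "id": "F-4", "severity": "high",     "fixable": True},
    {"app": "wiki-plugin",  "source": "sast", "id": "F-5", "severity": "low",      "fixable": True},
]

# Constructed "security as code": the tolerance each team declares and
# commits alongside its application; the platform only enforces it.
POLICY = {
    "clearing-api": {"max_score": 50.0, "block_severity": "high"},
    "wiki-plugin":  {"max_score": 40.0, "block_severity": "critical"},
}


def correlate(findings):
    """Merge findings that describe the same issue (same app and finding id)
    across scanners, recording which sources reported it."""
    merged = {}
    for f in findings:
        key = (f["app"], f["id"])
        entry = merged.setdefault(key, {**f, "sources": set()})
        entry["sources"].add(f["source"])
    return list(merged.values())


def risk_score(app, unique_findings, inventory):
    """Sum severity weights for one app and scale by its business tier.
    Unknown apps fall back to the lowest tier rather than failing open."""
    multiplier = CRITICALITY_MULTIPLIER[inventory.get(app, "tier3")]
    raw = sum(SEVERITY_WEIGHT[f["severity"]]
              for f in unique_findings if f["app"] == app)
    return raw * multiplier


def evaluate(app, findings, inventory, policy):
    """Apply the app's declared tolerance; returns the verdict and the
    specific reasons a release would be blocked."""
    unique = correlate(findings)
    score = risk_score(app, unique, inventory)
    rule = policy[app]
    reasons = []
    if score > rule["max_score"]:
        reasons.append(f"score {score:.0f} exceeds declared max {rule['max_score']:.0f}")
    threshold = SEVERITY_ORDER.index(rule["block_severity"])
    for f in unique:
        if (f["app"] == app and f["fixable"]
                and SEVERITY_ORDER.index(f["severity"]) >= threshold):
            seen_by = "+".join(sorted(f["sources"]))
            reasons.append(f"{f['id']} ({f['severity']}, {seen_by}) is fixable "
                           f"and at or above {rule['block_severity']}")
    return {"app": app, "score": score, "allowed": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for app in INVENTORY:
        verdict = evaluate(app, FINDINGS, INVENTORY, POLICY)
        state = "ALLOW" if verdict["allowed"] else "BLOCK"
        print(f"{state} {app}: score={verdict['score']:.0f}")
        for reason in verdict["reasons"]:
            print(f"  - {reason}")
```

With these constructed inputs the tier-1 clearing-api is blocked (score 57 against a declared maximum of 50, plus two fixable findings at or above "high"), while the tier-3 wiki-plugin passes with the same policy engine because its owners declared a looser tolerance and the findings are weighted by its lower business criticality. The correlation step is what keeps the duplicated F-2 from being counted twice.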
Implications: accelerated innovation, systematic risk reduction, cultural ownership.