8. Security by Design Strategies for a Shift-Left Culture

ANNE MARIE ZETTLEMOYER


Hacker summer camp is an annual weeklong trek into the blistering heat of Las Vegas in August where more than 10,000 security pros and fans gather to rub elbows, share ideas, and reconnect over a series of security conferences, mainly BsidesLV, DEF CON, and Black Hat. It's a family reunion of sorts, where memories are made (and forgotten) and ideas are formed, argued, developed, and matured.

It was at this event a few years ago where I had conversation after conversation around security by design—DevSecOps to some (security should be in the definition!), definitely not DevSecOps for others (DevOps must be held pure!), and to all the endeavor to “shift left” and bring security to the beginning of the development process versus bolting it on at the end. It's the noble effort to include “secure” in the definition of quality and “safe” in the definition of ready and to do so efficiently and effectively throughout the product life cycle. Whether you're a DevOps purist or a DevSecOps advocate, despite the many debates on labels, we can all agree that the things we create should be safe and stay safe for as long as they are in use.

Obviously…right?

If you've ventured into the space of application security or security by design, you'll have seen that the notion of securing something up front is many times met with a lot of head nodding (oh yes, that's a great idea!), only to result in even more head shaking ...
