Las Vegas 2018

Building an AppSec Program from the Ground Up

This talk will cover the lessons learned from a 2-year journey starting an appsec program at a small-to-medium-sized, DevOps-driven company that previously had no security program. This will be an honest look at what worked and what didn't work, as well as a follow-up analysis. There will be plenty of stories and common-sense perspective, as well as discussion around goal setting and execution.


This will be the talk I wish I had two years ago when I was starting this adventure. From this talk, you'll walk away with:

- Honest assessments of "best practices" and how they apply to security in DevOps environments (and a call to action to think critically about best practices!)

- Recommendations on how to set up a DevOps-oriented security program

- Practical ideas on where to spend time and what to delay

- Some entertainment at the expense of some of my failures in learning these lessons


John is currently a senior manager of application security at Oracle, NSGBU. His previous positions have been focused on secure software engineering, in the technology, financial and defense sectors. He has spent his entire career in software development and security. In his spare time, he volunteers with OWASP.

John Melton

Senior Manager of Application Security, Oracle