Interview with Tracy Bannon, Senior Principal/DevOps Architect at MITRE
In a recent LinkedIn post, Tracy Bannon, a pioneering DevSecOps expert and senior principal software architect with MITRE, advocates building structured training into development programs. As she wrote in the post, “We cannot allow our people and our teams to be completely self-taught in their free time!”
For starters, she suggests structuring security training around the 70:20:10 model: 70% on-the-job experience, 20% informal learning, and 10% formal training. She also advocates letting developers break things so they can learn to improve quality. Tracy, who prefers the title “real technologist,” calls this “training with intentionality,” and says it should be embedded in every DevOps organization.
She is a proponent of both team and individual learning and feels that training should be a formal part of any DevOps employment program. As part of that training, she recommends encouraging developers to break applications as one method of learning, for example in an interactive hackathon. As she says, “Let’s DAST it together, and let’s have a team cheer when someone finds or breaks something.”
In this video interview, we discuss how to utilize training effectively while encouraging continuous education.
Additional Resources:
- Get Coaching and Training with CodeSecure’s Technical Services
- Shift Left Academy interview with Adam Shostack, author of the book “Threat Modeling: Designing for Security”
- OWASP cheat sheet for threat modeling during the design phase and app lifecycle