CIO

Australia’s best female secure coder is “weirdly passionate” about DevSecOps

People skills as important in driving secure software culture as development skills, says Hannah McKelvie, manager of DevOps & Code Security at Telstra

Hannah McKelvie still isn’t sure who nominated her for the award she won – Australia’s Best Female Secure Coder for 2019 – but the Perth-based manager was happy to take one for the team.

It has been that team, after all, that has responded enthusiastically to her efforts to formalise DevSecOps practices within Telstra’s Secure Code group (https://www.cso.com.au/article/610637/telstra-dedicating-new-security-team-swatting-bugs-its-own-code/) – an internal centre of excellence dedicated to promoting secure development across the myriad software teams within the company.

McKelvie was a quick study in security, a field that she admits she had little formal experience in until she began talking with predecessor Kate McInnes, who headed up Secure Code (https://exchange.telstra.com.au/how-im-keeping-our-code-secure/) until McKelvie began managing the group in March.

McInnes impressed upon McKelvie how important it was to build secure practices into the development lifecycle from the beginning – and it was a restriction whose importance she was quick to grasp.

McInnes “was the security brick wall I would run into” whilst working together at a previous company, McKelvie – an IT professional for more than 15 years – recalls. “I would say ‘I want to make this go live’ and she just said ‘no’.”

The two began working together to identify and remediate security issues before the code went to production.

“I loved working with her because she had a brilliant mind,” McKelvie recalls, “and she was pleasantly surprised that she had found a project manager that was taking her criticism of the solution seriously.”

Her role within the team helped formalise three key capabilities that had never before existed within Telstra’s development processes, including code scanning, scanning of third-party libraries, and scanning ‘secrets management’ tools to ensure that passwords and other credentials are stored securely.

“It was game-changing for cybersecurity,” she says, “to really want to engage with the customer, sort out their development pipeline, and deliver this brand-new code service. My interest was in solving a lot of the cultural organisational change aspects around introducing security into this DevOps world.”

McKelvie admits that her “slightly people focused skills kept coming back to haunt me.”

“I have always believed it’s important to have a range of skills in your team, and that everybody plays a part,” she says. “As ridiculous as it sounds, there is a very strong case in the Secure Code team for some members to not have a depth of knowledge around application security.”

That process included loads of proactive engagement, in which McKelvie and her colleagues found themselves reaching out to developers and, for example, identifying security champions within DevOps teams and acknowledging where people have “made a really dedicated investment in improving the security posture of their service.”

By bringing senior executives into the conversation – and having them name and acknowledge security champions for their achievements – McKelvie has found the security culture has steadily become the norm.

“People need a boost and a pat on the back when they’ve done something, and it’s good for executives to hear about what we are doing in DevOps & Code Security. Some things that cybersecurity does can be very hard to measure, but this helps justify that we are making changes and promoting excellent behaviour.”

The key to getting the ball rolling was finding ways “to open up the conversation”, McKelvie says.

“It’s no more a developer coming to knock on the door wondering what we were going to say,” she explains. “It would be a real conversation, and constant dialogue with these really motivated people.”

The work has been rewarding enough but being named as Australia’s Best Female Security Coder was a “surprise” validation of McKelvie’s ability to bring the DevOps & Code Security teams along with her on her journey to passionately embrace secure development.

“It was an incredible confirmation for me that I am doing the right thing, and gave me a boost that I am doing good things to help the people here,” she says.

“I am weirdly passionate about this given that I just started in cyber. It has taken me by surprise how much I have taken to this space.”