1. Intro
2. Take a breath
3. Requirements interface
4. Approval process
5. Security reference architecture
6. End-to-end tests
7. Requirements tests
8. Static analysis
9. Security test coverage
10. Security requirements interface
11. Security maturity model

Description:
Description:
Explore a comprehensive approach to securing DevOps pipelines in this 43-minute LASCON conference talk. Learn why a tools-first approach often falls short and discover a risk-based methodology for enhancing application security. Understand the importance of considering business risks, threat models, and required security controls before selecting tools. Gain insights into essential security components for CD pipelines, strategies for building organizational momentum, and overcoming common challenges through industry case studies. Examine a high-level maturity model for setting goals and tracking progress in fast-paced application security programs. Delve into topics such as requirements interfaces, approval processes, security reference architectures, end-to-end testing, static analysis, and security test coverage to develop a more robust and effective DevOps security strategy.

Your Security Tools Are Just a Stop-Gap to Secure DevOps

LASCON