#ask-the-speaker-track-2
2022-05-10
Andy Giles07:05:04

Hello to all the "Track 2" community, looking forward to an interesting few days

❤️ 1
👍 3
Slackbot11:05:08

Reminder: The breakout sessions are starting in 5 minutes. Get in front of your browser and start navigating your way to whichever session you’re attending. https://devopsenterprise.slack.com/files/UATE4LJ94/F01D34MC2KS/image.png

Ann Perry - IT Revolution11:05:00

Back from the break, we're introducing @dhruba.chaudhuri and @leena.pradhan from TCS, here to present Scaling DevSecOps adoption in a Large IT Services Firm

👏 4
👍 1
Eliza Kruszelnicka11:05:45

has it started yet? i clicked on the session but nothing is playing.

Eliza Kruszelnicka11:05:05

had to log in again. it's working now

🙌 1
Sascha Schärich (DevOps Evangelist at Deutsche Telekom IT)12:05:08

How do you continuously adapt your framework, as DevOps methods and best practices change over time? How often do you adapt this?

👍 2
Eliza Kruszelnicka12:05:07

how often do you benchmark?

👍 1
DHRUBA CHAUDHURI12:05:00

As we capture the practices in digitized mode and often interact with practitioners after we spot those. On the other hand, we keep watching what practices and tools are trending in the industry... so about 6 months of such observation may lead to an enriched version

DHRUBA CHAUDHURI12:05:12

Based on the insights we derive from the bench-marking exercise, we continuously update the assessment method and questions/ responses

DHRUBA CHAUDHURI12:05:10

Projects are advised to take the re-assessment in 4-6 months time after they implement the recommendations and post contextualization based on their context

Leena Pradhan12:05:15

Thanks for attending the session!

DHRUBA CHAUDHURI12:05:16

Thank you all so much for joining and listening to our story

Ann Perry - IT Revolution12:05:00

Excited to introduce @ann.marie.99 and @siddharth.pareek here to present, Rebuilding Security Culture with Security Champions: Our experience at IBM, Red Hat & NatWest Group

thankyou 1
❤️ 1
Ann Marie Fred - Red Hat12:05:23

Hi everybody! Welcome to our Security Champions talk. Siddharth and I have prepared some questions for you too, and we hope you’ll enjoy it.

👏 1
Siddharth, NatWest Group, DevOps CoE (he/him)12:05:44

Hello and welcome all to hear @ann.marie.99 and my story of building Security Culture. Hope it motivates and helps the community globally 🙂

❤️ 1
Ann Marie Fred - Red Hat12:05:03

So, where are people joining us from today? Flag emojis?

🇺🇸 3
🇩🇪 1
Siddharth, NatWest Group, DevOps CoE (he/him)12:05:07

Which industry are people from? I'll start - Banking and Finance Industry.

🏦 1
Ann Marie Fred - Red Hat12:05:49

Software and Cloud. :-)

☁️ 1
Ann Marie Fred - Red Hat12:05:00

Have you ever done Threat Models or a Pen Test more than 2 months before shipping a product? Or do you leave them until the last minute too?

jeff.gallimore (CTIO - Excella, he/him)12:05:00

that stat lines up with what i’ve heard dev:ops:security = 100:10:1

👍 3
BMK-BNZ-ValueStreamArchitect12:05:26

We need our security folks to also learn, appreciate, understand, support DevOps, flow 🙂

💯 3
Siddharth, NatWest Group, DevOps CoE (he/him)12:05:51

Is that being covered in your VSM practices BMK ?

BMK-BNZ-ValueStreamArchitect12:05:57

In some organizations - this is a slow area (upskilling rate) - modern cloud, distributed, cloud-native architecture

BMK-BNZ-ValueStreamArchitect12:05:35

@siddharth.pareek - They asked me to come back after 3 months 🙂 LOL

BMK-BNZ-ValueStreamArchitect12:05:08

Jokes apart - but yes we are working closely with our ISM/ICS teams

Ann Marie Fred - Red Hat12:05:46

You’re right. A security professional who also has a deep understanding of cloud and DevOps is even more rare (and wonderful). We’re working on it. What helps a lot is that we try to have the same security architect stay with the same group of related applications over time.

Ann Marie Fred - Red Hat12:05:28

We also brought back our same pen testing team 3 years in a row, and we found that they got more creative with their free-form testing from year to year.

Ann Marie Fred - Red Hat12:05:00

I could see the value in a different pen testing team each year as well, though. Fresh set of eyes and all.

Siddharth, NatWest Group, DevOps CoE (he/him)12:05:31

the statistic that there’s only 1 full-time security professional per developer, does that hold true for your org? Roughly how many security professionals do you work with?

Ann Marie Fred - Red Hat12:05:56

Our poor overwhelmed security architect. Yes he’s 1 person to about 100 developers.

jeff.gallimore (CTIO - Excella, he/him)12:05:50

when devs said “security is a pain point”, what specifically was the pain for them?

Ann Marie Fred - Red Hat12:05:39

I’ll talk about it a little later, but it was mostly compliance fatigue. They were spending so much of their time doing, frankly, BORING security and privacy work.

😩 1
Ann Marie Fred - Red Hat12:05:02

It was also difficult for them to keep up with new vulnerabilities that were constantly being reported, every week.

💯 1
BMK-BNZ-ValueStreamArchitect12:05:12

GRC is a challenging topic for Devs - I agree with you @ann.marie.99

Ann Marie Fred - Red Hat12:05:39

What does GRC stand for, @lbmkrishna?

BMK-BNZ-ValueStreamArchitect12:05:04

Governance, Risk, Compliance

Ann Marie Fred - Red Hat12:05:19

Ah, thanks! Good abbreviation to know.

😂 1
BMK-BNZ-ValueStreamArchitect12:05:41

BTW - I am BMK 🙂 cc - @ann.marie.99

Ann Marie Fred - Red Hat12:05:32

What does BMK stand for? 🙂

Giulio Vian, Unum12:05:37

and use of OSS libraries to compose application is increasing, so problem will only be worse

💯 2
BMK-BNZ-ValueStreamArchitect12:05:47

Curiosity - I want to understand how fast your organization addressed the LOG4J issue; In terms of hours, $$ effort; Anyone interested in sharing some stats?

Siddharth, NatWest Group, DevOps CoE (he/him)12:05:14

Ideally when each version came it was done quickly. However, after each version new vulnerabilities were identified, so it became a cyclic resolution. And now we have it lined up.

👍 1
Ann Marie Fred - Red Hat12:05:50

I had moved from IBM to Red Hat at the time and we didn’t have much running software in our new application, so I’m a bad example. I did see chatter on the mailing lists that Red Hat had to address it, I think, three times in quick succession, as new vulnerabilities were reported. And that’s from the outside; it was treated as an embargoed defect first, which I wasn’t privy to.

👍 1
BMK-BNZ-ValueStreamArchitect12:05:32

One of the stats I heard - one org spent 5000 hrs to address this issue; so I want to understand the numbers from other institutions, verticals

Giulio Vian, Unum12:05:32

we are still cleaning up tons of false positives

Giulio Vian, Unum12:05:52

in internal systems

👍 1
Ann Marie Fred - Red Hat12:05:33

We had Whitesource at IBM scanning all of our repos, so I imagine the teams could address it within a day each time, for the repos instrumented with Whitesource.

Giulio Vian, Unum12:05:37

that is great for apps you own and build; it is a nightmare for apps you do not own and do not build

💯 2
Ann Marie Fred - Red Hat12:05:34

The best you can do in that case is to get a notification right away when the vendor makes a patch available, and then apply the patch quickly. But it’s not entirely in your hands. Sometimes you can apply a mitigation in a Web Application Firewall.

Ann Marie Fred - Red Hat13:05:13

Also - let me know if you want me to tag your feedback on my Twitter account! I would just need your Twitter handle to do that.

Ann Marie Fred - Red Hat12:05:31

Do any of you already have a program similar to what we’re describing here? Do you use the same terms or different terms to describe it?

Andrew Salt - ScholarPack12:05:57

We are looking at the IKEA Cyber-Jedis concept @lloyd.passingham

👍 1
Lloyd P12:05:11

Yeah! we're in the process of getting together a pilot scheme by end of Q2 similar to what IKEA showcased from last years summit

👍 1
Giulio Vian, Unum12:05:16

our InfoSec team is starting one this year

👏 1
Ann Marie Fred - Red Hat12:05:17

Cyber-Jedis is a fun title. 🙂

Lloyd P12:05:04

Is that 10-15hrs of security training as a one-off? how can we help teams keep up to date with changes in security?

Siddharth, NatWest Group, DevOps CoE (he/him)12:05:12

It was the foundation basics, and as people move up the ladder in exp. there are other programs.

👍 1
Ann Marie Fred - Red Hat12:05:58

The 10-15 hours is really basic foundational knowledge that won’t change too quickly. But the Secure Engineering Guild is how we keep people up to date on the latest info. Coming up next in the talk. 🙂

Lloyd P12:05:53

A huge core component of how we're building our champions program is that "The goal of any security champion is to grow and inspire more security champions"

Siddharth, NatWest Group, DevOps CoE (he/him)12:05:58

the goal is to build Security Culture. Having more security champions is one of the objectives through which it can be achieved.

Ann Marie Fred - Red Hat12:05:01

I like it - teach the teachers!

Ann Marie Fred - Red Hat13:05:26

Also - let me know if you want me to tag your feedback on my Twitter account! I would just need your Twitter handle to do that.

Siddharth, NatWest Group, DevOps CoE (he/him)12:05:20

Do you have training plans that you use now, or that you would recommend? Love to hear.

👍 1
Lloyd P12:05:39

I love the idea of using time in meetings to do learning!

👍 1
Ann Marie Fred - Red Hat12:05:20

For example, when we were about to re-assess our application security, we’d talk about how to use the assessment tool for a bit. Or when we were about to start threat models, we’d talk about what to include in our architecture diagrams.

Lloyd P12:05:55

This is a really good idea, security is such a large and complex beast that skill fade can be a real problem within teams. I'll definitely be looking for ways to include ideas like this going forward 🙌

❤️ 1
Ann Marie Fred - Red Hat12:05:55

Here are some training programs we found:
• OpenSSF - Open Source Security Foundation
  ◦ Free: Security Software Development Fundamentals Courses https://openssf.org/training/courses/
• Security Journey
  ◦ Paid: White and Yellow Belts https://tryus.securityjourney.com/journey
• Security Compass
  ◦ Paid: Software Security Practitioner https://www.securitycompass.com/training/software-security-practitioner-ssp-suites/
• O’Reilly
  ◦ Paid: Software Security: Building Security In https://www.oreilly.com/library/view/software-security-building/0321356705/pt01.html
• Skillsoft
  ◦ Paid: https://www.skillsoft.com/

🙌 2
❤️ 1
📝 1
🔖 1
Siddharth, NatWest Group, DevOps CoE (he/him)12:05:41

How have you presented your business case for Security Champions? Was it successful ?

Ann Marie Fred - Red Hat12:05:10

What challenges have you faced with similar programs, and how have you addressed them?

Christian Warnholz12:05:32

Hi Ann, great talk! I am the security champion in my dev team. We develop features on the Salesforce SaaS platform with no-code solutions. So my challenge is that many security topics don't apply to our development or are handled by Salesforce. So I can't relate to my peers on other DevOps teams. I am in a sort of unique position so there is no collaboration regarding security topics :/

Ann Marie Fred - Red Hat12:05:34

I suppose things like the OWASP Top 10 would be difficult to translate when you’re not working with applications/APIs directly.

Ann Marie Fred - Red Hat13:05:35

I bet learning about validating input and escaping output might help? Letting people choose from a list of options vs. freeform text? Thinking about what you’re letting into your DB or file system?

Ann Marie Fred - Red Hat13:05:40

Are you picking up any useful nuggets here at the conference, I hope? ❤️

Ann Marie Fred - Red Hat13:05:38

Also - let me know if you want me to tag your feedback on my Twitter account! I would just need your Twitter handle to do that.

Ann Marie Fred - Red Hat13:05:25

By the way @christian.warnholz - did you see that there’s a Birds of a Feather session about low-code/no-code starting in an hour? 🙂

Ann Marie Fred - Red Hat13:05:13

I’m going to waltz over to the “Security, Audit, Compliance, GRC” BoF myself.

Christian Warnholz13:05:04

Thank you for your replies. I think BoF starts in one hour if my time zone is correctly configured 🙂

Ann Marie Fred - Red Hat14:05:40

Darn it, I got pulled into something at work for the next hour. Maybe tomorrow. 😞

jeff.gallimore (CTIO - Excella, he/him)12:05:31

“10% of our developers became SMEs” 🙌 that’s a big lift!

💯 1
😊 1
Ann Marie Fred - Red Hat12:05:31

I had really bad allergies when we recorded this. :-/

🤧 1
Virginia Laurenzano NSA/MARFORCYBER12:05:07

loved how practical that talk was. thank you!

Ann Marie Fred - Red Hat13:05:34

If you can use some of it back at work, then we succeeded. 🙂

👍 1
Siddharth, NatWest Group, DevOps CoE (he/him)12:05:19

Do you have any unanswered questions or wish to reach out to us later - @pareeksiddharth on Twitter https://www.linkedin.com/in/siddharthpareek/

👍 1
Lloyd P12:05:20

Great talk guys! thank you 🙂

Ian Richards12:05:33

Great talk thank you

Ann Marie Fred - Red Hat13:05:17

Glad you enjoyed it. 🔒

Ann Marie Fred - Red Hat12:05:34

If you’d like to reach out after the conference, I’m @DukeAMO on Twitter. My LinkedIn is https://www.linkedin.com/in/amfred/ . And of course we’re here in Slack!

Ann Marie Fred - Red Hat12:05:06

Thank you all for the great conversation! Now I’m going to have to circle back to some of the earlier bits; you kept us hopping.

❤️ 1
Slackbot13:05:02

Reminder: The breakout sessions are starting again in 5 minutes. Get in front of your browser and start navigating your way to whichever session you’re attending. https://devopsenterprise.slack.com/files/UATE4LJ94/F01D34MC2KS/image.png

Ann Perry - IT Revolution13:05:00

And now, the team from ING – @aurel-george.proorocu @mihai.roman2 and @misupriest1 – presenting Cybersecurity During Dark Times

Benedict Dodd14:05:48

Great session - thank you all 👍

👍 1
jeff.gallimore (CTIO - Excella, he/him)14:05:12

“don’t look at your colleague as someone who will slow you down”. yes. that. we’re all on the same team.

jeff.gallimore (CTIO - Excella, he/him)14:05:49

your help needed: i think there are a lot of people in this community who could share stories about this. ❤️

jeff.gallimore (CTIO - Excella, he/him)14:05:51

btw, there’s a birds of a feather session each day on security, audit, compliance, etc. during the networking time. @shaunnorris is hosting today’s.

❤️ 1
Ann Perry - IT Revolution14:05:00

🌟 And now, a warm welcome to @ben.dodd and Fliss Bennee, presenting A Data Problem the Size of Wales 🌟

👏 2
Benedict Dodd14:05:03

Fliss can't make it today, but I'm here to answer any questions you have, and any I can't I'll pass to Fliss and get back to you!

Andy Giles14:05:58

Love Fliss's intro

Andy Giles14:05:33

Great photo Ben

Benedict Dodd14:05:13

Listening to yourself speaking is a special kind of torture...

👏 1
andy henderson14:05:06

Always a great size analogy Fliss (size of Wales is an excellent unit of measure) :)

👍 1
Benedict Dodd14:05:33

There are some really interesting datasets available e.g. https://www.google.com/covid19/mobility/

Stephen Thomas14:05:38

Nothing like a good existential crisis to engender change and pull together a cross functional team

Andy Giles14:05:16

https://www.digitalmarketplace.service.gov.uk/ GCloud = A service catalogue for the UK Public Sector

Vlad Ukis15:05:57

How is that used in practice?

Andy Giles09:05:02

@vladyslav.ukis it is used like an Amazon shopping portal. Users search for a service and they are presented with options from a range of vendors. I'd happily share more details with you if you are interested.

Andy Giles09:05:35

One part of the Siemens organisation is set up as a vendor, see link below: https://www.digitalmarketplace.service.gov.uk/g-cloud/services/683529678881203

Vlad Ukis12:05:57

Cool! I will pm you.

👍 1
Benedict Dodd14:05:55

"And because we were in an emergency, there wasn’t time to shoot ourselves in the foot trying to spec up our needs, instead we just leapt right in to a partnership"

👍 1
Quinn Daley14:05:47

I love “important that they look horrible” as a way to be clear that input is needed

👍 1
andy henderson14:05:00

have had plenty of debate in the past about sharing prototype UI using corporate themes, refined visualisations etc, - if it looks 'almost done' then the conversation dries up as you only get suggested tweaks not detailed conversation about 'what's most important'

Benedict Dodd14:05:33

This is sometimes difficult for me as a Graphic Designer by trade (a long time ago) but as part of a design thinking discovery process it's SO important ☝️

👍 2
Quinn Daley14:05:24

it’s great for me as someone with rapid software prototyping skills and precisely zero graphic design skills

Quinn Daley14:05:12

because this was such a rapid deployment and “internal” in some ways (at least wrt the public), did you find you had to cut corners on things like quality/security in order to ship it at the speed that the government needed it?

Benedict Dodd14:05:35

We "built the quality in from the start"; the CI/CD pipeline had security, performance testing etc., allowing each commit to be a release candidate

❤️ 1
Quinn Daley14:05:40

and you enforced new coverage (at least of the most common paths) of tests for every new feature/commit?

Quinn Daley14:05:06

it’s very inspiring to see this being done at speed but still “well” - we often do the “well” but not the speed

Benedict Dodd14:05:40

Yes, Day2Ops on Day1 etc is a key practice for us

Vlad Ukis09:05:54

Could you pls explain "Day2Ops on Day1" in a bit more detail?

Benedict Dodd10:05:24

"Day2Ops" are the things you need to do to run the application or service the day after you launch it (Day 2 of its life) with customers - so things like operability / observability (logging, tracing, real user metrics etc etc), the ability to make changes to production safely and quickly, performance testing, disaster recovery etc. Considering these from day one (the first day of development) can, firstly, affect how and what you build and, secondly, dramatically improve the quality and agility of the service you end up providing. These are also likely very costly elements to retrofit into your services once they've been built. @vladyslav.ukis So having a delivery team that can balance feature delivery and service quality is essential to long-term success and avoiding the drop-offs in lead time and maintainability that a lot of teams see soon after launch day

Vlad Ukis12:05:26

Understood. Yes, of course. Agree fully.

Benedict Dodd14:05:44

But yes, architecting for security by managing the blast radius or limiting / removing PII data, for example, is also key

❤️ 1
Andy Giles14:05:59

Thanks @ben.dodd

Quinn Daley14:05:07

thank you both - really exceptional stuff

Benedict Dodd14:05:28

It was a key motivation for the whole team that we could move fast with real TRUST that made this such a rewarding experience - "We've learnt that uncertainty is not something to be feared, it’s something to be explored. Exploring uncertainty together brings us to understand ourselves and our organisations. And being open about what we do and how we do it with our users, our partners, our consumers helps us to travel the same road to certainty, it builds trust. Trust lasts longer than contracts, and it lets us do amazing things."

👏 2
Benedict Dodd14:05:49

Thank you everyone! This is a fantastic community to be part of. Our profiles are here: https://doeseurope2022.sched.com/speaker/fliss.bennee & https://doeseurope2022.sched.com/speaker/bendodd / https://www.linkedin.com/in/bendodd/ and if you have any questions, please email me at ben.dodd@armakuni.com or ping me directly on Slack

Slackbot16:05:06

Reminder: The plenary sessions are starting again in 5 minutes. Start making your way back to your browser and join us in #ask-the-speaker-plenary to interact live with the speakers and other attendees. https://devopsenterprise.slack.com/files/UATE4LJ94/F01D34MC2KS/image.png

Slackbot17:05:29

Reminder: Please submit your feedback for the talks you attended. It’s so valuable for us and the speakers. And after all, feedback is a gift and sharing is caring! Enter your feedback for those talks here: https://members.itrevolution.com/live/schedule https://devopsenterprise.slack.com/files/UATE4LJ94/F03E48CJRF1/image.png