2022-05-10
Hello to all the "Track 2" community, looking forward to an interesting few days
Reminder: The breakout sessions are starting in 5 minutes. Get in front of your browser and start navigating your way to whichever session you’re attending. https://devopsenterprise.slack.com/files/UATE4LJ94/F01D34MC2KS/image.png
⭐ Back from the break, we're introducing @dhruba.chaudhuri and @leena.pradhan from TCS, here to present Scaling DevSecOps adoption in a Large IT Services Firm ⭐
How do you continuously adapt your framework, as DevOps methods and best practices change over time? How often do you adapt this?
We capture the practices in digitized form and often interact with practitioners after we spot them. On the other hand, we keep watching which practices and tools are trending in the industry, so about 6 months of such observation may lead to an enriched version.
Based on the insights we derive from the benchmarking exercise, we continuously update the assessment method and questions/responses.
Projects are advised to take the re-assessment in 4-6 months' time, after they implement the recommendations and post contextualization based on their context.
⚡ Excited to introduce @ann.marie.99 and @siddharth.pareek here to present Rebuilding Security Culture with Security Champions: Our experience at IBM, Red Hat & NatWest Group ⚡
Hi everybody! Welcome to our Security Champions talk. Siddharth and I have prepared some questions for you too, and we hope you’ll enjoy it.
Hello and welcome, all, to hear @ann.marie.99's and my story of building Security Culture. Hope it motivates and helps the community globally 🙂
So, where are people joining us from today? Flag emojis?
Which industry are people from? I'll start: Banking and Finance Industry.
Have you ever done Threat Models or a Pen Test more than 2 months before shipping a product? Or do you leave them until the last minute too?
That stat lines up with what I’ve heard: dev:ops:security = 100:10:1
We need our security folks to also learn, appreciate, understand, support DevOps, flow 🙂
Is that being covered in your VSM practices, BMK?
In some organizations this is a slow area (upskilling rate): modern cloud, distributed, cloud-native architecture.
@siddharth.pareek - They asked me to come back after 3 months 🙂 LOL
Jokes apart, but yes, we are working closely with our ISM/ICS teams.
You’re right. A security professional who also has a deep understanding of cloud and DevOps is even more rare (and wonderful). We’re working on it. What helps a lot is that we try to have the same security architect stay with the same group of related applications over time.
We also brought back our same pen testing team 3 years in a row, and we found that they got more creative with their free-form testing from year to year.
I could see the value in a different pen testing team each year as well, though. Fresh set of eyes and all.
The statistic that there’s only 1 full-time security professional per developer, does that hold true for your org? Roughly how many security professionals do you work with?
Our poor overwhelmed security architect. Yes he’s 1 person to about 100 developers.
When devs said “security is a pain point”, what specifically was the pain for them?
I’ll talk about it a little later, but it was mostly compliance fatigue. They were spending so much of their time doing, frankly, BORING security and privacy work.
It was also difficult for them to keep up with new vulnerabilities that were constantly being reported, every week.
GRC is a challenging topic for Devs - I agree with you @ann.marie.99
And use of OSS libraries to compose applications is increasing, so the problem will only get worse.
Curiosity: I want to understand how fast your organization addressed the Log4j issue, in terms of hours and $$ effort. Anyone interested in sharing some stats?
Ideally, when each version came it was done quickly. However, after each version new vulnerabilities were identified, so it became cyclic resolution. And now we have lined up.
I had moved from IBM to Red Hat at the time and we didn’t have much running software in our new application, so I’m a bad example. I did see chatter on the mailing lists that Red Hat had to address it, I think, three times in quick succession, as new vulnerabilities were reported. And that’s from the outside; it was treated as an embargoed defect first, which I wasn’t privy to.
One of the stats I heard: one org spent 5000 hours to address this issue. So I want to understand the numbers from other institutions and verticals.
We had Whitesource at IBM scanning all of our repos, so I imagine the teams could address it within a day each time, for the repos instrumented with Whitesource.
That is great for apps you own and build; it is a nightmare for apps you do not own and do not build.
The best you can do in that case is to get a notification right away when the vendor makes a patch available, and then apply the patch quickly. But it’s not entirely in your hands. Sometimes you can apply a mitigation in a Web Application Firewall.
Also - let me know if you want me to tag your feedback on my Twitter account! I would just need your Twitter handle to do that.
Do any of you already have a program similar to what we’re describing here? Do you use the same terms or different terms to describe it?
We are looking at the IKEA Cyber-Jedis concept @lloyd.passingham
Yeah! We're in the process of getting together a pilot scheme by end of Q2, similar to what IKEA showcased at last year's summit.
Is that 10-15 hrs of security training a one-off? How can we help teams keep up to date with changes in security?
It was foundation basics, and as people move up the ladder of experience there are other programs.
The 10-15 hours is really basic foundational knowledge that won’t change too quickly. But the Secure Engineering Guild is how we keep people up to date on the latest info. Coming up next in the talk. 🙂
A huge core component of how we're building our champions program is that "The goal of any security champion is to grow and inspire more security champions"
The goal is to build Security Culture. Having more security champions is one of the objectives by which it can be achieved.
Do you have training plans that you use now, or that you would recommend? Love to hear.
For example, when we were about to re-assess our application security, we’d talk about how to use the assessment tool for a bit. Or when we were about to start threat models, we’d talk about what to include in our architecture diagrams.
This is a really good idea, security is such a large and complex beast that skill fade can be a real problem within teams. I'll definitely be looking for ways to include ideas like this going forward 🙌
Here are some training programs we found:
- OpenSSF - Open Source Security Foundation
  - Free: Security Software Development Fundamentals Courses https://openssf.org/training/courses/
- Security Journey
  - Paid: White and Yellow Belts https://tryus.securityjourney.com/journey
- Security Compass
  - Paid: Software Security Practitioner https://www.securitycompass.com/training/software-security-practitioner-ssp-suites/
- O’Reilly
  - Paid: Software Security: Building Security In https://www.oreilly.com/library/view/software-security-building/0321356705/pt01.html
- Skillsoft
  - Paid: https://www.skillsoft.com/
How have you presented your business case for Security Champions? Was it successful?
What challenges have you faced with similar programs, and how have you addressed them?
Hi Ann, great talk! I am the security champion in my dev team. We develop features on the Salesforce SaaS platform with no-code solutions. So my challenge is that many security topics don't apply to our development or are handled by Salesforce. So I can't relate to my peers on other DevOps teams. I am in a sort of unique position, so there is no collaboration regarding security topics :/
I suppose things like the OWASP Top 10 would be difficult to translate when you’re not working with applications/APIs directly.
I bet learning about validating input and escaping output might help? Letting people choose from a list of options vs. freeform text? Thinking about what you’re letting into your DB or file system?
Are you picking up any useful nuggets here at the conference, I hope? ❤️
By the way @christian.warnholz - did you see that there’s a Birds of a Feather session about low-code/no-code starting in an hour? 🙂
I’m going to waltz over to the “Security, Audit, Compliance, GRC” BoF myself.
Thank you for your replies. I think BoF starts in one hour if my time zone is correctly configured 🙂
Darn it, I got pulled into something at work for the next hour. Maybe tomorrow. 😞
“10% of our developers became SMEs” 🙌 that’s a big lift!
If you have any unanswered questions or wish to reach out to us later: @pareeksiddharth on Twitter, https://www.linkedin.com/in/siddharthpareek/
If you’d like to reach out after the conference, I’m @DukeAMO on Twitter. My LinkedIn is https://www.linkedin.com/in/amfred/ . And of course we’re here in Slack!
Thank you all for the great conversation! Now I’m going to have to circle back to some of the earlier bits; you kept us hopping.
Reminder: The breakout sessions are starting again in 5 minutes. Get in front of your browser and start navigating your way to whichever session you’re attending. https://devopsenterprise.slack.com/files/UATE4LJ94/F01D34MC2KS/image.png
✨And now, the team from ING – @aurel-george.proorocu @mihai.roman2 and @misupriest1 – presenting Cybersecurity During Dark Times ✨
Hello everyone! Thank you for attending our talk! If you have any questions we are here on Slack or on Twitter: https://twitter.com/AurelProorocu / https://twitter.com/mrmihaipopa / https://twitter.com/mihai_roman & LinkedIn: https://www.linkedin.com/in/aurelp / https://www.linkedin.com/in/mihai-iulian-roman / https://www.linkedin.com/in/mihaivalentinpopa
“don’t look at your colleague as someone who will slow you down”. yes. that. we’re all on the same team.
Your help needed: I think there are a lot of people in this community who could share stories about this. ❤️
BTW, there’s a birds of a feather session each day on security, audit, compliance, etc. during the networking time. @shaunnorris is hosting today’s.
🌟 And now, a warm welcome to @ben.dodd and Fliss Bennee, presenting A Data Problem the Size of Wales 🌟
Hello everyone 👋 thank you for joining our session: https://doeseurope2022.sched.com/event/11f3M/a-data-problem-the-size-of-wales
Fliss can't make it today, but I'm here to answer any questions you have, and any I can't I'll pass to Fliss and get back to you!
Always a great size analogy, Fliss (size of Wales is an excellent unit of measure) :)
There are some really interesting datasets available, e.g. https://www.google.com/covid19/mobility/
Nothing like a good existential crisis to engender change and pull together a cross functional team
https://www.digitalmarketplace.service.gov.uk/ GCloud = a service catalogue for the UK Public Sector
@vladyslav.ukis it is used like an Amazon shopping portal. Users search for a service and they are presented with options from a range of vendors. I'd happily share more details with you if you are interested.
One part of the Siemens organisation is set up as a vendor; see link below: https://www.digitalmarketplace.service.gov.uk/g-cloud/services/683529678881203
"And because we were in an emergency, there wasn’t time to shoot ourselves in the foot trying to spec up our needs, instead we just leapt right in to a partnership"
I love “important that they look horrible” as a way to be clear that input is needed
Have had plenty of debate in the past about sharing prototype UI using corporate themes, refined visualisations etc. If it looks 'almost done' then the conversation dries up, as you only get suggested tweaks, not detailed conversation about 'what's most important'.
This is sometimes difficult for me as a Graphic Designer by trade (a long time ago), but as part of a design thinking discovery process it's SO important ☝️
It’s great for me as someone with rapid software prototyping skills and precisely zero graphic design skills.
There is an article with a little more detail here; https://www.ukauthority.com/articles/welsh-platform-supports-data-led-policies-on-covid-19/
Because this was such a rapid deployment and “internal” in some ways (at least wrt the public), did you find you had to cut corners on things like quality/security in order to ship it at the speed that the government needed it?
We "built the quality in from the start"; the CI/CD pipeline had security, performance testing etc., allowing each commit to be a release candidate.
And you enforced new coverage (at least of the most common paths) of tests for every new feature/commit?
It’s very inspiring to see this being done at speed but still “well”; we often do the “well” but not the speed.
"Day2Ops" are the things you need to do to run the application or service the day after you launch it (Day 2 of its life) with customers, so things like operability / observability (logging, tracing, real user metrics etc. etc.), the ability to make changes to production safely and quickly, performance testing, disaster recovery etc. Considering these from day one (the first day of development) can, firstly, affect how and what you build and, secondly, dramatically improve the quality and agility of the service you end up providing. These are also likely very costly elements to retrofit into your services once they've been built. @vladyslav.ukis So having a delivery team that can balance feature delivery and service quality is essential to long-term success and to avoiding the drop-offs in lead time and maintainability that a lot of teams see soon after launch day.
But yes, architecting for security by managing the blast radius or limiting / removing PII data, for example, is also key
It was a key motivation for the whole team that we could move fast with real TRUST that made this such a rewarding experience - "We've learnt that uncertainty is not something to be feared, it’s something to be explored. Exploring uncertainty together brings us to understand ourselves and our organisations. And being open about what we do and how we do it with our users, our partners, our consumers helps us to travel the same road to certainty, it builds trust. Trust lasts longer than contracts, and it lets us do amazing things."
Thank you everyone! This is a fantastic community to be part of. Our profiles are here: https://doeseurope2022.sched.com/speaker/fliss.bennee & https://doeseurope2022.sched.com/speaker/bendodd / https://www.linkedin.com/in/bendodd/ and if you have any questions, please email me at ben.dodd@armakuni.com or ping me directly on Slack
Reminder: The plenary sessions are starting again in 5 minutes. Start making your way back to your browser and join us in #ask-the-speaker-plenary to interact live with the speakers and other attendees. https://devopsenterprise.slack.com/files/UATE4LJ94/F01D34MC2KS/image.png
Reminder: Please submit your feedback for the talks you attended. It’s so valuable for us and the speakers. And after all, feedback is a gift and sharing is caring! Enter your feedback for those talks here: https://members.itrevolution.com/live/schedule https://devopsenterprise.slack.com/files/UATE4LJ94/F03E48CJRF1/image.png