This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
- # ask-the-speaker-plenary (1226)
- # ask-the-speaker-track-1 (411)
- # ask-the-speaker-track-2 (347)
- # ask-the-speaker-track-3 (540)
- # ask-the-speaker-track-4 (399)
- # birds-of-a-feather (17)
- # bof-american-airlines (2)
- # bof-arch-engineering-ops (10)
- # bof-covid-19-lessons (1)
- # bof-cust-biz-tech-divide (10)
- # bof-leadership-culture-learning (4)
- # bof-next-gen-ops (8)
- # bof-overcoming-old-wow (3)
- # bof-project-to-product (2)
- # bof-sec-audit-compliance-grc (37)
- # bof-transformation-journeys (1)
- # bof-working-with-data (2)
- # demos (78)
- # games (43)
- # general (249)
- # happy-hour (195)
- # hiring (20)
- # lean-coffee (47)
- # project-to-product (1)
- # psychological-safety (10)
- # summit-help (76)
- # summit-stories (23)
- # xpo-delphix (25)
- # xpo-digitalai-accelerates-software-delivery (3)
- # xpo-harness (1)
- # xpo-hcl-software-devops (5)
- # xpo-infosys-enterprise-agile-devops (6)
- # xpo-instana (4)
- # xpo-itmethods-manageddevopssaas (1)
- # xpo-itrevolution (18)
- # xpo-launchdarkly (6)
- # xpo-logdna (2)
- # xpo-moogsoft (4)
- # xpo-muse (2)
- # xpo-nowsecure-mobile-devsecops (6)
- # xpo-opsani (7)
- # xpo-pagerduty (19)
- # xpo-pc-devops-qualifications (3)
- # xpo-plutora-vsm (3)
- # xpo-redgatesoftware-compliant-database-devops (6)
- # xpo-servicenow (14)
- # xpo-snyk (3)
- # xpo-sonatype (7)
- # xpo-split (2)
- # xpo-sysdig (15)
- # xpo-tasktop (43)
- # xpo-teamform-teamops-at-scale (4)
- # xpo-transposit (11)
- # xpo-tricentis (1)
Hi everyone. Where I can find the "canonical" definition of Segregation of Duties? Or the next best thing? Is it within the SOX act text (I didn't find it there)?
Implementations seem to range from "requiring any 2+ people to approve a change" (like any code review) to "require 2 or 3 people from 2 or 3 different roles" (dev and ops and biz)
I always interpreted this as, ‘it should take an act of collusion to commit fraud’, or ‘no one person should be able to commit fraud’.
Historically implemented as dev can’t deploy with the idea that if only Ops can deploy the code then no dev can sneak stuff in.
More recently though folks use the ‘four eyes’ principal (code reviews) to approve code changes which is much more effective.
https://nvd.nist.gov/800-53/Rev4/control/AC-5. Though to be clear, it does not explicitly mandate separate people/roles. But the language walks so close to requiring it that most people implement it that way. (Even though it has more to do with auditing vs building than the deployment process) Agree that 'four eyes' or what I call the "nuclear code" model (two keys required to launch) is a better system.
The NIST definition really walks very close to require separate roles. Point (ii) seems the most strong on it. And most definitions/descriptions I've seem from regulations (or interpretations/guides to regulations) do walk that close.
Do you have knowledge of any material that specifically discuss the validity of the "four eyes" approach to separation of duties?
The Acellerate book show a case like that (four eyes review for SOD), but it does not dive much in "convincing material" for discussing it with auditors/etc.. It always seems a understading that you will have to build with your governance team and auditors. One that won't be easy to build 😄
@dmorales I've never seen someone commit to writing that 'four eyes' is a control - but there is where partnership with your auditor is key. In a past life, we were able to show an auditor that developer could deploy - only through the automated tool - and only after reviews/automated checks - and that the pipeline was immutable (developers could not circumvent it) and the audit log was immutable (developers did not have rights to change it) so it had the effect of meeting the separation of concerns by having different people for development vs audit. Make friends with your auditor, is what I'm saying 😅
Btw, does anyone know of an open and permanent forum/community on the Internet focused on devops+compliance/audit/grc ?
All Day DevOps has a slack community that is open all year. Within that workspace there is a DevSecOps channel.
You can access it at http://alldaydevops.com and click on the Slack logo at the top of the page.
I would also do google searches for other Slack communities as there are many to find out there.
Things we discussed in the first BOF session on Tuesday:
• how to integrate security teams into development? Team meetings, training, tooling, etc.
• how to implement automated ATOs (authority to operate into DevOps environments)
• how to get Compliance and Audit to sign off on an automated set of rules/guardrails that support better and more consistent compliance
• How to best educate developers on the wide variety of compliance requirements in heavily regulated industries
• How can small security/AppSec teams best serve large development organizations? (i.e., we’re outnumbered, help!)
• Who is using DevSecOps scoring, grading, or gamification to influence behaviors
interested in this we are talking about this today
Have any of these questions yourself? Come join this BOF later today.
<!here> Hi everyone! I’ll be hosting tonight’s Security-Audit-Compliance-GRC session. Looking forward to talking with you all as this is always an exciting topic: Here’s the Zoom info for BOF session starting at 2:45pm PT / 5:45pm ET: https://sonatype.zoom.us/j/96981266419 Meeting ID: 969 8126 6419 One tap mobile <tel:+16468769923,,96981266419#|+16468769923,,96981266419#> US (New York) <tel:+13017158592,,96981266419#|+13017158592,,96981266419#> US (Germantown)
Great conversation tonight around: • how to integrate security into DevOps without slowing down the process, or becoming the "bad guys" • GDPR/California/SOX Compliance • Segregation of Duties (SOD) • using containers and pipelines to help ensure compliance Also check out: https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
One more session tomorrow afternoon Thursday 10/15 @ 2:45pm PST / 5:45pm EST on all of your security, audit, compliance and DevSecOps questions. Dont miss it!
Have a generic question on Risk Management tools -- How is the risk score calculated in the IT risk management tools? What attributes is the risk score based on?
I am guessing that would be subjective. Other than general IT controls, its hard to have a common framework for scoring
Agree. In our experience we found Risk scoring not to be that helpful. Instead we created cross functional safety teams who engaged across 1 or more value streams on a continual basis. Instead of a Risk score the team agreed through discussion which quarterly Outcomes needed their attention and what Risk Stories to place in the backlog.
More detail in Sooner Safer Happier (one of the free download books)