Gene Kim’s ^ Through A Security Lens with Mark Nunnikhoven | @marknca
2013 2016 2018 2019
2013: Development and Operations should work together; 2016: Here are tactics and playbooks to help; 2018: Here’s data to help support the cultural transformation; 2019: Development needs better tooling & support
Roadblocks: Lack of understanding of what needs to be in place to deliver desired outcomes; Getting data to where it can be used most effectively; Opposition to cultural change
The Five Ideals: Locality and simplicity; Focus, flow, and joy; Improvement of daily work; Psychological safety; Customer focus
Maxine
Maxine: Gets hit with an outage; Is dealt an outrage; Starts a maddening new journey; Her experiences frame the cultural changes in the org
Maxine (DevOps), William (Security)
1 Locality and Simplicity
1 Maxine (DevOps), NOT local and NOT simple: “I need to deploy” (diagram labels: Licenses, Code, Access, Resources, Customers, Stakeholders ×5)
1 Maxine (DevOps), local and simple: “Please accomplish this goal”, “I need to deploy” (diagram labels: Stakeholders, Customers, Access, Code, Licenses, Resources)
1 William (Security), helping development: “I have to approve/verify/audit” (diagram labels: Code, Access)
1 William (Security), helping development: “I have to approve/verify/audit” (diagram labels: Educate, Code, Access, API/Self-service, DON’T DO)
1 William (Security), helping yourself: Centralize logging access/analysis; Centralize audit access; Set up guardrails for other teams
2 Focus, Flow, and Joy
2 Maxine (DevOps): Use tools that make solving problems easier; Focus on solving the business problem; Leverage platforms for immediacy and fast feedback
2 William (Security), helping development: Provide self-service for security; Immutable platform; DevOps Flow
2 William (Security), helping yourself: Automate absolutely everything; …even the ones that are “special”; …even the ones that are “impossible”
3 Improvement of Daily Work
Security is really bad at this.
3 Maxine (DevOps) (diagram labels: “Stop all work”, Experiment, Fix, Work, Work, Idea, Feedback, Innovation Flywheel, Andon Cord)
3 William (Security), helping development: Educate; API/Self-service
3 William (Security), helping yourself: Don’t accumulate technical debt; Don’t accumulate security debt; Automate in place (Andon Cord diagram labels: “Stop all work”, Fix, Work, Work)
4 Psychological Safety
4 Maxine (DevOps): Foster a culture where… • It’s ok to make a mistake • There’s no fear of reprisal • It’s normal to discuss problems openly
4 William (Security), helping development: Don’t assign blame; Support a culture of teaching & learning; Trust & enable…and yes, verify
4 William (Security), helping yourself: Foster a culture where… • It’s ok to make a mistake • There’s no fear of reprisal • It’s normal to discuss problems openly
5 Customer Focus
5 Maxine (DevOps): Focus on the core of the business, not context; “Does this matter to our customer?” as a guiding light; Remove work that doesn’t matter
5 William (Security), helping development & yourself: Focus on the core of the business, not context; “Does this matter to our customer?” as a guiding light; Remove work that doesn’t matter
Keys To Success
The Five Ideals: Locality and simplicity; Focus, flow, and joy; Improvement of daily work; Psychological safety; Customer focus. Apply equally to security & development
5 Your Security Practice Focus: Educate development about security concerns; Provide self-service/API driven security tools; Improve your daily work through relentless automation
Thank You. Mark Nunnikhoven, Vice President, Cloud Research, Trend Micro. @marknca | https://markn.ca