Chris Graham spoke about his DevOps and DevSecOps journey
There was an full house last night when, we played the Season 1 Episode 04 of the DevSecOps meetup for the attendees. The speaker of the night was Chris Graham who shared his insight on DevOps, DevSecOps and NoOps.
Sponsor shoutout before heading into the presentation learnings:
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
The presentation started with a brief history of “the Past” — mainframes, IBM virtual machines, servers, data centres, cloud and as we progressed through each of these phases in technology — “the skills to run” “physical or virtual machines became” “commoditized”.
Everyone wanted to go faster and cheaper from this traditional approach which had been on-goingly failing us. This slide below from his presentation share some insight into the horrors of what trying to scale in a traditional world would seem like.
Talking about the present phase that technology is in, the current state of DevOps is mostly still silos in few organisations.
DevOps need to be a cultural change and not just a business change as per Chris’s recommendation.
What model of roles would work for DevOps and DevSecOps
For DevOps — Developers need to write test case for their unit test.
For DevSecOps — A loaned security specialist who works with the team through development of a feature/product to help make security decisions early.
One of the attendees asked about having a separate devsecops team was something that was considered?
Enterprise DevSecOps and why is it different? You guessed it — it’s the G word.
As a startup governance can be an afterthought as the focus is to get the MVP out and make a product available for consumers at the earliest. However, for an enterprise governance is an on-going thing which leaves a scar throughout the organisation years after a governance incident.
DevSecOps and DevOps — The Future
- Use of BigData for understanding patterns of malicious behaviour with the help of machine learning and predictive threat analysis.
One of the attendess mentioned an Android market place bug where the hackers designed the app to self improve itself each time it was detected by an anti-malware software as malicious. Is there anything being done by the blue team for such upcoming ML driven attacks?
- Fully Automated DevOps leading to NoOps
One of the attendees question was around his concern for lost art of basic troubleshooting because of such high level of abstraction from users?
The talk concluded with a real world example of secret and key management problems in an enterprise and how automation can help solve some these problems.
Personal question that I took away from the talk —
DevSecOps and DevOps — Is security really my problem when I have a team whose actual job it is to ensure exactly that throughout the organisation? was an interesting question for me personally from the talk as someone who promotes the shift left
As always feel free to reach out if you have something that you would like to share or talk about at the next meetup. :)