Learnings from DevSecOps Meetup Melbourne — S01E01, Jan 2018

Yesterday we held the first DevSecOps Meetup for 2018, S01E01. These are the highlights of what I learned from the meetup.

Talk 1:
Seth van Buren
Principal DevOps Consultant, Versent

Seth spoke about how his passion for keeping his team from logging in to a server, unless it’s a break-glass scenario, led him to Netflix Bless.

Netflix Bless is, in their own words, “an SSH Certificate Authority that runs as an AWS Lambda function”.

The talk was about his journey: how he spent 2 days reading about, implementing and automating portions of the Netflix Bless setup, the certificate request and the certificate cleanup process.

There was a lot of sweat and tears of joy experienced throughout the journey by Seth, and the demo-gods smiled at him for a demo of his automated solution. As part of his demo, he used AWS CloudFormation to set up the Netflix Bless server, and a bash script to store his private key in Unicreds, which was then used to request a new temporary certificate from the Bless server. The steps were as follows:

It takes a bit to understand the deeper workings of the solution. Hats off to Seth for taking the time to understand the solution and automate a lot of it.
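To illustrate the request-and-cleanup flow Seth automated, here is an added example (not code from the talk, and not from Netflix Bless itself): a throwaway ssh-keygen key stands in for the Bless Lambda as the CA, `issue_cert` signs a short-lived certificate for a single principal, and `cleanup_expired` deletes certificates whose validity window has closed. The scratch directory, key names and the `ec2-user` principal are assumptions.

```shell
#!/bin/sh
# Local stand-in for the Bless flow: a throwaway ssh-keygen CA (instead of the
# Lambda-held key) signs short-lived user certificates, and a cleanup step
# removes the ones that have expired. Constructed example, not Bless code.
set -eu

WORK=${BLESS_DEMO_DIR:-$(mktemp -d)}   # hypothetical scratch directory
CA_KEY="$WORK/demo_ca"                  # hypothetical CA key path

# Create the CA signing key once (idempotent, so re-running never prompts).
setup_ca() {
    [ -f "$CA_KEY" ] || ssh-keygen -q -t ed25519 -N '' -f "$CA_KEY"
}

# issue_cert NAME PRINCIPAL VALIDITY: fresh ephemeral key pair, then a
# CA-signed certificate limited to PRINCIPAL. VALIDITY uses ssh-keygen's
# -V syntax, e.g. "+5m" for a five-minute cert. Prints the cert path.
issue_cert() {
    key="$WORK/$1"
    ssh-keygen -q -t ed25519 -N '' -f "$key"
    ssh-keygen -q -s "$CA_KEY" -I "$1" -n "$2" -V "$3" "$key.pub"
    echo "$key-cert.pub"
}

# cert_expiry CERT: the "to" timestamp from `ssh-keygen -L`, as a 14-digit
# YYYYMMDDhhmmss number (local time, the same zone `date` reports below).
cert_expiry() {
    ssh-keygen -L -f "$1" \
      | sed -n 's/.*Valid: from [^ ]* to \([^ ]*\).*/\1/p' | tr -d 'T:-'
}

# cert_is_expired CERT: succeeds when the validity window has already closed.
cert_is_expired() {
    [ "$(cert_expiry "$1")" -lt "$(date +%Y%m%d%H%M%S)" ]
}

# cleanup_expired DIR: delete expired *-cert.pub files, print how many.
cleanup_expired() {
    removed=0
    for c in "$1"/*-cert.pub; do
        [ -f "$c" ] || continue
        if cert_is_expired "$c"; then rm -f "$c"; removed=$((removed + 1)); fi
    done
    echo "$removed"
}
```

Run `setup_ca`, then `issue_cert live ec2-user +5m` for a usable cert and `cleanup_expired "$WORK"` from a cron job or post-session hook to prune the stale ones.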

If you have any questions, do reach out to him on LinkedIn.

Talk 2:
Adrian Kitto
Independent Security Architect

Adrian talked about “Shifting Security to the Left”. Adrian has been a strong advocate of getting security to work with the DevOps team, and vice versa. He shared his experience of how security has traditionally been branded as the “No-sayers”. There are underlying comments to each side of the story.

Traditional approach:

Corporate Security — “We are brought in 2 or less days before production deployment and when we see a problem, we are frowned upon for saying No”

DevOps — “← Fill in rants from the internet about why security is a blocker →”

New approach:

Shift security to the left. This is his advice for both sides:

Advice for Security

Advice for Developers

Very similar to the advice for Security folks :)

The attendees loved this presentation, as the presented approach to security is different from what people have seen in their organisations. There were a lot of questions on how others can reach out to people in the community, e.g. Adrian Kitto and yours truly :), who are leading by example on how security can become an enabler if all of us work together.

Other News:

Please feel free to reach out if I have misrepresented anything here.

Peace out!

Security expert with a goal to make security an enabler instead of a blocker in the exciting world of cloud and machine learning. www.ashishrajan.com
