SKILupDay

   10 months ago
#SKILupDayObservability #SKILupDayDiscussing Observability and Upskilling in DevOps ahead of SKILup Day
   8 months ago
#SKILupDayAIOps and MLOps #SKILupDayDiscussing AIOps and MLOps ahead of SKILup Day on October 15
Anshul Lalit
If you’re doing DevOps correctly then DevSecOps is already a part of it. Do you agree? If yes/no, why?
Marc Cluet #BLM
Yes, it should be part of it, otherwise you're just creating another silo #DevSecOps #DevOpsInstitute #SKILupDay
savinderpuri
Absolutely. But it gets more attention if you call if DevSecOps :-)
Jack Maher MSIS, PMP, DOL, CAL, SRE
I'd say that you can't say you're doing Continuous Delivery if you really can't release your code.
Siddharth
not agree though as correctly doing #DevOps means different thing to different people. May be security is not part of it and next best thing to be focused on. #DevSecOps
Vishnu Vasudevan
Not really. static code scanning, dynamic code scan and Container scan needs to be mandated with thresholds managed by the CISO's and also not taking the control from the engg teams. If there is no thresholds, developers can push it to prod by mistake/error
Helen Beal 🐝
Yes I would BUT DevOps didn't have a very good record of bringing security peeps to the party - for me, it's the opportunity to rightsize the effort that was neglected and sometime, hopefully, it'll fade away. But it's a big topic and there's still a lot of learning
felipe dueñas
Yes, but it is important to measure
Mark Peters
yes but. Only if teams agree security is part of value process. Compliance needs also often call for specialized experts and audit
Daysha DevOps
and that includes security requirements in the backlog and treated as equal with features #SKILupDay#DevSecOps
Vishnu Vasudevan
@TinyCyber with Digital transformation and cloud journey security must be part of the process and it cannot be left out or cannot be a after thought.
Helen Beal 🐝
Thanks Anshul :-)
Manny Varela
Yes, but "Continuous Monitoring" is essential!
Mark Peters
@vishnube needs to be more than just scans. Teams have to understand why that process matters and where. Too easy to set scan for passing
Mark Peters
@vishnube agreed. Often teams feel like new feature overweighs security checks. We’ve done two releases without sec fixes because. Welll. FEATURE!
DevOps Institute
How do you define DevSecOps?
Marc Cluet #BLM
Shift left of the Security paradigm, ensuring that Security is integral day zero participant in the full process, embedding in teams and participating in the release cycles #DevSecOps #DevOpsInstitute

(edited)

Siddharth
as individual worries about the code from start till the delivery of value, let's have similar empathy to the security as well :) #SKILupDay #DevSecOps
Mark Peters
cultural integration of your fullstack team to create value
Helen Beal 🐝
Bringing security to the DevOps party through cultural change and shifting security left into the value stream and DevOps toolchain
Jack Maher MSIS, PMP, DOL, CAL, SRE
You can't actually deploy anything to production without doing at least minimum security hygiene. But it was not explicitly called out early on...
Jayne Groll
Security is everyone's responsibility thereby requiring every role, team and function to develop core security skills
savinderpuri
adding security through the SDLC and not just as a release end activity
Vishnu Vasudevan
Bringing the Security team part of the operations reduces the risk at greater level by providing the control and visibility across the organisation.
Shlomo Bielak
Finding the model to effectively collaborate with other stateholders
Mark Peters
fun is not secure. Business value today depends on effective security
Anshul Lalit
to build the mindset that everyone is responsible for security and ensuring it as a continuous process
felipe dueñas
Security is a fundamental part of DevOps
Vishnu Vasudevan
Implementing DevSecOps gives biz & Tech a chance to validate their security & compliance against their organization goal and will give an opportunity to continuously improve on their goals around security to avoid hefty penalties as result of audit, legal& compliance
Vishnu Vasudevan
More adoption now to open source components and cloud adoption, security becomes inevitable and security cannot be an after thought for the engineering teams.
Simone Jo Moore
Security built in as something as automated like breathing.
Mark Peters
Absolutely like breathing. But more like exercise. Still have to understand why
Mark Peters
more like yoga. Movement and breath need to happen together to create balanced processes
Siddharth
What do you see as the single biggest DevSecOps challenge right now, and what is your advice for overcoming it? #SKILupDay #DevOps

(edited)

Marc Cluet #BLM
Integrating security with policy-as-code which is a very nice way to join both worlds and ensure escalation by exception #DevSecOps #DevOpsInstitute #SKILupDay
Shlomo Bielak
Engineering talent constraints that understand security. Overcoming it is more about removing toil from the talent you have,
Helen Beal 🐝
There are so many! It's either going to be the exponential rise in threats or the cyber security shortage in the market
Jack Maher MSIS, PMP, DOL, CAL, SRE
the idea within the InfoSec world that they shouldn't be black ops, that they will give up capability in a distributed event.
felipe dueñas
Cooperation culture
savinderpuri
Security team not wanting to do it :-)
Simone Jo Moore
Culture around security responsibility
Daysha DevOps
ensuring the delivery teams are aware of emerging security threats
Helen Beal 🐝
How do you go about removing toil?
savinderpuri
@bealhelen Got the CIO to tell them - my way or the highway! Easy, peasy!!
Jack Maher MSIS, PMP, DOL, CAL, SRE
to address this resistance, once the new approach is considered and understood, there is significantly less resistance (at the individual security professional level).
savinderpuri
@BealHelen Got the CIO to tell them - my way or the highway! Easy, peasy!!
Suma Puligella
I would say implementing CI/CD. In order for DevSecOps to be successful, one cannot expect new DevOps processes and tools to adapt to old methods of security.
Vishnu Vasudevan
Policy based pipeline (security as a policy) with control to security teams so that no code is pushed to prod without their sign off.
Mark Peters
@dayshaitpm basics first, understand your attack surface and risks, then threats. Most problems ate old stuff