A Practitioner's Tale: Uniting Dev, Sec, and Ops Tribes
A Practitioner's Tale: Uniting Dev, Sec, and Ops Tribes
Curtis Yanko
Sr. Principal Architect
A Bit About Me
• Started programming in the 1970s
• I’ve seen the rise of and used…
• ...OOP, 4th Gen languages, UML, XP, Agile, ERP, SOA, CI, CD...
• Started programming professionally in the 1990s
• ...like a lot of junior programmers I got stuck with the build/SCM
• Did Enterprise CI at a Fortune 25 company
• Did CI/CD at a Fortune 100 company
• Launched a DevOps Center of ‘Enablement’
For Fun
• Night Hikes
• Board game night
• Ultimate Frisbee
• Volunteer for ECAD to help raise and train service dogs
• @onCommit
• DevOps in the Enterprise on
Agenda
• Why we should care
• Practitioner's Tale
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Seriously?
Count of exploited CVEs in 2014 by year published
8 years later, vulnerable versions of Bouncy Castle were downloaded… 5.8M times
CVE-2007-6721
CVSS Base Score: 10.0 HIGH
Impact Subscore: 10.0
Exploitability Subscore: 10.0
Timeline: 2007 to 2015
USE THE HIGHEST QUALITY PARTS
Why Sec hates Dev
Security can’t keep up with the pace of modern development practices and the complexities of component dependencies.
Analysis of 3,000 organizations:
• 229,898 downloads (orders)
• 5,275 components, all versions (parts)
• 2,071 components (suppliers)
Why Dev hates Sec
Developers don’t like security slowing them down by dumping scan reports on them weeks or months after the fact.
SOFTWARE IS MANUFACTURED FROM PARTS
“Software is eating the world”
-- Marc Andreessen
“If you want to make enemies, try to change something”
-- Woodrow Wilson
Empathy
A picture: Software Factory & Component Based Development
Pipeline elements shown: Public Repos, Binary Repo, Source Code, Build (CI), Deploy (CD)
Environments shown: Dev, QA, UAT, Prod
INNOVATION WAVE IN YOUR SOFTWARE FACTORY
What vs How
There is a difference between Policies and Governance
AUTOMATE AUTOMATE AUTOMATE
DESIGN A FRICTIONLESS APPROACH
@sonatype
CREATE A SOFTWARE BILL OF MATERIALS
bit.ly/softwareBOM
@sonatype
ZTTR (Zero Time to Remediation)
EMPOWER DEVELOPERS FROM THE START
@weekstweets
Say Hello to Your Software Supply Chain…
Automate your software supply chain with three proven principles:
• Use higher quality parts
• Use better & fewer suppliers
• Track what you use and where
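The "track what you use and where" principle and the software bill of materials slide, as an added example that is not part of the original deck or any Sonatype tooling: it inverts constructed per-application dependency manifests into a component-to-applications SBOM and flags components below an advisory's fixed version. All component names, versions and the advisory id are constructed placeholders.

```python
"""Minimal SBOM build and advisory check (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str


# Constructed sample manifests: which application ships which component.
MANIFESTS = {
    "billing-service": [Component("org.example", "crypto-lib", "1.37"),
                        Component("org.example", "json-parser", "2.4.1")],
    "web-frontend":    [Component("org.example", "crypto-lib", "1.38"),
                        Component("org.example", "json-parser", "2.4.1")],
}

# Constructed sample advisory: versions strictly below fixed_in are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "group": "org.example",
     "name": "crypto-lib", "fixed_in": "1.38"},
]


def version_key(version):
    """Turn a dotted numeric version into a tuple so comparisons are numeric."""
    return tuple(int(part) for part in version.split("."))


def build_sbom(manifests):
    """Map each distinct component@version ("part") to the applications using it ("where")."""
    sbom = {}
    for app, components in manifests.items():
        for comp in components:
            sbom.setdefault(comp, set()).add(app)
    return {comp: sorted(apps) for comp, apps in sbom.items()}


def find_vulnerable(sbom, advisories):
    """Return (advisory id, component, apps) for every part older than its fix."""
    hits = []
    for comp, apps in sbom.items():
        for adv in advisories:
            same_part = (adv["group"], adv["name"]) == (comp.group, comp.name)
            if same_part and version_key(comp.version) < version_key(adv["fixed_in"]):
                hits.append((adv["id"], comp, apps))
    return hits


if __name__ == "__main__":
    for adv_id, comp, apps in find_vulnerable(build_sbom(MANIFESTS), ADVISORIES):
        print(f"{adv_id}: {comp.group}:{comp.name}@{comp.version} used by {apps}")
```

Because the SBOM records where each version is used, the output names the one application still shipping the older version, which is what makes remediation targeted rather than a report dumped on every team.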
Fast Forward
Forrester Report
Thank You!