We also continued to highlight contributions from DevOps Institute Ambassadors throughout the month of September. You can see all of their contributions on our blog as well as our Medium publication, The Humans of DevOps, here.
To kick-off the DevSecOps festivities, several ambassadors hosted a Global DevOps Institute Ambassador CrowdChat. The CrowdChat was a great way to dive into the key components and themes of DevSecOps. See the full Crowdchat below:
On September 17, we hosted the main event – SKILup Day: DevSecOps! The one-day virtual conference centered around the people, process and technology aspects that are currently shaping DevSecOps. SKILup Day featured ‘how-to’ lessons from speakers Matt Stanchek, Janet Matsuda, Pawan Shankar, Saumya Upadhyaya, Gary Shaffer, Virag Mody, Sven Ruppert, Michele Mancioppi, Martyn Coupland, Hima Bindu Vejella, Savinder Puri, Mark Peters, Marudhamaran Gunasekaran, Mohammed Siyam, and James Wickett.
In addition to a full day of sessions, the event offered yoga, a scavenger hunt, networking lounge, exhibit hall, resource library, and even a DevOps inspired mixology class!
Didn’t get a chance to attend September’s SKILup Day dedicated to DevSecOps? We’ve got you covered with a quick round-up of the key themes that emerged from the sessions and conversations around the importance of the topic.
You may ask, why devote a full day of learning to DevSecOps?
As organizations try to stay relevant in today’s market landscape, they are under constant pressure to be quick, innovative and reliable. This means that organizations are facing new vulnerabilities. Security has become a significant issue in today’s digital world. With this in mind, security is an essential part of DevOps at all organizations. Security must be prioritized and embraced for modern business practices. Many organizations are left wondering how they can improve their cybersecurity and embrace DevSecOps practices. Thus, we’ve dedicated an entire day to learning about DevSecOps from a technical, process and cultural point of view.
What is DevSecOps?
Throughout September’s SKILup Day, many of the presenters discussed the meaning and principles of DevSecOps. Shannon Lietz of Intuit discusses this in depth during her presentation titled, “The History of DevSecOps.” Security is building trust and confidence and engineers need security to be integrated into their DevOps pipeline shares Lietz. “Security has to be built into software which means that it is part of the product development lifecycle and that’s a crucial thing to really remember.”
Matt Stanchek of Micro Focus also discusses the foundation and meaning of DevSecOps during his presentation titled, “A JDBC Library and the Day I Felt Like Jack Ryan.” Stanchek points out that the partnership between security and DevOps is crucial. Application development can not and should not be slowed down by manual reviews of security, making DevSecOps increasingly important.
“Working together to apply security right into the DevOps toolchain achieves the desired speed as well as the risk mitigation strategies necessary to protect customers and their data.”
DevSecOps requires empowerment.
Many of the presenters share the same sentiment: the people within an organization are a key factor of DevSecOps. Martyn Coupland of Ensono discusses this during his presentation “DevSecOps with Microsoft Azure.” He shares that empowering people and requiring them to be held accountable keeps everyone thinking about security throughout the entire development lifecycle.
He also shares the core concepts of DevSecOps, which are shift-left security, building confidence in your software supply chain, delivering on a secure platform, and managing access control.
Savinder Puri reiterated this during his session “Security Adds the Glitter to DevSecOps.” Puri says, “Today, security is everyone’s responsibility. Security is a mindset and you’ve got to take care of security in whatever you do in your role in the entire development lifecycle. DevSecOps requires empowered people to embrace security and integrate the principles and practices into everything they do.”
Once you embrace ‘Sec’, it often spreads organically.
“When everyone involved in the SDLC (Systems Development Lifecycle) is sprinkled with security and when you start embedding it into everything you do, then it just spreads organically everywhere,” shares Savinder Puri during his presentation.
Timothy Johnson reiterates this during his presentation, “Don’t Shift Security Left – Shift Security Everywhere!” He shares that when security is an integral part of your systems, it becomes commonplace. “It should just be baked in at an integral level to all of your processes. If you’re doing it right, the ‘Sec’ is silent,” says Johnson.
Tools can help you identify security breaches.
When implementing DevSecOps practices, it’s important to remember that there are tools that can help you identify security breaches. Sven Ruppert dove into the different tools that can be valuable when building out your toolchain. “You don’t need to reinvent the wheel. Use dependencies,” says Ruppert.
Advice for organizations looking to implement DevSecOps practices: Define success.
During a live panel, Shannon Lietz shared three tips for organizations getting started with DevSecOps: know what you have, organize it the way you want to defend it, and measure your success. When organizations embrace DevSecOps practices it leads to the ability to measure your security success and gives you insights into where you can improve.
Gary Shaffer of DLT chimed into the live panel, sharing that bringing all your teams together and defining what success looks like is a good place to start with security. From there you can work together to ensure successful adoption of DevSecOps practices.
Martyn Coupland shared during his presentation, “For me, I think the icing on the cake when it comes to DevSecOps and making better security within our organization is the ability to learn, measure, and forecast.”
When closing out SKILup Day, Jayne Groll was joined by Alan Shimel for a continuous chit chat. During which, Shimel dove into the key components of DevSecOps. “For organizations to be successful in a DevSecOps world, they need to realize that security is synonymous with quality,” says Shimel.
“Remember this is a growing practice,” shares Groll.
For a quick recap of all the sessions, check out the sketches below.
You can also still view the videos and download the slide decks by viewing the DevSecOps SKILup Day on-demand.
There are plenty of events, fresh content, and exciting announcements in the pipeline. We’ve designated October as AIOps and MLOps month! Stay tuned for details about our next Global Ambassador CrowdChat and be sure to join the next Virtual SKILup Day on October 15.