Having manual processes outside of your DevOps automation like breaking a lot of eggs and not ending up with a tasty omelette. Security is no exception, putting teams’ hard work into automation, only to have manual security steps remove any productivity benefits can reduce morale, cause rifts between devs and security teams and lead to a worsening security posture.
But before we set sail towards the happy land of DevSecOps, we need to take a look at what actually needs adding to address the "Sec" in DevSecOps, and how historically those tools have been aimed at a very different group of engineers than your development teams.
The necessary inputs to security tools to prevent a "crap-in, crap-out" situation, to comprehending and actioning the very output produced, may be a world away from the developers day to day, and with "Shift Left" and "DevSecOps" often sounding like "it’s now the developers problem", it seems we need to do a better job of making security tools look like developer tools!
In this session, we’re going to work backwards, from running services in production, to writing infrastructure code in a developers IDE, to see how and where we can provide useful, developer-focused security information to make the "Sec" a helpful, productive addition to a dev’s daily dose of DevOps!