June 20, 2019
All Day DevOps has been an event that I’ve been looking forward to every year since the conference came online 3 years ago. Not only did I speak at the 2018 conference, I had the absolute honor to be a moderator on the DevSecOps track where I had the opportunity to introduce many amazing speakers with riveting talks. The event has come and gone and with the sessions available online, I’ve spent the last few months watching the ones I missed while drinking excessive amounts of Green Tea and Matcha.
As I watched each talk I was looking for future thinkers, disruptive approaches that change traditional security ideals, innovative ways to enhance culture, and techniques that refine the practices of DevOps and DevSecOps. I wanted to see something different - a talk that had the potential to grow from a seed into a thunderstorm. I’m not talking about tools here, rather culture and technique.
Even though my current focus is in DevSecOps, I’ve taken on various roles in my career so it was extremely difficult to comment only on the DevSecOps track. One specific presentation that resonated with me was a talk in the Cultural Transformation Track by Shira Rubinoff.
Although every session throughout the 24 hour event provided fantastic insight, lessons learned, and technology discussion, the following are the standouts that caught my attention which I feel are worth sharing with the community.
You Think Big, You Get Big
Before reading any further, head over to the All Day DevOps and register so you can view all the 2018 sessions on demand. Once registered, check out these stand out presentations.
The Stand Outs
How To Create The Proper Cybersecurity Culture Within Your Business - The Human Factors Approach - Shira Rubinoff
Track - Cultural Transformation
In my opinion, Culture is the number one success factor for true DevOps adoption and success and Shira’s talk provided a perspective on fostering culture I hadn’t heard before. She gave a unique view into the psyche of a team and discussed various generational differences that organizations need to understand in order to be successful in today’s world. When differences are understood then management can target instruction and continuous training programs in a way that resonates with the needs and understanding of employees.
Why did I love this presentation so much?
Empathy.
Shira made empathy feel like a first class citizen in the world of culture. We all need to embrace the individuality of personalities in our workplace and put ourselves in each other’s shoes. DevOps and DevSecOps begins with people defining value and ends with delivering value to our customers. A supportive culture that enables people through targeted and relevant training, and can resonate with the differences we have, benefits the business, and all those who make it successful.
DevSecOps Kata - John Willis
Track - DevSecOps
John Willis. Enough said. I’ve had the privilege to have many a beer (not plural - assumed) with John over the years and think he is one of the most fascinating individuals I’ve ever met. If you haven’t heard of him you may have been sleeping under a rock for the past decade as John is one of the Original Gangsters of DevOps and DevSecOps.
In his talk John shares his thoughts about the importance of security and culture in DevSecOps and tells a story that can be appreciated by both the business owners and developers in any organization. One of my favorite parts of the presentation was when John talked about how not to engage executives. Walking into a C-Level’s office and saying that their software sucks isn’t an effective way to begin a productive conversation about cultural and technology transformation.
Blue By Default: Extract the Value From Security Investment - Aubrey Stern
Track - DevSecOps
Absolutely an amazing talk. I was shocked when Aubrey said that she didn’t work in security - considering we just co-authored a book on DevSecOps with 6 other industry advocates.
Pay careful attention to this presentation as you’ll hear about DevSecOps from a person that epitomizes what it means to be a practitioner. Aubrey discusses Development, Security and Operations in a seamless manner throughout her talk and presents content that is relevant so any team producing software.
Docker Image Provenance with Notary - Defending Against Attacks on Docker Images and Registries - Adam Lewis
Track - DevSecOps
I had the great privilege of introducing Adam Lewis’s presentation on Docker Image Providence with notary. I was looking forward to this presentation because I see notarization of images as one of the key components of a DevSecOps pipeline. I believe that signing images as they pass through security controls provides irrefutable evidence to auditors that every piece of software deployed to the customer has gone through each control it is required to go through.
Adam gave a great overview of the origin of the tooling and technology and the value it provides. I appreciate that Adam went for the live demo approach. I’m not sure if his sacrifice to the demo gods was completely accepted, but watching how easy it was to implement signing and verification of signed images was one of the highlights of the DevSecOps track.
Shameless Plugs
Show me the Dev\$ecOp\$ - Mark Willis
Track - DevSecOps
Huge disclaimer here: Mark is both a great friend, and my manager at our current employer. That being said, this review isn’t meant to promote a salary increase for myself, nor is it being influenced by the fact he’s sitting behind me as I write this paragraph. Mark has fostered a culture on our team that is second to none.
His talk is all about the dollars and cents that can be saved by adopting DevSecOps, but I think he is just trying to justify the budget for the crazy ideas that come out of my head. His session may just validate this statement.
Don’t Fear the Four Horsemen of the DevSecOpalypse - DJ Schleen
Track - DevSecOps
I couldn’t write this without plugging my talk. It was a fun one to do as I love trashing SAST and DAST toolsets. Many of them are based on antiquated architectures, require you to take a second mortgate on your house to pay for, and watching paint dry is way more exciting than waiting for them to finish scanning for vulnerabilities. If you know of a product that can scan source for vulnerabilities in less than 45 seconds per million lines of code let me know. That’s a unicorn.
Interested in what comes after the Four Horsemen are operational in your organization? Time to bring out the Monkeys with Chaos Engineering and Moving Target Defense.
A Wealth of Knowledge
Every presentation during the 24 hour event provided unique insight and valuable knowledge to anyone with either a technical or non-technical background that have interest in adopting DevOps or DevSecOps practices.
I encourage everyone to view the on demand talks that are relevant to the challenges they are facing on a daily basis. You won’t be disappointed.
The Story Never Ends
As I travel around the world and speak a different events I love hearing stories about the successes and epic failures that the DevOps and DevSecOps community deal with in their organizations. The challenges we all face as we expand our technical security knowledge are truly common everywhere. Not only do I hear stories about the cultural and technological transformation occurring in other organizations, I hear about tools and techniques that can be used to expand the effectiveness of DevSecOps programs where I work.
Even though the call for papers for All Day DevOps 2019 is closed I implore you to submit a talk and tell your story next year. Share your knowledge and contribute to the vision of creating safer software sooner.
We all have stories to tell and we all want to hear yours.
About DJ Schleen
DJ is a DevSecOps pioneer, advocate, and Security Architect, and provides thought leadership to organizations adopting DevSecOps practices. DJ specializes in architecting DevSecOps pipelines and automating security controls in DevOps environments.
DJ has worked to streamline development pipelines and practices for many Fortune 100 organizations by focusing on culture, technique, the right technology, and the goals of business owners. He is an international speaker, blogger, instructor and author in the DevSecOps community and encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.