Akira Brand

Camp Counselor

Security is Everybody's Job


Monday, January 16, 2023 - 8:30 PM UTC, for 1 hour.

Regular, 60 minute presentation

Room: Campsite 4

I’m here to argue that DevOps is the best thing to happen to application security since OWASP. And by the end I hope that you will agree that security is truly everybody’s job. Let’s start!

In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”: automating and/or improving efficiency of all security activities, speeding up feedback loops for security-related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

AppSec is a Thing, and it needs to be taken seriously:

  • Current status: causes around 1/4 of incidents (you know, those scary things you read about on the news)
  • Usual ratio for Dev/Ops/AppSec is 100 > 10 > 1
  • Security is not taught thoroughly in schools
  • Waterfall never really worked, and the security model around it, “stop while we do this”, is slow and untenable, and certainly not possible in DevOps (Dinosaurs in a waterfall)

Prerequisites

It's good if you already have some DevOps or development experience, but this talk is quite broad and can inspire beginners as well.

Take Aways

  • Security, DevOps, Security Principles, and a resolve to incorporate security into their everyday work