All You Need to Know about DevOps Connect: DevSecOps at RSAC Singapore

About DevSecOps at RSAC 2017 APJ

In the past two years a new community has begun to rear its head, the DevSecOps Community. In this year's DevOps Connect seminar at RSAC 2017 APJ, we'll be concentrating on how companies are beginning to incorporate security into the DevOps automated pipeline, what that can mean for your business and what the transformation process will look like.

Practitioners working through the DevSecOps journey will present their stories, giving real world examples of what you can expect, the obstacles they've overcome both technologically and culturally and what they anticipate will be the outcome of their initiatives.

Headlining the day’s speakers is John Willis (@batchogalupe), co-author of the DevOps Handbook, who will also be signing and giving out free copies of the handbook which contains case studies on over 40 DevOps transformations. After a full day of presentations, join us for a cocktail reception, DevOps Wine-ing (not Whining), as we co-mingle the DevOps and Security Tribes as part of the dynamic DevSecOps community.

Location

The conference is at the Marina Bay Sands, Singapore

Free Tickets

How to Get Discounted RSA Conference Full Conference Passes and Complimentary Visitor Passes

We have worked out a special arrangement with RSAC APJ so that you and your colleagues can attend the full day of DevSecOps sessions on July 25th for free if you register for an RSAC pass. You can either use registration code 1A7DEVOPSFCD to receive a $100 discount off an RSAC Full Conference pass, or you can choose a complimentary Visitor pass.

A Full Conference pass will allow you to attend all Conference activities including keynote sessions, track sessions and the Expo. A Visitor pass will give you access to the Exhibition for the duration of the Conference, plus keynotes on the Thursday and Friday.

Pick up your badge at the RSAC registration desks, the morning of the 25th and join us in the DevOps Connect: DevSecOps room starting at 9:00am.

Sessions and Speakers

Keynote: Breaking Bad Equilibrium
John Willis
Director of Ecosystem Development, Docker

Session Description
This is a study in what "Bad Equilibrium" looks like in an organization. During the session, John will borrow concepts from the fields of study of financial and economic dislocation (discontinuities), cognitive psychology and game theory. He'll look at cross pollination of ideas from other disciplines to help us understand and recognize systemic organizational issues in what Andrew Shafer calls a "Pareto Inefficient Nash Equilibrium". (Don't worry. I will explain this in the session). Once identified, how do we capitalize on these dislocation gaps to create competitive organizational performance. As a bonus, John will be using some examples from Michael Lewis' Moneyball to show how a famous "Bad Equilibrium" in baseball was used by a small few to change the game forever. 

About John Willis
John Willis has worked in the IT management industry for more than 35 years. Currently he is director of ecosystem development at Docker. Prior to Docker, Willis was the VP of solutions for Socketplane (sold to Docker) and Enstratius (sold to Dell).

Prior to to Socketplane and Enstratius, Willis was the VP of training and services at Opscode, where he formalized the training, evangelism, and professional services functions at the firm. Willis also founded Gulf Breeze Software, an award-winning IBM business partner, which specializes in deploying Tivoli technology for the enterprise.

John has authored six IBM Redbooks on enterprise systems management and was the founder and chief architect at Chain Bridge Systems.

A Tale of Three Horses
Stefan Streichsbier
Application Security Programs, Agile Security, DevSecOps, Red Teaming

Session Description
We all envy the unicorns like Amazon, Netflix, and Google. They have it all figured out and are light years ahead of the rest of the pack.This talk will explore security challenges that organizations encounter as part of their digital transformation journey and show that DevOps is a perfect opportunity to embed security.

The content of this talk is based on actual experience with three organizations in Asia that we have been working with.

About Stefan Streichsbier
Stefan has been focusing on information security since 2003. He is passionate about analyzing complex applications through architecture, design and source code reviews and improving their security posture. At Vantage Point he is working on revolutionary approaches to integrating security into Agile and DevOps with the goal to sustainably eradicate vulnerabilities from applications and empower development teams to continuously and securely deploy changes into production.

Stefan is a co-founder of the local DevSecOps Singapore Meetup group that is enjoying an active and ever growing community. Stefan is also one of the core organizers of DevOpsDays Singapore and DevSecCon Asia.

Teddy Bears and Security Blankets:
Working with Ambiguity
Paul Culmsee
Dialogue Mapper, Cloud Technologist, Decision Making, Wicked/complex problems

Session Description
Teddy bears and fetishes: could they possibly explain why the IT security industry sometimes holds on tightly to manual, antiquated practices? This talk examines the powerful, yet hidden force of ambiguity and how intolerance of it drives self-defeating behaviors in both the security industry and the devops movement…

Organizations are complex entities and it is unreasonable to expect security models, such as those that fit neatly into a policy or predetermined checklist, to work seamlessly in the real world. Indeed, expecting them to work as advertised is akin to coloring a paint-by-numbers Mona Lisa with the expectation of recreating Da Vinci’s masterpiece. Security has not been tamed: reality will still impose itself no matter how alluring the model is.

Ambiguity is a primal force that drives much of our behaviour, and security typically views it negatively - something to be avoided or to be controlled. This session shows you how ambiguity can be harnessed, so that Devops and Security practitioners can work together to put the Sec into DevSecOps.

About Paul Culmsee
Paul Culmsee (@paulculmsee) Paul is a management consultant, business strategist, sensemaker and award winning author with more than 25 years of experience. Based in Perth, Western Australia, he co-founded Seven Sigma Business Solutions (www.sevensigma.com.au) and specialises in sensemaking, helping organisations (re)discover their purpose, knowledge management, strategic planning, IT governance, facilitation and all facets of SharePoint and Office365 delivery.

Paul is one of only four Cognexus Certified Dialogue Mappers in the world. He and his wife have the best two children in the world and live in Perth, Australia.

DevOps: A How To for Agility with Security
Murray Goldschmidt and Michael McKinnon

Session Description
This presentation will cover advanced techniques on security automation across the service delivery lifecycle including static and dynamic code analysis to infrastructure and platform vulnerability management. The model addresses cyber security threats across various attack vectors including hacking, insider threats and denial of service.

About Murray Goldschmidt

Co-founder of Sense of Security, Murray Goldschmidt is an industry recognised expert for achieving security in a DevOps environment (putting the “sec” into DevSecOps), having presented on this topic at several events including the Australian Government’s flagship security conference, ACSC 2017, in Canberra Australia in March 2017. Murray is a CISSP, PCI QSA & IRAP assessor with 17+ years’ experience.

About Michael McKinnon

Michael has been working in the IT industry for over 20 years, with 15 years’ experience in security. Prior to joining Sense of Security, Michael was Global Security Awareness Director at AVG Technologies. Michael's experience developing & securing enterprise web applications has given him valuable early exposure to the challenges of incorporating security automation in DevOps environments.

DevOps After Deployment:
How does Operations and Security Keep Up?
Damon Edwards
DevOps and IT Operations, Rundeck

Listen to enough DevOps conference talks and it all starts to sound like: “deployment, deployment, deployment”. But what happens after deployment? What does DevOps mean for other traditional enterprise operations activities like incident response and problem management? 

In this presentation, Damon will be examining what happens when the “go fast” ethos of DevOps inspired delivery teams meets the “be stable, be secure, be compliant” mandate of traditional enterprise operations organizations. The focus will be on identifying DevOps-inspired principles and practices being leveraged by high-performing enterprises who are currently transforming their operations organizations to be better, faster, and cheaper.

About Damon Edwards
Damon Edwards is a Co-Founder of Rundeck, Inc., the makers of Rundeck, the popular orchestration and scheduling platform. Damon Edwards was previously a Managing Partner at DTO Solutions, a DevOps and IT Operations improvement consultancy. Damon has spent over 15 years working with both the technology and business ends of IT operations and is noted for being a leader in porting cutting-edge DevOps techniques to large enterprise organizations.

Damon is also a frequent conference speaker and writer who focuses on DevOps and operations improvement topics. Damon is active in the international DevOps community, including being a co-host of the DevOps Cafe podcast, an early core organizer of the DevOps Days conference series, and a content chair for Gene Kim’s DevOps Enterprise Summit.

Secure DevOps for Enterprise Cloud Apps:
Insights and Lessons Learned
Manish Prabhu and Sudhindranath Byna

As enterprises transition to cloud and devops, established security processes and techniques are being ignored due to the inevitable tension with new methodologies. How should we do security now? We talk about the approach we successfully adopted at Microsoft IT to left-shift and seamlessly integrate security into devops practices to enable ‘secure devops’ in an end-to-end manner. 

About Sudhindranath Byna
Sudhindranath Byna is a Senior Software Engineer in Security at Microsoft. He has varied working experience ranging from  eCommerce applications, Volume Licensing LOB apps, reporting platforms, designing Azure Applications, Cloud migrations etc.

Currently from last 2 years, he is majorly focused on designing and building various accelerators to drive Secure Azure Adoption at Microsoft. His recent work has been around creating a Secure DevOps toolkit for engineers migrating their applications to cloud.

About Manish Prabhu
Manish owns landing the secure devops strategy for Microsoft's transformation to the cloud. Of his 21 years at MS,Manish has spent 17 in Information Security working on security engineering of dev frameworks, eCommerce servers, embedded systems and line of business solutions and has contributed to Microsoft's Trustworthy Computing and SDL initiatives from the very beginning.

Compliance as Code:
Shifting Compliance Left in Continuous Delivery
Matt Ray
Manager, Solutions Architect - APJ, Chef Software

For too long audits and security reviews have been seen as resistant or even blocking the frequent release of software. Auditors require access to static systems and environments, which would seem to make continuous delivery impossible. Too frequently audits are a fire drill sampling of the current state and temporary fixes are put in place to appease the compliance audit without being integrated into future releases.

What if auditing, compliance, and security could be fully integrated into continuous integration and continuous delivery pipelines? What if we automated our compliance policies so they could be "shifted left" as part of the application and infrastructure lifecycle? This session will discuss real-world examples of how to translate security and compliance requirements into software and make them a proactive part of the software-delivery process. We can decrease risk by defining compliance rules as code and making them a part of the standard continuous delivery workflow.

About Matt Ray
Matt Ray is the Manager and Solutions Architect for Asia Pacific and Japan for Chef. He has worked in large enterprise software companies and startups in a wide variety of industries including banking, retail, and government. He has been active in open source communities for over two decades and has presented at and organized many conferences and meetups. He currently resides in Sydney, Australia after relocating from Austin, Texas.

Matt podcasts at SoftwareDefinedTalk.com, blogs at LeastResistance.net and is @mattray on Twitter, IRC, GitHub and too many Slacks.

Tyro Payments:
Using DevOps to Build Next Generation Banking
Edwin Kwan
Application and Software Security Team Lead,Tyro Payments

As Australia's Newest Bank, we need to innovate and move fast. We use an Agile methodology, build the NextGen Bank on a micro-services architecture and do continuous releases. Doing this securely, without making security a bottle neck, presents a unique challenge.

In this presentation, Edwin Kwan, will talk about Tyro's SSDLC (Secure Software Development Life Cycle) security journey. He will be talking about the security approaches that were taken; sharing what worked well, what didn't work(and why) and what they are trying now.

About Edwin Kwan
Edwin Kwan is Application and Software Security Team Lead at Tyro Payments in Australia. He is a Software Engineer with over 9 years experience developing large scale; real-time; high performance; high reliability software applications for major telecommunication vendors.

Edwin is also experienced in working with stakeholders from small to large organisations to design and develop innovation solutions to help manage and grow their business.

PaaS in the Government with DevSecOps
Fabian Lim
DevSecOps Engineer, GovTech Singapore

Singapore's government is known to be efficient and as its software engineers adopt DevOps as part of the software development methodologies, the pace of software releases and changes are faster than the previous "old-school" waterfall method. In order to keep up to pace with this rapid pace, apply security the DevSecOps way is essential. 

As the government manages different classification of data, there are different considerations and challenges to the architecture. As a DevSecOps engineer, these challenges are not easy to solve but it looks promising that the quality of Singapore government’s software is improving, and security is also a top priority. The talk will discuss some of the common challenges in government context and possible solutions to overcome them.

About Fabian Lim
Bio: http://about.me/fabian.lim
Born and brewed in Singapore; learned software engineering skills in the US. A contributing DevSecOps engineer, and currently working on a PaaS. What excites me most: cybersecurity, red teaming, fitness. And, of course, quality alcohol.
Practitioner of various martial arts, and Krav Maga