Stand Out All Day DevOps Sessions
All Day DevOps has been an event that I’ve been looking forward to every year since the conference came online 3 years ago. Not only did I speak at the 2018 conference, I had the absolute honor to be a moderator on the DevSecOps track where I had the opportunity to introduce many amazing speakers with riveting talks. The event has come and gone and with the sessions now available online, I’ve spent the last few months watching the ones I missed while drinking excessive amounts of Green Tea and Matcha.
As I watched each talk I was looking for future thinkers, disruptive approaches that change traditional security ideals, innovative ways to enhance culture, and techniques that refine the practices of DevOps and DevSecOps. I wanted to see something different - a talk that had the potential to grow from a seed into a thunderstorm. I’m not talking about tools here, rather culture and technique.
Even though my current focus is in DevSecOps, I’ve taken on various roles in my career so it was extremely difficult to comment only on the DevSecOps track of the event. One other presentation that resonated with me was a talk in the Cultural Transformation Track by Shira Rubinoff.
Although every session throughout the 24 hour event provided fantastic insight, lessons learned, and technology discussion, the following are the standouts that caught my attention which I feel are worth sharing with the community.
The Stand Outs
How To Create The Proper Cybersecurity Culture Within Your Business - The Human Factors Approach - Shira Rubinoff
Track - Cultural Transformation
In my opinion, Culture is the number one success factor for true DevOps adoption and success and Shira’s talk provided a perspective on fostering culture I hadn’t heard before. She gave a unique view into the psyche of a team and discussed various generational differences that organizations need to understand in order to be successful in today’s world. When differences are understood then management can target instruction and continuous training programs in a way that resonates with the needs and understanding of employees.
Why did I love this presentation so much?
Shira made empathy feel like a first class citizen in the world of culture. We all need to embrace the individuality of personalities in our workplace and put ourselves in each other’s shoes. DevOps and DevSecOps begin with people defining value and end with delivering value to our customers. A supportive culture that enables people through targeted and relevant training, and can resonate with the differences we have, benefits the business, and all those who make it successful.
This must watch session can be viewed here.
DevSecOps Kata - John Willis
Track - DevSecOps
John Willis. Enough said. I’ve had the privilege to have many a beer (not plural - assumed) with John over the years and think he is one of the most fascinating individuals I’ve ever met. If you haven't heard of him you may have been sleeping under a rock for the past decade as John is one of the Original Gangsters of DevOps and DevSecOps.
In this session John gives a great talk about the importance of security and culture in DevSecOps and paints a story that can be appreciated by both the business and developers in any organization. One of my favorite parts of the presentation was when John talked about how not to engage executives. Walking into a C-Level’s office and saying that their software sucks isn't an effective way to begin a productive conversation about cultural and technological transformation.
Check John’s session out here.
Blue By Default: Extract the Value From Security Investment - Aubrey Stern
Track - DevSecOps
Absolutely an amazing talk. I was shocked when Aubrey said that she didn’t work in security - considering we just finished a book on DevSecOps which we co-authored with 6 other speakers.
Pay careful attention to this presentation as you’ll hear about DevSecOps from a person that epitomizes what it means to be a practitioner. Aubrey discusses Development, Security and Operations in a seamless manner throughout her talk and presents content that is relevant to any technical team producing software.
Aubrey rocks the mic here.
Docker Image Provenance with Notary - Defending Against Attacks on Docker Images and Registries - Adam Lewis
Track - DevSecOps
I had the great privilege of introducing Adam Lewis's presentation on Docker image provenance with Notary. I was looking forward to this presentation because I see notarization of images as one of the key components of a DevSecOps pipeline. I believe that signing images as they pass through security controls provides irrefutable evidence to auditors that every piece of software deployed to the customer has gone through each control it is required to go through.
Adam gave a great overview of the origin of the tooling and technology and the value it provides. I loved that Adam went for the live demo approach. I’m not sure if his sacrifice to the demo gods was completely accepted, but watching how easy it was to implement signing and verification of signed images was one of the highlights of the DevSecOps track.
Check Adam’s session out here.
Show me the Dev$ecOp$ - Mark Willis
Track - DevSecOps
Huge disclaimer here: Mark is both a great friend, and my manager at our current employer. That being said, this review isn’t meant to promote a salary increase for myself, nor is it being influenced by the fact he’s sitting behind me as I write this paragraph. Mark has fostered a culture on our team that is second to none.
His talk is all about the dollars and cents that can be saved by adopting DevSecOps, but I think he is just trying to justify the budget for the crazy ideas that come out of my head. His session may validate this statement.
Mark’s talk can be seen here.
Don’t Fear the Four Horsemen of the DevSecOpalypse - DJ Schleen
Track - DevSecOps
I couldn’t write this without plugging my talk. It was a fun one to do as I love trashing SAST and DAST toolsets.
Find out about the fifth horseman here.
A Wealth of Knowledge
Every presentation during the 24 hour event provided unique insight and valuable knowledge to anyone with either a technical or non-technical background who has an interest in adopting DevOps or DevSecOps practices.
I encourage everyone to view the On Demand talks that are relevant to the challenges they are facing on a daily basis. You won’t be disappointed.
The Story Never Ends
As I travel around the world and speak at different events I love hearing stories about the successes and epic failures that the DevOps and DevSecOps community deal with in their organizations. The challenges we all face as we expand our technical security knowledge are truly common everywhere. Not only do I hear stories about the cultural and technological transformation occurring in other organizations, I hear about tools and techniques that I can use to expand the effectiveness of DevSecOps programs where I work.
In conclusion, now that the registration for All Day DevOps 2019 is open, I implore you to join the community and tell your story. Share your knowledge and contribute to the vision of creating safer software sooner.
We all have stories to tell and we all want to hear yours.