Different ways to find common ground, and wins, between security and developers. The superficial tension between security and agile DevOps can be stripped away by getting back to DevOps' roots: security baked into the tooling, at speed.
1. The Hammer, the Carrot & the Olive Branch
Ways security makes wins... and friends with devs
Juliet Sai, Head of InfoSec @ Roblox
DevOps East: DevSecOps Summit
Orlando, Nov. 8, 2019
2. Agile + DevOps: An Easy Alliance
silo-busting for, well, agility
metrics that speak across domains
technology as pervasive enabler
3. Agile + DevSecOps? Uneasy Aligning
speed?
new vocab (or jargon)?
technophiles or technophobes?
4. Are We Friends Yet?
Yet... something in common: give up control of something for influence over everything
5. Let Me Count the Ways I: The Carrot(s)
6. Let Me Count the Ways II: The Hammer
7. Let Me Count the Ways III: The Olive Branch
STARTER SOLUTION
partners articulate needs in their own words: dev, ops, product, compliance, marketing, etc.
all parties part of the resolution
??
open-ended questions
??
good faith rewarded
8. The How Matters: Relationship over Task
9. The Why Matters: From Extrinsic to Intrinsic Rewards
10. DevSecOps Is DevOps' Essential Evolution
11. References & Image Credits
REFERENCES
1. https://www.infosecurity-magazine.com/news/isc2congress-role-play-brings/
IMAGE CREDITS
slide 4: https://www.pinterest.com/pin/18084835974424623/, courtesy Pinterest Terms of Use
slide 5: bonus - https://www.123rf.com/photo_53668719_stock-vector-cartoon-business-team-with-bonus-money-bag.html
slide 5: certs - http://www.radicalcompliance.com/2018/06/07/compliance-certifications-decoder/
slide 5: handshake - https://www.reddit.com/r/exmormon/comments/8h79dm/masons_got_a_few_extra_secret_handshakes_us/
slide 6: going public - https://www.greenbiz.com/article/esg-performance-also-matters-pre-ipo-companies
slide 6: gavel - https://www.cannalawblog.com/cannabis-administrative-law-101/
slide 6: zuckerberg - https://www.youtube.com/watch?v=mZaec_mlq9M
slide 7: dove olive - https://www.sciencephoto.com/media/383041/view/white-dove-carrying-olive-branch
slide 8: climber - https://www.bolstglobal.com/3-cultural-top-tips-for-doing-business-in-the-middle-east/
slide 9: keep calm - https://keepcalms.com/p/keep-calm-and-do-quality-work/
slide 10: foundation - https://jugmountainranch.com/building-a-strong-foundation/
Editor's Notes
Reference 1
3 case studies (*t)
Security (or DevSecOps) is not a compulsory chore or merely a checklist (as valuable as checklists are).
Not just about the tenets of Security, Dev and Ops and aligning functional silos; it also betters the organization's product quality, efficiency, and quality of life.
Doing things right earlier and up-front is cheaper, more accurate, and far more enjoyable.
Forcing function back to value streams: it can't be two (or three) for one, whether tools, deployment, prototyping, or giving keys to devs.
More than above-and-beyond DevOps, it forces DevOps back to its true nature.