Slides

A Practitioner's Tale: Uniting Dev, Sec, and Ops Tribes
Curtis Yanko
Sr. Principal Architect
A Bit About Me
• Started programming in the 1970’s
• I’ve seen the rise of and used…
• ...OOP, 4th Gen languages, UML, XP, Agile, ERP, SOA, CI, CD...
• Started programming professionally in the 1990’s
• ...like a lot of junior programmers I got stuck with the build/SCM
• Did Enterprise CI at a Fortune 25 company
• Did CI/CD at a Fortune 100 company
• Launched a DevOps Center of ‘Enablement’
For Fun
• Night Hikes
• Board game night
• Ultimate Frisbee
• Volunteer for ECAD to help raise and train service dogs
• @onCommit
• DevOps in the Enterprise on Flipboard
Agenda
• Why we should care
• Practitioner's Tale
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Seriously?
Count of exploited CVEs in 2014 by year published
Why Sec hates Dev
Security can’t keep up with the pace of modern development practices and the complexities of component dependencies.
Why Dev hates Sec
Developers don’t like security slowing them down by dumping scan reports on them weeks or months after the fact.
Forrester Report
How not to make friends
Empathy
Software Factory & Component Based Development
Public Repos
A picture
[Pipeline diagram: CI (Source Code, Build, Binary Repo) feeding CD (Dev, QA, Deploy, UAT, Prod)]
Shift Left
• < MTTD
• < MTTR
IDE: Eclipse and RAD plugins allow component meta-data to flow left into the construct phase. The developer sees a prioritized list of policy violations.
[Pipeline diagram: Source Code, Build, Nexus RM; Dev, QA, Deploy, UAT, Prod]
Say Hello to Your Software Supply Chain…
Automate your software supply chain with three proven principles:
• Use better & fewer suppliers
• Use higher quality parts
• Track what you use and where
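The "Shift Left" slide and the three supply-chain principles above describe the same mechanism from two angles: keep an inventory of which component ships in which application, check it against policy, and hand the developer a prioritized list of violations. The script below is an added example written for this page, not code from the talk or from any product it mentions. Every name in it is constructed: the three applications, the component versions, the supplier allow-list and the `PLACEHOLDER-000x` issue ids (which stand in for the CVE ids a real vulnerability feed would carry). It shows a where-used index ("track what you use and where"), a supplier allow-list check ("better & fewer suppliers"), and a known-vulnerable-version check ("higher quality parts"), with the results ordered so the developer sees the most urgent violation first.

```python
"""Added example, not from the slides: a minimal component-policy check of the
kind the "Shift Left" and "software supply chain" slides describe.
All data is constructed for illustration; issue ids are placeholders, not CVEs."""
from collections import defaultdict
from dataclasses import dataclass

# Higher rank = more urgent; used to order the developer-facing list.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str


# Constructed inventory: application -> components it ships.
INVENTORY = {
    "billing-api": [
        Component("commons-collections", "3.2.1", "apache"),
        Component("jackson-databind", "2.9.8", "fasterxml"),
    ],
    "customer-portal": [
        Component("commons-collections", "3.2.1", "apache"),
        Component("log-utils", "1.0.0", "example-vendor"),
    ],
    "reporting": [
        Component("jackson-databind", "2.12.6", "fasterxml"),
    ],
}

# Constructed policy feed: component name -> (affected version, severity, id).
# Placeholder ids keep the example offline; a real feed would carry CVE ids.
KNOWN_ISSUES = {
    "commons-collections": [("3.2.1", "critical", "PLACEHOLDER-0001")],
    "jackson-databind": [("2.9.8", "high", "PLACEHOLDER-0002")],
}

# Constructed supplier allow-list ("use better & fewer suppliers").
APPROVED_SUPPLIERS = {"apache", "fasterxml"}


def where_used(inventory):
    """Invert the inventory so each (name, version) lists the applications
    that ship it: the 'track what you use and where' principle."""
    index = defaultdict(set)
    for app, components in inventory.items():
        for c in components:
            index[(c.name, c.version)].add(app)
    return {key: sorted(apps) for key, apps in index.items()}


def evaluate_policy(inventory, issues, approved_suppliers):
    """Return policy violations, most urgent first: by severity, then by how
    many applications are affected, then by component name for stable output."""
    usage = where_used(inventory)
    suppliers = {(c.name, c.version): c.supplier
                 for comps in inventory.values() for c in comps}
    violations = []
    for (name, version), apps in usage.items():
        # "Use higher quality parts": flag versions the feed marks as affected.
        for bad_version, severity, issue_id in issues.get(name, []):
            if bad_version == version:
                violations.append({"rule": "known-vulnerable", "severity": severity,
                                   "detail": issue_id,
                                   "component": f"{name}:{version}", "apps": apps})
        # "Use better & fewer suppliers": flag components from unapproved sources.
        supplier = suppliers[(name, version)]
        if supplier not in approved_suppliers:
            violations.append({"rule": "unapproved-supplier", "severity": "medium",
                               "detail": supplier,
                               "component": f"{name}:{version}", "apps": apps})
    violations.sort(key=lambda v: (-SEVERITY_RANK[v["severity"]],
                                   -len(v["apps"]), v["component"]))
    return violations


if __name__ == "__main__":
    # The prioritized list a developer would see in the IDE or build log.
    for v in evaluate_policy(INVENTORY, KNOWN_ISSUES, APPROVED_SUPPLIERS):
        print(f"[{v['severity']:8}] {v['rule']:<20} {v['component']:<28} "
              f"{v['detail']}  used by: {', '.join(v['apps'])}")
```

Running it lists the critical `commons-collections:3.2.1` finding first because it is both the highest severity and present in two applications; the where-used index is what turns a single feed entry into "fix these two apps" rather than a scan report dumped on each team separately weeks later.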
Homework