The Divine and Felonious Nature of Cyber Security – Introduction to DevSecOps
When one of the most celebrated authors in DevOps, John Willis, took the stage, the audience expected nothing but brilliance, and he delivered just that. With more than 35 years of IT experience under his belt, he is the Vice-President of DevOps and Digital Practices at SJ Technologies. He has multiple feathers in his embellished cap, from being the Director of Ecosystem Development at Docker to helping multiple early startups find their way in this competitive world.
He started the DevOps Summit by explaining the importance of introducing security early in the life cycle of application development, commonly called DevSecOps. Eleven years ago, he was one of the first private-cloud evangelists, and the milestones have kept coming since.
Through his presentation, he explains how vulnerable data is today and how cyber security is still not being taken seriously. Embellished with examples, numbers, and a lot of data, John successfully explains that DevSecOps can make or break businesses.
In this video John talks about:
- Data and statistics related to Cyber Security
- Explaining the Andon Cord
- DevOps Automated Deployment Pipeline
- DevSecOps as a Supply Chain
- Security in the software supply chain
- Best practices for DevSecOps
- Knowing adversaries and motivations
Data and statistics
Between 8 and 10% of the billions of Java modules downloaded every year are vulnerable. John walks through examples and statistics of vulnerabilities and exploits that led to the downfall of various organizations. He digs deep into the CVEs that were created and the timelines from discovery, through action, to remediation.
Explaining the Andon Cord
What is the Andon Cord? What was its significance in Toyota's success over General Motors? John wonderfully explains it with a few real incidents.
DevOps Automated Deployment Pipeline
To explain the Andon Cord further, John goes on to describe the DevOps Automated Deployment Pipeline, in which the process runs until a red flag is raised. At that point, deployment stops for rectification: you go back, fix the problem, and then resume the process.
DevSecOps as a Supply Chain
It is important to ensure that developers have all the tools, resources, and security education required to deliver software that is fast, resilient, and safe. This is DevSecOps. Security becomes part of the supply chain and secures it with an extra layer of protection.
John also explains how security does not slow down the process but actually makes it smoother and, thereby, faster.
Security in the Software Supply Chain
Using DevOps and DevSecOps as side-by-side examples, John helps us understand the difference and the importance of security in the software supply chain. He provides a new and improved "Goldilocks Zone" governed by DevSecOps.
Best Practices for DevSecOps
Towards the conclusion, John throws light on the best practices of DevSecOps, which include tracking security issues, training development teams to write secure code, automating security tests in the build process, and injecting failure to ensure security is hardened.
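As an added illustration of two points above, the Andon Cord stop in the deployment pipeline and the practice of automating security tests in the build, here is a small dependency-vulnerability gate wired into a toy pipeline. This is example code written for this summary, not code from John's talk; the advisory entries, Maven coordinates, version ranges and CVE-style identifiers are constructed placeholders.

```python
"""Andon-cord style gate for a deployment pipeline: stop the line as soon as
a vulnerable dependency is found, before test and deploy run.
Advisory data and dependency lists below are constructed, not a real feed."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    # Turn "2.14.1" into (2, 14, 1) so versions compare numerically, not as text.
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    ident: str       # placeholder identifier, not a real CVE number


# Constructed advisory list with placeholder identifiers.
ADVISORIES = [
    Advisory("org.example", "logger", "2.0.0", "2.15.0", "CVE-PLACEHOLDER-1"),
    Advisory("org.example", "xmlparse", "1.0.0", "1.4.2", "CVE-PLACEHOLDER-2"),
]


def is_affected(coord: str, adv: Advisory) -> bool:
    """True when a 'group:artifact:version' coordinate falls in the advisory's range."""
    group, artifact, version = coord.split(":")
    if (group, artifact) != (adv.group, adv.artifact):
        return False
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan_dependencies(deps):
    """Return (coordinate, advisory id) findings for the dependency set."""
    return [(d, a.ident) for d in deps for a in ADVISORIES if is_affected(d, a)]


def run_pipeline(deps, stages=("build", "dependency-scan", "test", "deploy")):
    """Walk the stages in order; pull the cord at the first red flag.
    Returns (completed_stages, findings); findings non-empty means the line stopped."""
    completed = []
    for stage in stages:
        if stage == "dependency-scan":
            findings = scan_dependencies(deps)
            if findings:
                return completed, findings  # stop: fix the dependency, then rerun
        completed.append(stage)
    return completed, []
```

Rerunning the pipeline after bumping the flagged dependency past its fixed version lets all four stages complete, which is the "fix the problem, then resume" loop described above.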
Knowing Adversaries and Motivators
John concludes the highly informative presentation with the economic motivations of adversaries. Shedding light on the number of adversaries identified and stopped can definitely serve as a motivator.
This was indeed a robust and energetic way of starting off the DevOps Summit. John Willis’ insights are truly helpful and valuable.