Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Balancing Developer Productivity & Security

Rosemary Wang
June 15, 2021
Programming
0
150

Balancing Developer Productivity & Security

You’re ready to deliver your code and system to production when you receive a notification – you forgot to include a security requirement. In this talk, I’ll cover ways you can express and automate your policy as code to maintain developer productivity. By using policy as code, you can communicate security expectations across your organization as part of the development process instead of after delivery.

Rosemary Wang

June 15, 2021
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
13
People, process, and technology for ILM and SLM adoption
joatmon08
0
4
Secure Day 2 operations with Boundary and Vault
joatmon08
0
24
Can You Test Your Infrastructure as Code?
joatmon08
1
62
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
31
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
37
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
43
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
41
Building a Developer Platform? Ask these questions.
joatmon08
0
39

Other Decks in Programming

See All in Programming
2024年のkintone API振り返りと2025年 / kintone API look back in 2024
tasshi
0
150
いりゃあせ、PHPカンファレンス名古屋2025 / Welcome to PHP Conference Nagoya 2025
ttskch
1
220
DevinとCursorから学ぶAIエージェントメモリーの設計とMoatの考え方
itarutomy
1
400
アクターシステムに頼らずEvent Sourcingする方法について
j5ik2o
6
720
Linux && Docker 研修/Linux && Docker training
forrep
4
550
Azure AI Foundryのご紹介
qt_luigi
1
230
.NETでOBS Studio操作してみたけど…… / Operating OBS Studio by .NET
skasweb
0
130
ChatGPT とつくる PHP で OS 実装
memory1994
PRO
3
190
React 19でお手軽にCSS-in-JSを自作する
yukukotani
5
580
サーバーゆる勉強会 DBMS の仕組み編
kj455
1
320
Amazon Bedrock Multi Agentsを試してきた
tm2
1
120
ErdMap: Thinking about a map for Rails applications
makicamel
1
820

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
52k
Scaling GitHub
holman
459
140k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Pragmatic Product Professional
lauravandoore
32
6.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.4k
Mobile First: as difficult as doing things right
swwweet
222
9k
Designing for humans not robots
tammielis
250
25k
Practical Orchestrator
shlominoach
186
10k
How to Think Like a Performance Engineer
csswizardry
22
1.3k
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
GitHub's CSS Performance
jonrohan
1030
460k
How to train your dragon (web standard)
notwaldorf
89
5.8k

Transcript

  1. Balancing Developer Productivity & Security live@manning conferences | June 15,

    2021 1

  2. How fast can we deliver software to production? 2

  3. 3 Security Checklist ❏ No open network or ports? ❏

    Certificates for SSL? ❏ Remove development access to production data? ❏ Any vulnerabilities on the machines? ❏ No root access? ❏ ...and more.

  4. 6 weeks later… still not in production. 4

  5. How do you balance delivery with security? 5

  6. Rosemary Wang Developer Advocate at HashiCorp Author of Essential Infrastructure

    as Code @joatmon08 joatmon08.github.io 6

  7. 7 known unknowns known knowns unknown knowns unknown unknowns monitoring

    testing security / policy observability

  8. Teach the “unknown knowns”. 8

  9. Policy as Code 9

  10. Policy as Code The management of an organization’s policies with

    code to ensure the conformance of changes. 10 Push the change to production. Check if an environment conforms to our organization’s policies. Check if a change conforms to our organization’s policies.

  11. Also Known As (AKA) • Shift-left security testing ◦ Test

    configuration before production • Fitness functions for architectural conformance ◦ Evolutionary architecture • Static & dynamic analysis for security ◦ Configure the rules using infrastructure as code approach ◦ Continuous verification or remediation counts! 11

  12. Let’s try it! 12

  13. 13 Make a change. Check if network policy configuration conforms

    to our organization’s policies. Check if rule conforms to our organization’s policies. Change: Update a network policy rule to allow all traffic to all ports from 172.16.0.0/16. Policy: No network policy should allow traffic to all ports.

  14. 14 Policy as Code State of System Parse for fields

    JSON or metadata format Check field values Pass or fail

  15. Summary 15

  16. Drive secure developer productivity. 16

  17. Helpful Practices • Version control • Descriptive policy • Identify

    mandatory versus advisory • Manage policies as libraries • Make compliance and security accessible 17

  18. References • github.com/joatmon08/policy-as-code • youtu.be/mw-mEnLxNj4 • manning.com/books/essential-infrastructure-as-code Find these slides

    at joatmon08.github.io. 18