
Balancing Developer Productivity & Security


You’re ready to deliver your code and system to production when you receive a notification – you forgot to include a security requirement. In this talk, I’ll cover ways you can express and automate your policy as code to maintain developer productivity. By using policy as code, you can communicate security expectations across your organization as part of the development process instead of after delivery.

Rosemary Wang

June 15, 2021


Transcript

  1. Security Checklist
     ❏ No open network or ports?
     ❏ Certificates for SSL?
     ❏ Remove development access to production data?
     ❏ Any vulnerabilities on the machines?
     ❏ No root access?
     ❏ ...and more.
  2. Policy as Code: the management of an organization's policies with code to ensure the conformance of changes.
     Check if a change conforms to our organization's policies → Check if an environment conforms to our organization's policies → Push the change to production.
  3. Also Known As (AKA)
     • Shift-left security testing
       ◦ Test configuration before production
     • Fitness functions for architectural conformance
       ◦ Evolutionary architecture
     • Static & dynamic analysis for security
       ◦ Configure the rules using an infrastructure as code approach
       ◦ Continuous verification or remediation counts!
  4. Make a change → Check if the rule conforms to our organization's policies → Check if the network policy configuration conforms to our organization's policies.
     Change: Update a network policy rule to allow all traffic to all ports from 172.16.0.0/16.
     Policy: No network policy should allow traffic to all ports.
  5. Policy as Code: State of system → Parse for fields (JSON or metadata format) → Check field values → Pass or fail.
  6. Helpful Practices
     • Version control
     • Descriptive policy
     • Identify mandatory versus advisory
     • Manage policies as libraries
     • Make compliance and security accessible
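The pipeline from slides 4 and 5 (parse the planned change as JSON, check field values, return pass or fail) together with the mandatory-versus-advisory distinction from slide 6, as an added example that is not code from the talk or from any policy engine. The JSON shape of the planned change, the `PLANNED_CHANGE` sample, and the policy names are assumptions made for this illustration; a real engine (Sentinel, OPA, Conftest) would read a Terraform plan, Kubernetes manifest or cloud API response instead, but the structure of the check is the same.

```python
"""Policy-as-code check over a planned network policy change (added example)."""
import json

# Constructed sample input: a planned change in a simple JSON shape assumed for
# this example. The second rule is the slide-4 change: all traffic, all ports,
# from 172.16.0.0/16. Not a real Terraform, Kubernetes or cloud-provider format.
PLANNED_CHANGE = json.dumps({
    "resource": "network_policy.app",
    "action": "update",
    "rules": [
        {"direction": "ingress", "protocol": "tcp", "from_port": 443,
         "to_port": 443, "source": "10.0.0.0/8", "description": "HTTPS from VPC"},
        {"direction": "ingress", "protocol": "-1", "from_port": 0,
         "to_port": 65535, "source": "172.16.0.0/16"},
    ],
})

MANDATORY = "mandatory"   # a finding blocks the change
ADVISORY = "advisory"     # a finding is reported but does not block


def allows_all_ports(rule):
    """True if the rule opens every port: protocol 'all' (-1/any) or a 0-65535 range."""
    if str(rule.get("protocol", "")).lower() in ("-1", "all", "any"):
        return True
    return rule.get("from_port", 0) <= 0 and rule.get("to_port", 0) >= 65535


def policy_no_all_ports(change):
    """Mandatory (slide 4): no network policy rule may allow traffic to all ports."""
    return [f"rule {i} ({r.get('source')}) allows all ports"
            for i, r in enumerate(change["rules"]) if allows_all_ports(r)]


def policy_rules_described(change):
    """Advisory (slide 6, 'descriptive policy'): every rule should carry a description."""
    return [f"rule {i} has no description"
            for i, r in enumerate(change["rules"]) if not r.get("description")]


# Policy library (slide 6, 'manage policies as libraries'): name, level, check.
POLICIES = [
    ("no-all-ports", MANDATORY, policy_no_all_ports),
    ("rules-described", ADVISORY, policy_rules_described),
]


def evaluate(change_json, policies=POLICIES):
    """Parse the change, run every policy over its fields, decide pass or fail.

    Returns (passed, findings); findings is a list of (policy, level, message).
    Only mandatory findings fail the change; advisory findings are informational.
    """
    change = json.loads(change_json)
    findings = [(name, level, msg)
                for name, level, check in policies
                for msg in check(change)]
    passed = not any(level == MANDATORY for _, level, _ in findings)
    return passed, findings


if __name__ == "__main__":
    ok, findings = evaluate(PLANNED_CHANGE)
    for name, level, msg in findings:
        print(f"[{level}] {name}: {msg}")
    print("PASS" if ok else "FAIL")
```

Run against the sample, the change fails on the mandatory `no-all-ports` policy because of the 172.16.0.0/16 rule and additionally reports the advisory missing-description finding; a change that only trips advisory policies still passes, which is what lets teams roll a new rule out as advisory first and promote it to mandatory once the existing estate conforms.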