Balancing Developer Productivity & Security

You’re ready to deliver your code and system to production when you receive a notification – you forgot to include a security requirement. In this talk, I’ll cover ways you can express and automate your policy as code to maintain developer productivity. By using policy as code, you can communicate security expectations across your organization as part of the development process instead of after delivery.


Rosemary Wang

June 15, 2021

  1. Balancing Developer Productivity & Security (live@manning conferences, June 15, 2021)
  2. How fast can we deliver software to production?
  3. Security Checklist
     ❏ No open network or ports?
     ❏ Certificates for SSL?
     ❏ Remove development access to production data?
     ❏ Any vulnerabilities on the machines?
     ❏ No root access?
     ❏ ...and more.
  4. 6 weeks later… still not in production.
  5. How do you balance delivery with security?
  6. Rosemary Wang, Developer Advocate at HashiCorp, author of Essential Infrastructure as Code. @joatmon08, joatmon08.github.io
  7. What we know about a system, and the practice that addresses each quadrant:
     • known knowns: testing
     • known unknowns: monitoring
     • unknown knowns: security / policy
     • unknown unknowns: observability
  8. Teach the “unknown knowns”.
  9. Policy as Code
  10. Policy as Code: the management of an organization’s policies with code to ensure the conformance of changes.
      • Push the change to production.
      • Check if an environment conforms to our organization’s policies.
      • Check if a change conforms to our organization’s policies.
  11. Also Known As (AKA)
      • Shift-left security testing
        ◦ Test configuration before production
      • Fitness functions for architectural conformance
        ◦ Evolutionary architecture
      • Static & dynamic analysis for security
        ◦ Configure the rules using an infrastructure as code approach
        ◦ Continuous verification or remediation counts!
  12. Let’s try it!
  13. Make a change.
      • Check if the network policy configuration conforms to our organization’s policies.
      • Check if the rule conforms to our organization’s policies.
      Change: Update a network policy rule to allow all traffic to all ports from …
      Policy: No network policy should allow traffic to all ports.
  14. Policy as Code pipeline: State of system → Parse for fields (JSON or metadata format) → Check field values → Pass or fail
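The pipeline on this slide, applied to the change and policy from the previous one, as an added worked example (not code from the talk or from the referenced repository). It assumes the state of the system is a JSON list of Kubernetes NetworkPolicy objects (an assumption; the slide does not name a format), parses the relevant fields, checks their values against the policy "no network policy should allow traffic to all ports", and returns pass or fail. That check is treated as mandatory; a second, constructed advisory check (an ingress rule with no `from` accepts any source) is included to show the mandatory-versus-advisory distinction from the practices slide.

```python
"""Policy-as-code check: state of system -> parse fields -> check values -> pass/fail.
Assumption: the state is a JSON list of Kubernetes NetworkPolicy objects."""
from __future__ import annotations

import json
from dataclasses import dataclass

MANDATORY = "mandatory"   # a violation fails the check
ADVISORY = "advisory"     # a violation is reported but does not fail the check


@dataclass
class Violation:
    policy_name: str
    rule: str    # e.g. "ingress[0]"
    level: str   # MANDATORY or ADVISORY
    reason: str


def rule_allows_all_ports(rule: dict) -> bool:
    """In a NetworkPolicy, a rule whose 'ports' list is absent or empty matches
    every port; a single entry spanning 1-65535 is equivalent to that."""
    ports = rule.get("ports") or []
    if not ports:
        return True
    return any(p.get("port") == 1 and p.get("endPort") == 65535 for p in ports)


def rule_allows_all_sources(rule: dict) -> bool:
    """An ingress rule with no 'from' list accepts traffic from every source."""
    return not rule.get("from")


def check_policy(policy: dict) -> list[Violation]:
    """Parse the fields of one policy object and check their values."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec", {})
    found: list[Violation] = []
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction) or []):
            where = f"{direction}[{i}]"
            if rule_allows_all_ports(rule):
                found.append(Violation(name, where, MANDATORY,
                                       "rule allows traffic to all ports"))
            if direction == "ingress" and rule_allows_all_sources(rule):
                found.append(Violation(name, where, ADVISORY,
                                       "ingress rule accepts traffic from any source"))
    return found


def evaluate_policies(policies: list[dict]) -> tuple[bool, list[Violation]]:
    """Pass only when no mandatory violation exists; advisory ones are just reported."""
    violations = [v for p in policies for v in check_policy(p)]
    passed = not any(v.level == MANDATORY for v in violations)
    return passed, violations


def evaluate(state_json: str) -> tuple[bool, list[Violation]]:
    """The full pipeline: JSON state in, pass/fail and findings out."""
    return evaluate_policies(json.loads(state_json))


# Constructed sample state (not real cluster output): one compliant policy,
# the slide-13 change that opens all ports, a full-range egress rule, and an
# ingress rule that only trips the advisory check.
SAMPLE_STATE = json.dumps([
    {"kind": "NetworkPolicy", "metadata": {"name": "web-allow-https"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                           "ports": [{"protocol": "TCP", "port": 443}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "debug-allow-all"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"from": [{"podSelector": {}}]}]}},          # ports omitted
    {"kind": "NetworkPolicy", "metadata": {"name": "batch-egress"},
     "spec": {"podSelector": {"matchLabels": {"app": "batch"}},
              "egress": [{"ports": [{"protocol": "TCP", "port": 1, "endPort": 65535}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "metrics-scrape"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"ports": [{"protocol": "TCP", "port": 9090}]}]}},  # no 'from'
])


if __name__ == "__main__":
    ok, findings = evaluate(SAMPLE_STATE)
    for v in findings:
        print(f"[{v.level}] {v.policy_name} {v.rule}: {v.reason}")
    print("PASS" if ok else "FAIL")
```

Run against the constructed state, the check fails: `debug-allow-all` and `batch-egress` each carry a mandatory finding, while `metrics-scrape` only produces an advisory one. Omitting `ports` is the edge case worth remembering: the "allow all ports" change never has to spell out a port range, so a check that only looks for explicit ranges would miss it.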
  15. Summary
  16. Drive secure developer productivity.
  17. Helpful Practices
      • Version control
      • Descriptive policy
      • Identify mandatory versus advisory
      • Manage policies as libraries
      • Make compliance and security accessible
  18. References
      • github.com/joatmon08/policy-as-code
      • youtu.be/mw-mEnLxNj4
      • manning.com/books/essential-infrastructure-as-code
      Find these slides at joatmon08.github.io.