Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Balancing Developer Productivity & Security

Rosemary Wang
June 15, 2021
Programming
0
150

Balancing Developer Productivity & Security

You’re ready to deliver your code and system to production when you receive a notification – you forgot to include a security requirement. In this talk, I’ll cover ways you can express and automate your policy as code to maintain developer productivity. By using policy as code, you can communicate security expectations across your organization as part of the development process instead of after delivery.

Rosemary Wang

June 15, 2021
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
13
People, process, and technology for ILM and SLM adoption
joatmon08
0
4
Secure Day 2 operations with Boundary and Vault
joatmon08
0
23
Can You Test Your Infrastructure as Code?
joatmon08
1
61
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
30
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
36
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
41
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
41
Building a Developer Platform? Ask these questions.
joatmon08
0
38

Other Decks in Programming

See All in Programming
「とりあえず動く」コードはよい、「読みやすい」コードはもっとよい / Code that 'just works' is good, but code that is 'readable' is even better.
mkmk884
6
1.3k
Findy Team+ Awardを受賞したかった!ベストプラクティス応募内容をふりかえり、開発生産性向上もふりかえる / Findy Team Plus Award BestPractice and DPE Retrospective 2024
honyanya
0
130
Запуск 1С:УХ в крупном энтерпрайзе: мечта и реальность ПМа
lamodatech
0
910
Beyond ORM
77web
11
1.5k
KubeCon + CloudNativeCon NA 2024 Overview at Kubernetes Meetup Tokyo #68 / amsy810_k8sjp68
masayaaoyama
0
300
fs2-io を試してたらバグを見つけて直した話
chencmd
0
290
React 19でお手軽にCSS-in-JSを自作する
yukukotani
5
550
快速入門可觀測性
blueswen
0
490
Go の GC の不得意な 部分を克服したい
taiyow
3
1k
menu基盤チームによるGoogle Cloudの活用事例~Application Integration, Cloud Tasks編~
yoshifumi_ishikura
0
140
Stackless и stackful? Корутины и асинхронность в Go
lamodatech
0
1.3k
DevFest - Serverless 101 with Google Cloud Functions
tunmise
0
130

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
230
52k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
27
1.5k
How GitHub (no longer) Works
holman
312
140k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Adopting Sorbet at Scale
ufuk
74
9.1k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
Music & Morning Musume
bryan
46
6.3k
Building Better People: How to give real-time feedback that sticks.
wjessup
366
19k
Raft: Consensus for Rubyists
vanstee
137
6.7k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
44
9.4k

Transcript

  1. Balancing Developer Productivity & Security live@manning conferences | June 15,

    2021 1

  2. How fast can we deliver software to production? 2

  3. 3 Security Checklist ❏ No open network or ports? ❏

    Certificates for SSL? ❏ Remove development access to production data? ❏ Any vulnerabilities on the machines? ❏ No root access? ❏ ...and more.

  4. 6 weeks later… still not in production. 4

  5. How do you balance delivery with security? 5

  6. Rosemary Wang Developer Advocate at HashiCorp Author of Essential Infrastructure

    as Code @joatmon08 joatmon08.github.io 6

  7. 7 known unknowns known knowns unknown knowns unknown unknowns monitoring

    testing security / policy observability

  8. Teach the “unknown knowns”. 8

  9. Policy as Code 9

  10. Policy as Code The management of an organization’s policies with

    code to ensure the conformance of changes. 10 Push the change to production. Check if an environment conforms to our organization’s policies. Check if a change conforms to our organization’s policies.

  11. Also Known As (AKA) • Shift-left security testing ◦ Test

    configuration before production • Fitness functions for architectural conformance ◦ Evolutionary architecture • Static & dynamic analysis for security ◦ Configure the rules using infrastructure as code approach ◦ Continuous verification or remediation counts! 11

  12. Let’s try it! 12

  13. 13 Make a change. Check if network policy configuration conforms

    to our organization’s policies. Check if rule conforms to our organization’s policies. Change: Update a network policy rule to allow all traffic to all ports from 172.16.0.0/16. Policy: No network policy should allow traffic to all ports.

  14. 14 Policy as Code State of System Parse for fields

    JSON or metadata format Check field values Pass or fail

  15. Summary 15

  16. Drive secure developer productivity. 16

  17. Helpful Practices • Version control • Descriptive policy • Identify

    mandatory versus advisory • Manage policies as libraries • Make compliance and security accessible 17

  18. References • github.com/joatmon08/policy-as-code • youtu.be/mw-mEnLxNj4 • manning.com/books/essential-infrastructure-as-code Find these slides

    at joatmon08.github.io. 18