Slide 1

Balancing Developer Productivity & Security
live@manning conferences | June 15, 2021

Slide 2

How fast can we deliver software to production?

Slide 3

Security Checklist
❏ No open network or ports?
❏ Certificates for SSL?
❏ Remove development access to production data?
❏ Any vulnerabilities on the machines?
❏ No root access?
❏ ...and more.

Slide 4

6 weeks later… still not in production.

Slide 5

How do you balance delivery with security?

Slide 6

Rosemary Wang
Developer Advocate at HashiCorp
Author of Essential Infrastructure as Code
@joatmon08 | joatmon08.github.io

Slide 7

Quadrants of knowledge and the practice that addresses each:
● known knowns: testing
● known unknowns: monitoring
● unknown knowns: security / policy
● unknown unknowns: observability

Slide 8

Teach the “unknown knowns”.

Slide 9

Policy as Code

Slide 10

Policy as Code
The management of an organization’s policies with code to ensure the conformance of changes.

● Push the change to production.
● Check if an environment conforms to our organization’s policies.
● Check if a change conforms to our organization’s policies.

Slide 11

Also Known As (AKA)
● Shift-left security testing
  ○ Test configuration before production
● Fitness functions for architectural conformance
  ○ Evolutionary architecture
● Static & dynamic analysis for security
  ○ Configure the rules using an infrastructure as code approach
  ○ Continuous verification or remediation counts!

Slide 12

Let’s try it!

Slide 13

● Make a change.
● Check if the network policy configuration conforms to our organization’s policies.
● Check if the rule conforms to our organization’s policies.

Change: Update a network policy rule to allow all traffic to all ports from 172.16.0.0/16.
Policy: No network policy should allow traffic to all ports.

Slide 14

Policy as Code
● State of system
● Parse for fields (JSON or metadata format)
● Check field values
● Pass or fail
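The following is an added example, not code from the slides or from the joatmon08/policy-as-code repository. It implements the pipeline on slides 13 and 14 in Python: take the state of the system as JSON, parse the fields, check their values, and return pass or fail. The JSON schema (network_policies, rules, ports, protocol, source), the port markers treated as "all ports", and the sample data are all assumptions constructed for this example. It goes one step beyond the slides by separating a mandatory policy (no rule may allow all ports, which fails the check) from an advisory one (a wildcard protocol, which only warns), and by checking both a single proposed change before it is pushed and the whole environment afterwards.

```python
import json
from dataclasses import dataclass

# Constructed sample "state of system": a JSON export of network policies.
# The field names (network_policies, rules, ports, protocol, source) are
# assumptions for this example, not a real provider's schema.
SAMPLE_STATE = json.dumps({
    "network_policies": [
        {"name": "web-ingress",
         "rules": [{"direction": "ingress", "protocol": "tcp",
                    "ports": ["443"], "source": "0.0.0.0/0"}]},
        {"name": "debug-ingress",
         "rules": [
             # The change from the slides: all traffic to all ports from 172.16.0.0/16.
             {"direction": "ingress", "protocol": "all",
              "ports": ["0-65535"], "source": "172.16.0.0/16"}]},
    ]
})

# The same proposed change on its own, as it would be checked before a push.
PROPOSED_RULE = {"direction": "ingress", "protocol": "all",
                 "ports": ["0-65535"], "source": "172.16.0.0/16"}

# Port specs treated as "every port" (assumed markers); a rule with no port
# list at all is treated the same way, since nothing restricts it.
ALL_PORT_MARKERS = {"*", "all", "any", "0-65535", "1-65535"}


@dataclass
class Finding:
    policy: str       # policy name, or "<change>" for a pre-push rule check
    rule_index: int
    level: str        # "mandatory" blocks the change, "advisory" only warns
    message: str


def rule_allows_all_ports(rule):
    ports = rule.get("ports") or []
    return not ports or any(str(p).strip().lower() in ALL_PORT_MARKERS for p in ports)


def rule_protocol_is_wildcard(rule):
    return str(rule.get("protocol", "")).lower() in {"all", "any", "*", "-1"}


def check_rule(rule, policy="<change>", index=0):
    """Apply both policies to one rule.
    Mandatory: no rule may allow traffic to all ports.
    Advisory: the protocol should be named rather than a wildcard."""
    findings = []
    if rule_allows_all_ports(rule):
        findings.append(Finding(policy, index, "mandatory",
                                f"allows all ports from {rule.get('source', '?')}"))
    if rule_protocol_is_wildcard(rule):
        findings.append(Finding(policy, index, "advisory",
                                "protocol is a wildcard; name the protocol"))
    return findings


def evaluate_change(rule):
    """Check a single proposed rule before it is pushed to production.
    Returns (passed, findings); only mandatory findings fail the check."""
    findings = check_rule(rule)
    return not any(f.level == "mandatory" for f in findings), findings


def evaluate_state(raw_json):
    """Parse the system state, check every rule of every policy, and return
    (passed, findings). Only mandatory findings fail the check."""
    state = json.loads(raw_json)
    findings = []
    for pol in state.get("network_policies", []):
        for i, rule in enumerate(pol.get("rules", [])):
            findings.extend(check_rule(rule, pol.get("name", "?"), i))
    return not any(f.level == "mandatory" for f in findings), findings


if __name__ == "__main__":
    for label, (ok, fs) in (("change", evaluate_change(PROPOSED_RULE)),
                            ("environment", evaluate_state(SAMPLE_STATE))):
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for f in fs:
            print(f"  [{f.level}] {f.policy} rule {f.rule_index}: {f.message}")
```

Run as a script, the change check fails on the mandatory finding (all ports from 172.16.0.0/16) and also reports the advisory wildcard-protocol finding; the environment check fails for the same rule inside the debug-ingress policy while web-ingress passes. Returning structured findings rather than just a boolean is what lets a pipeline block on mandatory policies and merely annotate advisory ones.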

Slide 15

Summary

Slide 16

Drive secure developer productivity.

Slide 17

Helpful Practices
● Version control
● Descriptive policy
● Identify mandatory versus advisory
● Manage policies as libraries
● Make compliance and security accessible

Slide 18

References
● github.com/joatmon08/policy-as-code
● youtu.be/mw-mEnLxNj4
● manning.com/books/essential-infrastructure-as-code

Find these slides at joatmon08.github.io.