
[2020.06 Meetup] [Talk] Patrick Debois - Trust Me, We're Doing DevSecOps


DevOps Lisbon

June 15, 2020


Transcript

  1. Agile, TDD, Scrum, ITIL, Ticket Systems, Devops, CAB, Infra as Code, Continuous Delivery. People, Process, Tools. Idea: Reductionism
  2. Kranzberg's Law(s): "Technology is neither good nor bad; nor is it neutral" https://www.jstor.org/stable/3105385?seq=1
  3. Promises:
     • You are an Agent
     • You make promises to others in the system
     • Your promises should be verifiable
     • A promise does not guarantee an outcome
     • It needs to be mutually agreed upon (no obligation)
     • Other agents can make promises to you
     • Their promises should be verifiable
     • You can not make promises on behalf of other agents
     • Promises can be conflicting
     • To keep a promise you should have a choice
  4. Are we building Confidence or Trust with our pipelines? https://medium.com/@ashutosh/solving-for-trust-vs-confidence-50a048c6db42
  5. How rigid is your process? Degrees of freedom: https://www.youtube.com/watch?v=2LoirYkkhUc (@botchagalupe, State of DevSecOps: The Seventh Deadly Disease)
  6. Patrick Lencioni's model of the Five Dysfunctions of a Team https://www.quality-assurance-solutions.com/Team-Building-Books.html
  7. OSS Library "competence":
     • Number of CVEs
     • Static Analysis
     • Follows Semantic Versioning
     • Number of Issues (tech)
     • Authority of Author(s)
     • Read source code
     • Number of tests
     • Technical documentation
     • Issues after each release
  8. OSS Library "reliability":
     • No Minor API breaches (~docs, ~issues)
     • Last commit, release
     • Release cadence
     • Number of github stars
     • Number of people who blog about it
     • Other projects using this library
     • Number of Active Contributors
     • Search google for articles
  9. OSS Library "sincere":
     • Is there good documentation
     • Changelog / Readme
     • Governance in place
     • Is there a logo
     • Code of Conduct
     • Guidelines for PRs
     • Openness over the build process
  10. OSS Library "care":
     • Number of open Pull Requests
     • Time spent with community
     • Patience with new people
     • How long till vulnerability gets fixed
     • Abusive language
  11. Security wants developers to:
     • Make security a shared Responsibility
     • Get better at security practices
     • Make security a part of the definition of done
     • Be considering security during sprint planning
  12. Developers want security to:
     • Make delivery a shared Responsibility
     • Explain the technical security issue
     • Be available when stories are reviewed
     • Be considerate of other priorities on the backlog
  13. Not a binary secure YES|NO:
     • How long are pull requests open?
     • Last commit date?
     • How many active contributors?
     • How long till CVEs fixed?
     • Does it have tests?
     • Does it have documentation?
     • Committers' reputation
     • Is there a Changelog?
     • Did it do a 3rd party audit?
     • Is it understandable code?
     • Are there issues after releases?
     • How often do they release?
     • Other libraries using this one?
     • Do they follow their code of conduct?
     • How do they reply to pull requests?
     • Are they friendly to new people?
     • Are they open for new ideas?
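The slides on OSS library "competence", "reliability", "sincere" and "care" (7 to 10) and the "not a binary secure YES|NO" list above describe signals a team can read off a dependency's repository instead of a single verdict. The following is an added example, not material from the talk or from DevOps Lisbon: it groups those signals by the four dimensions, computes the time-based ones (days since last commit, release cadence, median open pull request age, mean time to fix a CVE) from repository dates, and turns threshold crossings into review concerns. The `RepoFacts` records, the thresholds and the two sample repositories are constructed for the example; in practice the facts would come from the repository host's API and an advisory feed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class RepoFacts:
    """Facts about one dependency (constructed here; normally fetched from
    the repository host's API and an advisory feed)."""
    name: str
    last_commit: date
    release_dates: List[date]
    open_pr_opened: List[date]     # opened dates of currently open PRs
    cve_fix_days: List[int]        # days from disclosure to fix, per CVE
    active_contributors: int
    has_tests: bool
    has_docs: bool
    has_changelog: bool
    has_code_of_conduct: bool
    issues_after_last_release: int


def days_since_last_commit(repo: RepoFacts, today: date) -> int:
    return (today - repo.last_commit).days


def median_open_pr_age(repo: RepoFacts, today: date) -> Optional[float]:
    """Median age of open PRs in days; None when nothing is open."""
    if not repo.open_pr_opened:
        return None
    return median((today - opened).days for opened in repo.open_pr_opened)


def release_cadence_days(repo: RepoFacts) -> Optional[float]:
    """Mean gap between consecutive releases; None with fewer than two."""
    dates = sorted(repo.release_dates)
    if len(dates) < 2:
        return None
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    return sum(gaps) / len(gaps)


def mean_cve_fix_days(repo: RepoFacts) -> Optional[float]:
    """Mean time to fix a CVE; None when the project has had none."""
    if not repo.cve_fix_days:
        return None
    return sum(repo.cve_fix_days) / len(repo.cve_fix_days)


def trust_signals(repo: RepoFacts, today: date) -> dict:
    """Signals grouped by the talk's four dimensions, kept as raw values
    rather than collapsed into one score."""
    return {
        "competence": {
            "has_tests": repo.has_tests,
            "has_docs": repo.has_docs,
            "issues_after_last_release": repo.issues_after_last_release,
        },
        "reliability": {
            "days_since_last_commit": days_since_last_commit(repo, today),
            "release_cadence_days": release_cadence_days(repo),
            "active_contributors": repo.active_contributors,
        },
        "sincere": {
            "has_changelog": repo.has_changelog,
            "has_code_of_conduct": repo.has_code_of_conduct,
        },
        "care": {
            "median_open_pr_age_days": median_open_pr_age(repo, today),
            "mean_cve_fix_days": mean_cve_fix_days(repo),
        },
    }


# Thresholds are assumptions for this example, not figures from the talk.
STALE_COMMIT_DAYS = 180
SLOW_PR_DAYS = 60
SLOW_CVE_FIX_DAYS = 30
MIN_CONTRIBUTORS = 3


def concerns(repo: RepoFacts, today: date) -> List[str]:
    """One human-readable concern per signal crossing its threshold.
    An empty list means no flags were raised, not that the library is safe."""
    signals = trust_signals(repo, today)
    out = []
    stale = signals["reliability"]["days_since_last_commit"]
    if stale > STALE_COMMIT_DAYS:
        out.append("no commit in %d days" % stale)
    if repo.active_contributors < MIN_CONTRIBUTORS:
        out.append("active contributors: %d" % repo.active_contributors)
    pr_age = signals["care"]["median_open_pr_age_days"]
    if pr_age is not None and pr_age > SLOW_PR_DAYS:
        out.append("median open pull request age is %.0f days" % pr_age)
    fix = signals["care"]["mean_cve_fix_days"]
    if fix is not None and fix > SLOW_CVE_FIX_DAYS:
        out.append("CVEs take %.0f days on average to fix" % fix)
    for label, present in (("tests", repo.has_tests), ("documentation", repo.has_docs),
                           ("changelog", repo.has_changelog),
                           ("code of conduct", repo.has_code_of_conduct)):
        if not present:
            out.append("no " + label)
    return out


# Constructed sample repositories (names and dates are made up).
TODAY = date(2020, 6, 15)
HEALTHY = RepoFacts("example-healthy", date(2020, 6, 10),
                    [date(2020, 1, 15), date(2020, 3, 15), date(2020, 5, 15)],
                    [date(2020, 6, 1), date(2020, 5, 20)], [5, 12], 8,
                    True, True, True, True, 1)
STALE = RepoFacts("example-stale", date(2019, 8, 1), [date(2019, 8, 1)],
                  [date(2019, 9, 1), date(2019, 12, 1), date(2020, 2, 1)], [90], 1,
                  False, True, False, False, 4)

if __name__ == "__main__":
    for repo in (HEALTHY, STALE):
        print(repo.name, trust_signals(repo, TODAY), concerns(repo, TODAY))
```

The point of keeping `trust_signals` separate from `concerns` is that the raw values travel with the review: a reviewer sees "median open pull request age is 197 days" next to the numbers behind it, and the thresholds can be argued about in the open rather than hidden inside a single pass/fail bit.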
  14. "The first step of transformation is the individual" - Deming https://quotes.deming.org/authors/W._Edwards_Deming/quote/10214