Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[2020.06 Meetup] [Talk] Patrick Debois - Trust ...

[2020.06 Meetup] [Talk] Patrick Debois - Trust Me, We're Doing DevSecOps

DevOps Lisbon

June 15, 2020
Tweet

More Decks by DevOps Lisbon

Other Decks in Technology

Transcript

  1. Agile TDD Scrum ITIL Ticket Systems Devops CAB Infra as

    Code Continuous Delivery People Process Tools Idea Reductionism
  2. Kranzberg's Law(s) "Technology is neither good or bad ; nor

    is it neutral" https://www.jstor.org/stable/3105385?seq=1
  3. • You are an Agent • You make promises to

    others in the system • Your promises should be verifiable • A promise does not guarantee an outcome • It needs to be mutually agreed upon (no obligation) • Other agents can make promises to you • Their promises should be verifiable • You can not make promises on behalf of other agents • Promises can be conflicting • To keep a promise you should have a choice
  4. Are we building Confidence or Trust with our pipelines ?

    https://medium.com/@ashutosh/solving-for-trust-vs-confidence-50a048c6db42
  5. How rigid is your process - Degrees of freedom https://www.youtube.com/watch?v=2LoirYkkhUc

    @botchagalupe State of DevSecOps The Seventh Deadly Disease
  6. Patrick Lencioni's model of the Five Dysfunctions of a Team

    https://www.quality-assurance-solutions.com/Team-Building-Books.html
  7. OSS Library "competence" Number of CVE's Static Analysis Follows Semantic

    Versioning Number of Issues (tech) Authority of Author(s) read source code number of tests technical documentation Issues after each release
  8. OSS Library "reliability" No Minor API breaches (~docs , ~issues)

    Last commit , release Release cadence Number of github stars Number of people blog about it Other projects using this library Number of Active Contributors Search google for articles
  9. OSS Library "sincere" Is there good documentation Changelog/ Readme Governance

    in place Is there a logo Code of Conduct Guidelines for PRs Openess over the build process
  10. OSS Library "care" Number of open Pull Requests Time spent

    with community Patience with new people How long till vulnerability gets fixed Abusive language
  11. Security wants developers to Make security a shared Responsibility Get

    better at security practices Make security a part of the definition of done Be considering security during sprint planning
  12. Developers wants security to Make delivery a shared Responsibilty Explain

    the technical security issue Be available when stories are reviewed Be considerate of other priorities on the backlog
  13. Not a binary secure YES|NO How long are pull requests

    open? Last commit date ? How many active contributors? How long till CVE's fixed Does it have tests? Does it have documentation? Commiters reputation Is there a Changelog? Did it do a 3rd party audit? Is it understandable code? Are there issues after releases? How often do they release? Other libraries using this one? Do they follow their code of conduct? How do they reply to pull requests? Are they friendly to new people? Are they open for new ideas?
  14. "The first step of transformation is the individual" - Deming

    https://quotes.deming.org/authors/W._Edwards_Deming/quote/10214