Everything is Terrible: Three Perspectives on Building, Configuring, and Securing Software

Presented at AppSec USA 2016, Oct. 13, 2016, 9:30 a.m. (60 minutes)

Developers, operations, and security all have differing agendas and benchmarks for success. One is tasked with building new features, the next with delivering and making them available, and the third is tasked with mitigating the risks associated with the previous two. Core to the DevOps movement is the idea of building empathy with people in other teams in order to align for business success. This talk provides the perspectives of three engineers who have each lived primarily in one of Dev, Ops, or Security, but have also worked collaboratively to try not to kill each other. They will talk about their backgrounds, provide practical examples from daily experiences, and share suggestions on building common tooling that minimizes friction and enhances collaboration.

This talk will discuss:

  • The misalignment of priorities that organisations often force upon these groups
  • Struggles with collaboration and working cultures
  • Common bottlenecks associated with release cycles and security processes
  • Building empathy and optimizing for communication that doesn't involve fisticuffs (or other 19th century combat styles)

The audience will come away with:

  • Ideas for handling these complicated situations
  • Approaches for building workflows and possible tooling suggestions to minimize the tire fires
  • A new appreciation for those on the other sides of the silo walls

Presenters:

  • Bill Weiss - Sr Manager of SysOps - Puppet
    As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial services SaaS, and finally made it to Portland in 2015 to join Puppet as the Manager of SysOps, which he thinks is a way better term than "sysadmin".
  • Adrien Thebo - Puppet
    Adrien is a software engineer at Puppet. He started in IT Ops in 2005 and started writing code to automate everything, inadvertently becoming one of the earliest devops hipsters (he did devops before it was cool). Adrien joined Puppet in 2011, first on the Operations team, where he helped cause frequent outages, and then transferred to the Engineering team in 2013, where he helped break the build. The original author of r10k and other client tools for Puppet, these days Adrien works on the security development team yelling at OpenSSL documentation and refining ways to protect systems and infrastructure.
  • Chris Barker - Puppet
    Turning in his pager for an airline miles membership, Chris Barker now helps fellow system administrators refine and automate their infrastructure. In his past life as a systems administrator, he has administered Linux, Windows, and OS X systems in infrastructure ranging from small businesses to Fortune 500 companies. He was drawn to Puppet due to his automation-driven creativity. When not traveling for Puppet, he resides in Portland, OR automating parts of his house and deconstructing cocktails.
