Abstract: If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
Learning Outcomes:
- Understand challenges of bringing Security into DevOps in the most challenging situations
- Experience a detailed story of a team going from "Done" to "Deployed" - in a painful 9 months!
- Consider the structural changes which didn't work and the human hacks that did
- Come away with lessons for starting an initiative and where *not* to compromise
- Develop a sympathy for the conditions of US government technology