List of videos

Securing Your Pipes with a TACO | Peter Maddison | Conf42 DevSecOps 2021
Peter Maddison, Managing Partner @ Xodiac
In highly regulated environments, governing bodies of the organization can quickly get in the way of your delivery. What I present is a straw man for architecture, compliance, security and development to come to agreement on their minimum viable bureaucracy. TACO stands for Traceability, Access, Compliance, and Operations and is a set of 20 controls I use as a guideline for helping organizations define automated governance for their software delivery pipelines. However, the primary purpose of TACO is to provide a common language for the organization to understand what "good" pipelines mean for them and how to get there. This model allows for the creation of opinionated pipelines and helps create a common understanding across teams as to what is required in order to be secure. Taking a TACO approach can be considered a part of implementing a DevSecOps program and I’ve used this approach at multiple banks. Having this baseline helps build organizational confidence in the automation of software delivery. During the talk, I’ll run through the different categories of controls, how they are implemented, what the purpose of them is, how to create robust feedback loops for controls.
Other talks at this conference 🚀🪐 https://www.conf42.com/devsecops2021
0:00 Intro 0:26 Talk
Container Scanning: Run Fast and Stay Safe | Rob Richardson | Conf42 DevSecOps 2021
Rob Richardson, Developer Advocate @ Cyral
Have your security needs taken a back seat to "run fast and break things"? Join us for this deep dive into adding container scanning to a DevOps pipeline and production monitoring. You can achieve a robust security posture and still release continuously.
Have you struggled to get security baked into your DevOps process or have your security needs taken a back seat to "run fast and break things"? Just because we’re moving fast doesn't mean we can’t be secure. Join us for this deep dive into adding container scanning to a DevOps pipeline. We'll enumerate the security tool categories, and give you tips for adding these tools to your development workflow, build pipeline, and production monitoring setup. You can achieve a robust security posture and still release continuously.
The Quick Wins of DevSecOps | Sven Ruppert | Conf42 DevSecOps 2021
Sven Ruppert, Developer Advocate @ JFrog
A question occurred to me that I get asked again and again at conferences, meetups or workshops: The question is almost always: What are the quick wins or low hanging fruits if you want to deal more with the topic of security in software development? And I want to answer this question right now!
From Infrastructure as Code to Environment as Code | Adarsh Shah | Conf42 DevSecOps 2021
Adarsh Shah, CEO of CompuZest
Infrastructure as Code (IaC) has made managing infrastructure easier in a lot of ways, but there are many challenges that companies accept as the cost of adopting IaC especially when scaling. IaC is good at provisioning individual resources (or a few of them together) but engineering teams want an entire environment with various components like networking, platform (ec2/eks), database, s3 buckets, etc. to deploy and operate their applications. To provision and tear down an entire environment, these teams have two options. They can either hand roll pipelines to manage individual resources and then manage complex dependencies between these resources within those pipelines or create a monolith IaC for the entire environment. These approaches are inefficient and slow down feature development and innovation. They also make replicating, visualizing & understanding environments difficult. What if there were a better way? This talk digs into these challenges to try to better understand them and then look at how to resolve them. We will introduce Environment as Code (abstraction over IaC) that enables teams to provision & teardown entire Environments in an efficient way and promotes best practices like loosely coupled infrastructure resources.
Key Takeaways:
- Challenges scaling Infrastructure as Code
- What is Environment as Code?
- How Environment as Code can help resolve those challenges?
Lessons Learned from Writing Thousands of Lines of IaC | Eran Bibi | Conf42 DevSecOps 2021
Eran Bibi, CPO @ Firefly
Immutable architecture is the backbone of infrastructure as code, to ensure production environments cannot be changed during runtime. While this has the benefits of its inherent safety measures, this can also be restrictive, all while creating new challenges for security. Immutable concepts are much more effective when it comes to securing cloud native environments and infrastructure, which is becoming an increasingly more complex task. This talk will focus on some of the fundamentals of immutable architecture, best practices and recommended design patterns to work around its limitations and enhance security, as well as what you most certainly should not be doing when running immutable architecture both from an infrastructure and security perspective. This will be demonstrated through a real-world example of deploying a single-tenant SaaS in an automated pipeline, typical challenges encountered, and what was learned on the way, through a Terraform, Kubernetes and step functions example.
Encrypting Data at Rest in Cloud-native Apps | Senthil Raja Chermapandian | Conf42 DevSecOps 2021
Senthil Raja Chermapandian, [Job Title] @ [Company]
All Enterprises across different Industries have begun to rely on Data to enable Business decisions, processes and workflows. Data comes in different types and there are a plethora of data storage solutions for cloud-native applications. Data is stored and processed in a highly distributed fashion to fuel Analytics, AI/ML, Edge/IoT use cases. These factors open up challenges in securing the data and protecting the sensitive information. Encryption is the de-facto mechanism to protect data from malicious users. Encrypting Data at Rest is a fundamental requirement for many Organizations. This talk will introduce you to the different patterns for achieving Data encryption at rest, the relative merits and de-merits of the approaches, challenges and solutions. Attendees will benefit from this talk by gaining a good understanding of the different techniques and which ones to use for different use cases.
The Journey From DevOps to Cloud Engineering | Matty Stratton | Conf42 DevSecOps 2021
Matty Stratton, Staff Developer Advocate @ Pulumi
We have been talking about devops for years. Along the way, we’ve added various syllables to the portmanteau “devops” to include all the practices and disciplines that are key to doing this effectively. What if DevOps, DevSecOps, and all the other variants have been about the same idea all along? Cloud Engineering is an emergent way of expressing how we use and enhance software engineering practices in a cloud world. This goes beyond application design and architecture, but includes how we build, deploy, and manage the services and applications that provide value to our users and customers. In this talk I will step through the evolution of devops and how the practice of Cloud Engineering is a natural progression. I will take the traditional expression of CALMS (Culture, Automation, Lean, Measurement, and Sharing) and connect them to the build, deploy, and manage practices reflected in the Cloud Engineering discipline. Cloud Engineering isn’t “the new DevOps”. It’s the evolution of everything we have been talking about for the last ten years (and more). Let’s learn how we can provide innovation, scale, reliability, security, and compliance by harnessing the practices across all of the associate disciplines. And maybe, along the way, “take DevOps back” to what it’s really been about all this time.
Overcoming IoT Security Threats from the Start | Jonathan Williams | Conf42 DevSecOps 2021
Jonathan Williams, Product Manager @ Twilio IoT
Here’s the sobering reality: Across the Internet of Things (IoT), security has been overlooked. An amazing 1.51 billion IoT devices were breached in the first 6 months of 2021, an increase from 639 million in the same time period in 2020. With the anticipated number of connected devices worldwide predicted to reach 50B by 2030, there is still a lot that needs to be done to ensure that these devices are protected from attacks, this includes ensuring the security of your connected devices and data lives up to the promise you make to your customers. The impact of your devices being compromised is a big one and can often be ignored until it is too late.
Controlled Software as a Transversal Matter | Manuel Schuller | Conf42 DevSecOps 2021
Manuel Schuller, Senior DevOps Evangelist
Especially for banks, releasing controlled software is not only a must, but a business priority. In this session we will present and discuss:
- Implementing DevOps processes - made possible through a set of tools - to ensure that every piece of software released into production complies with the required level of control
- How this level of control is defined not by the projects, but by transverse teams who make sure all controls are compliant with the state of the art
- How these controls become company-wide best practices, so that these transverse groups are meant to disappear after the Culture and Best Practices are disseminated within the organization