From YouTube: Lightning Talk: It’s pronounced ‘DevOps.’ The ‘Sec’ is silent. - Dormain Drewitz, VMware Tanzu
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Lightning Talk: It’s pronounced ‘DevOps.’ The ‘Sec’ is silent. - Dormain Drewitz, VMware Tanzu
A common roadblock in realizing DevOps outcomes is security. In this lightning talk, hear how the security landscape has changed and is forcing a DevSecOps mindset to achieve DevOps outcomes.
And I'm going to jump right into it, because this is a lightning talk and it's going to go by fast. Today, I'm going to talk to you a little bit about why, if you're doing DevOps right, you should be solving for security, and that's where, of course, a lot of these cloud native security concepts and technologies come into play in terms of being able to deliver those outcomes.

Now, we can't have a talk about DevOps without defining DevOps, and we could spend all day or all year on this, because if you ask 10 people what DevOps means you'll get maybe 20 answers. But if we take a look at the Wikipedia definition, because no one's allowed to argue with Wikipedia, what you'll see is that there's an emphasis on the practices. Yes, there is a toolchain, but it's really about the practices that lead to this outcome: shorten the systems development life cycle and you get high quality software.

Why does this matter from a security perspective? If you look at the number of Common Vulnerabilities and Exposures that are getting reported every week, you see that over the last 10 or so years, basically since DevOps was born, there's been a 3 to 4x increase in how many of these CVEs are getting reported every week. Part of this is just that we have more software; we've been in this explosion and growth of the software industry, taking over all kinds of industries or, as Marc Andreessen said, software is eating the world. That was his quote from about 10 years ago, and what we can see is that that brings along with it a lot of vulnerabilities: more code means more vulnerabilities. And how do we manage all of it now?

If you deal with that sort of at the end of your software development life cycle, you get this kind of crazy effect where you're just getting hammered with the amount of code that needs to be scanned and remediated, and it feels a little bit like the scene out of I Love Lucy when they're in the chocolate factory and they can't keep up. So the conclusion that we have here is that we need some amount of automation. It's essential when you factor in just the growth in the number of CVEs out there, the growth in the amount of code that's trying to get out into production, and then you take into effect things like containers as sort of one of the staples of DevOps toolchains and how they're very ephemeral. So, instead of patching and hardening a VM that we're going to keep in production for a long time, we want to throw it away and rebuild it again.

So we're going to need a lot of automation to deal with that. Now, kind of looking at this, we can't just automate at the end. We need to sort of cause security to happen in more places. Some people talk about this as shifting left or expanding left, and there are a couple of things to consider here.

One is just on the design side, and how do you educate more developers to be mindful about security practices. But there's also thinking about how do we automate in security points of control along the entire development and deployment life cycle? And that's really where you start to get into some of these cloud native security technologies, where you can think about: how do I get code from development into the hands of customers and in front of users? And what are my points of control in that life cycle?

Knowing that we're going to go around it again and again and again. Now, even the best laid plans: if you develop a system to do this, and if it's painful to use, developers are going to go around it and take the gumdrop path. And that's not because they're bad people, but it's because they're just trying to get their job done. Now, this was actually a really great insight that was shared in the State of DevOps Report from last year, which is really about this: you spend all this effort to do that, but then you don't want developers to go around it, so you have to have them in mind as the customer. So how do you make it a developer friendly thing? So this is kind of the formula to think about, the mathematical proof, if you will, that gets you there, when you think about the outcomes you're trying to achieve, the challenges that security brings in, as well as things like the ephemeral nature of containers and the behaviors that developers exhibit.

So at the end of the day, if you're doing DevOps right and you're doing it on an ongoing basis, then you've solved for these security challenges. Now, if this was interesting to you, I have a 43 minute version of this talk that you can find. You can Google "It's pronounced DevOps, the Sec is silent," because this BrightTALK URL is probably going to be impossible to memorize.