►
Description
Presented by: Leonid Stolyarov
In order to reduce friction between developers and security teams, it’s helpful to think of security as a product that serves developers, and not just a set of policies or series of tasks to be completed after a project has already shipped. In this session, Leonid Stolyarov, Engineering Director at KPMG, will discuss how the enterprise organization turned security into a product by embracing tools like GitHub Advanced Security and GitHub Actions to automate compliance and surface vulnerabilities earlier in the process, before they are shipped into production.
As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub
Thanks!
Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github
About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com
A
Hello
welcome
and
thank
you
very
much
for
listening
to
this
talk.
My
name
is
Leo
stollerov
and
I'm.
An
engineering
director
here
at
KPMG
PMG
is
a
Global
Network
of
Professional
Services
firms
providing
audit
tax
and
advisory
services
and
technology
is
at
the
heart
of
everything
we
do
and
part
of
the
very
DNA
of
our
business,
specifically
our
engineering
business
at
KPMG,
UK
built
and
runs
cutting-edge
solutions
for
clients
all
across
the
world,
using
the
latest
technology
with
skills
across
Cloud
engineering,
software
development
and
automation.
A
We
act
as
a
focal
point
delivering
high
quality
services
that
support
businesses
to
innovate
and
address
a
variety
of
complex
challenges.
I
personally,
love
collaborating
with
people
on
complex
problems
and
enabling
big
ideas
through
code
today,
I'll
talk
about
how
Enterprises
can
manage
risk
and
need
compliance
requirements
while
accelerating
the
pace
of
delivery
of
business
initiatives.
If
you're
a
developer,
I
hope
you
take
away
file,
automation
can
Empower
Engineers
to
build
more
secure
software.
A
If
you're,
a
security,
professional
I'll
demonstrate
how
security
and
compliance
policies
can
be
automated
to
provide
developers
immediate
and
actionable
feedback,
and
if
you
manage
sets
of
Technology
teams,
I
will
aim
to
demonstrate
how
those
teams
can
accelerate
the
delivery
of
projects
and
Innovations
without
introducing
addition
risk
to
your
business.
The
technology
landscape
continues
to
evolve
quickly.
At
the
same
time,
organizations
are
also
expected
to
ship
technology
features
faster
than
ever,
and
there
are
currently
three
significant
security
related
challenges
that
are
facing
the
tech
industry.
A
Firstly,
developers
and
security
teams
remain
siled
and
most
developers
are
not
empowered
with
the
required
security
knowledge
to
address
security
themselves.
Secondly,
there
is
an
application
security,
skill
Gap
and
a
growing
developer
shortage.
According
to
U.S
Labor
Statistics,
as
of
December
2020,
the
Global
Talent
shortage
amounted
to
40
million
skilled
workers
worldwide
by
2030.
The
Global
Talent
shortage
is
expected
to
reach
85
million
companies
worldwide
risk
losing
more
than
8
trillion
dollars
in
Revenue
because
of
the
lack
of
skilled
Talent.
A
Finally,
traditional
ways
of
meeting
an
organization's
security
and
compliance
requirements,
negatively
impact
developer,
workflow
and
productivity.
These
challenges
and
current
High
Dem
man
for
technology
Talent
highlight
the
need
for
healthy
and
effective
engineering
practices
to
motivate
and
retain
talent
and
to
deliver
productive
engineering
outcomes.
It
is
essential
to
create
an
environment
in
which
developers
can
be
effective
where
they
can
use
their
time
well,
applying
their
energy
and
creativity
to
build
valuable
working
software
for
their
users
and
optimizing
developer.
A
Effectiveness
involves
improving
the
core
feedback
loops
that
developers
and
teams
experience
such
as
time
to
launch
service
time
to
productivity
for
new
employees
and
other
qualitative
measures
of
developer
satisfaction.
We
will
zoom
in
on
approaches.
Organizations
can
take
to
embed
security
into
development
practices,
I'll
discuss
how
KPMG
empowers
teams
to
securely
and
rapidly
innovate
on
software
and
customer
experiences
that
drive
business
results
and
maximize
developer.
Effectiveness
KPMG
uses
GitHub
Enterprise
Cloud
to
boost
collaboration,
ensuring
amongst
its
many
member
firms
due
to
member
from
structure.
A
Github
Enterprise
Cloud
allows
us
to
delegate
the
appropriate
level
of
control
of
organizations
Administration
down
to
individual
member
firms,
while
still
being
able
to
collaborate
through
internal
repositories.
In
order
to
achieve
that,
we
needed
to
give
secure,
Administration
patterns
for
member
firms
to
adopt
and
have
heavily
relied
on
existing
code
driven
approaches
such
as
safe
settings
projects
and
many
others.
We
also
needed
to
put
in
place
a
mechanism
to
legally
share
codes
across
organizations,
and
this
has
led
us
to
create
a
few
KPMG
MIT
style
license
types.
A
This
is
how
the
KPMG
code
platform
was
born.
It
is
our
internal
initiative
to
unite
our
developers
on
a
single
engineering
platform.
We
use
this
platform
to
intersource,
standardize
our
engineering
practices,
tear
down
barriers
and
improve
team
communication
and
collaboration.
Our
recommendation
to
other
organizations
is
to
focus
on
creating
a
culture
that
Embrace
this
automation
so
automating
as
much
as
possible
and
streamlining
what
is
not
encourages,
curiosity
and
learning
and
invests
in
Secure
devops
practices
to
save
time.
A
In
the
long
term,
this
Focus
will
allow
Engineers
to
ship
code,
features
quicker
and
make
the
organization
more
competitive
writing
code
faster
is
great,
but
that
needs
to
come
with
the
ability
to
mitigate
constant
software,
security
risks
and
traditional
approaches
to
managing
security
risks
such
as
manual
point
in
time.
Assessments
combined
with
often
cumbersome
and
outdated
controls
can
lead
to
delays
in
delivering
value
and
cause
significant
friction
between
information,
security
and
Engineering.
A
One
way
to
reduce
this
friction,
while
ensuring
that
you
can
securely
deliver
value
through
technology
is
productizing
security
and
introducing
it
earlier
into
your
software
development
life
cycle.
In
other
words,
you
should
start
to
treat
your
security
policy
as
an
integral
part
of
cold
production.
Taking
this
approach,
we
at
kpmguk
were
able
to
automate
many
of
our
compliance
checks
and,
of
course,
GitHub
actions
and
GitHub.
Advanced
security
became
extremely
powerful
tools
for
achieving
this.
A
Previously
Security
checks
would
happen
late
in
the
product
development
life
cycle
burdening
Engineers
to
fix
problems
long
after
they
thought
they
were
finished
writing
out.
In
addition,
most
security
tools
were
built
for
Security
Professionals,
not
software
developers.
Now
GitHub
Advanced
security
allows
us
to
consistently
automate
our
security
and
compliance
posture
and
provide
immediate
feedback
to
developers.
Github
had
made
it
easy
to
spot
compliance
issues
and
vulnerabilities
in
a
cold
and
dependencies
early
in
the
software
development
life
cycle
before
any
code
is
even
shipped.
A
In
addition,
interacting
with
a
single
portal
throughout
the
life
cycle
has
reduced
contact,
switching
and
toil
for
developers
and
now
enables
them
to
remediate
these
vulnerabilities
quickly
through
automatically
generated
pull
requests.
Today,
KPMG
UK
manages
rest
at
an
Enterprise
level,
with
GitHub
Advanced
security,
using
tools
like
Dependable
code,
ql
secret
scanning
with
push
protection
and
GitHub
actions.
Dependable
offers
insight
into
the
state
of
KPMG
security,
allowing
us
to
identify
and
prioritize
dependency
vulnerabilities.
A
Cold
KL
provides
us
with
a
wealth
of
pre-written
code,
ql
queries
and
it
was
effortless
for
KPMG
to
get
started
out
of
the
box.
In
a
matter
of
minutes,
we
can
plug
in
the
code
fuel
pack
for
Python
and
even
write
some
custom
queries
for
one
of
the
high
profile
projects.
Secret
scanning
with
push
protection
ensures
that
our
repositories
are
secure
and
free
from
Secrets.
Now,
GitHub
Advanced
security
automatically
ensures
that
KPMG
developers
do
not
unknowingly
commit
credentials
to
a
code
base
in
KPMG
UK.
A
We
have
also
built
custom
automation
with
GitHub
actions
to
check
projects
compliance
with
the
company's
security
policies.
This
has
allowed
us
to
give
developers
immediate
feedback
on
code
checked
in
and
whether
they
are
stepping
outside
keeping
mg
security
or
compliance
boundaries.
This
approach
provides
an
instant
feedback
loop
to
the
developers,
making
it
an
extremely
effective
way
of
building
security
early
in
the
development
process.
A
This
action
works
by
evaluating
repository
contents
against
a
policy
described
in
the
yaml
file.
This
policy
explains
what
Dependency
license
types
are
approved
for
use
which
types
should
be
consumed
with
additional
due
diligence
and
which
are
completely
prohibited.
The
policy
also
States
remediation
time
frames
for
different
severities
and
vulnerabilities
to
give
teams
an
appropriate
timeline
to
remediate
them.
Ultimately,
it
provides
developers
immediate
guidance
on
security
or
compliance
controls.
A
They
need
to
focus
on
the
vision,
for
this
action
is
that
it
will
be
automatically
rolled
out
to
every
new
repository
and
constantly
kept
up
to
date
across
more
than
6
000
existing
repositories
in
our
Enterprise
across
the
global
Network.
Crucially,
this
approach
maintains
Central
visibility
that
provides
assurance
that
two
years
on
organization
are
secure
and
not
exposing
ourselves
to
unnecessary
risks
without
impeding
any
developer
workflows.
Today,
my
call
to
action
is
to
make
security
and
risk
management
proactive
and
productize
the
implementation
to
achieve
that
focus
on
empowering
developers.
A
Developers
need
tools
embedded
directly
into
the
developer
workflow
that
enables
them
to
quickly
and
seamlessly
secure
their
code
in
minutes
and
the
beauty
of
productizing
security
is
that
you
don't
have
to
trade
off
the
developer
experience.
When
you
make
security
consumable
to
your
developers,
it's
easy
to
comply
and
manage
risk
at
PACE
and
scale
risk
management
at
KPMG
was
historically
cumbersome
and
various
departments
also
performed
manual
security,
quality
assurance,
leading
to
a
lengthy
and
time-consuming
process.
A
Kpmg
UK
needed
a
security
platform
that
would
continue
safeguarding
customer
trust
while
simultaneously
providing
an
easy
to
use
development
environment.
So
we
chose
to
adopt
and
stabilize
on
GitHub
Advanced
Security
standardizing
on
GitHub
Advanced
security
has
meant
the
developers
have
fewer
tools
to
juggle
which
reduces
their
cognitive
load
and
lets
them
focus
on
innovating.
The
key
to
this
shift
was
for
us
to
start
thinking
about
security
as
a
product
that
KPMG
security
teams
deliver
to
developers
rather
than
a
series
of
tasks
to
be
conducted
after
functionality
has
already
been
produced.
A
To
summarize
I'll
leave
you
with
two
key
takeaways.
The
first
takeaway
is
that,
in
order
to
reduce
friction
between
developers
and
security,
think
of
security
and
compliance
as
a
product
that
search
developers
and
not
just
a
set
of
policies
but
fitting
security
as
a
product
with
a
dedicated
set
of
Engineers
and
product
owners.
You
can
start
to
offer
this
as
a
service
to
your
engineering
and
risk
functions.
Another
way
to
describe
it
is
as
a
golden
path
or
a
paved
Road
analogy.
A
Your
goal
is
to
lower
the
barrier
of
Entry
to
securing
coach
as
much
as
possible.
The
second
is,
you
can
turn
security
and
compliance
into
products
by
embracing
tools
like
GitHub
actions
and
GitHub
Advanced
security
that
will
make
compliance
automatic
where
possible
and
surface
issues
early
in
the
process
when
they
easier
just
to
fix.