From YouTube: GitLab Dunelm: Shifting Left - Tech Show London 2023
Description
A Journey of Shifting Left with Security and Achieving DevSecOps Success
A: Excited to hold this session. We're going to be talking about a journey of shifting left with security and achieving DevSecOps success together. So, my name is [unclear]; I'm a customer success manager at GitLab. I work with enterprise clients across many industries and I help them with their DevSecOps journey. Often it happens that that journey is related to shift left, and that is what we are here to share with you. Just a bit about myself: I'm based out of Dublin. I do love sports and theater, and I've taken up presenting as a hobby, so let's see how that works out for me; they're telling me after today. I have my partner, my friend, my clients, children [unclear].
A: Companies nowadays are using technology and software to differentiate themselves in the markets, because if they're not thinking of themselves as a [software company], they realize they're losing their business, they're going to lose that competitive advantage. That's why it's important to be secure from the start, to do it early, because the more you wait, the more you leave that security to the very end of the software development life cycle, and there it will cost you more.
A: And that opens up, you know, unnecessary [exposure] as well. So we want to shift left and, in addition, what we've seen on the screen: security is often left to pre-production, or to when the code is released in production. At that point it's only too late, it's only very costly, it takes a lot of effort from all the teams around to put out fires. What we want from that shift is to standardize.
A: The [IBM Systems Sciences] Institute has provided research data around the financial cost to remediate bugs and vulnerabilities, and it is 100 times more expensive to fix them once the code is in production. What does it tell us? It's much cheaper to shift security left, to do it at design, implementation, testing, because in testing it's 15 times more, so you're going to be paying 6.5 [times in implementation]. It would also be interesting to look at the data if there was something around time wasted when that happens as well; I guess you wouldn't be able to find it.
A: So whatever, if you've seen this, [you] would have guessed the amount of that kind of [cost in] production. Zone that's going to help, but this is by no means an exhaustive list; [it's what] I've seen myself. So shift that responsibility: who owns that responsibility? [Shift it] to the [developers], to the left side, right? [GitLab] did that survey in 2022 and asked developers [and] security who is [responsible for] security in your team, and the developers said: hey, 50/50.
A: [And] security... but I don't think it was security that said it's everyone's responsibility. As an example, I personally think it's my responsibility now, [and] the security team's, because I have [to be] taught how things are done, and also [to] secure the laptop, learning if I [slip up], because that happens; I'm proud to admit that that does happen. It was very [unclear] that day. So now, the shift-left flow.
This is a zoomed version of the [DevSecOps] flow, and we go around the life cycle. What we're interested in here is my whole community doing that part on the left, but there's a lot of tools out there and I'm seeing a lot of [this] out there: it's secret, it's done in a spreadsheet, it's taken from one place, passed on to the other, and it's very difficult to know which is what, where. And asking my clients, you know, if anything happened, who is accountable, right? It's very [hard to] respond to that. We don't know. So it's kind of... it's a bit automated; developers don't have to think [about it] one by one in this routine. [Unclear] there, and on the left-hand side security needs to be involved.
A: They need to be part of it, part of the solution. They cannot sit outside of that process. Yeah, so GitLab has this kind of solution. What you're seeing over here is just a list of what GitLab offers, but that is not an exhaustive list: SAST, DAST, container scanning, license compliance, what have you. So the point here is they need to have a comprehensive list of scanning solutions, and not only that: we run [them] at every commit by [every] developer, and they don't have to think about [how to get] the results. I think that's part of it.
A: But I think once you accomplish it you'll be able to scale, because often it should be seamless for developers, because you would be collaboratively working with devs [and] the operations on the same page, and as a result of that you're going to have simpler [governance] policies, and what we've heard from another client of ours, UBS: the auditors are very happy.
A: Actually, this is Harry, who actually worked on security specifically, and then also [has] some great statistics [on] communities as well.

C: Thanks for that. So, first of all, I just wanted to set the scene.
C: But also, most importantly, there's a shift in how we use these technologies as well. The business had a big appetite to do it. We took some risks along the way. You know, it's quite easy to say that they wanted to do it, as tech and as a business. We said, let's do this, and we said, let's go serverless. And now [let me] respond a little bit to the story itself of our journey. I'm not going to spend too long on this, but essentially in August 2018 we were starting to propose [it].
C: We said, right: let's consolidate our tooling, [consolidate the] programming languages, let's work with our partners of today in the US [unclear] and start our rewrite of [unclear]. We'll fast-forward a little bit to 2019, when we went live with our serverless platform. A bit about myself: I joined in August 2019, but I was very much there for the go-live, and we had two war rooms set up, one [unclear]. That night we had 24-hour cover from quality, business services, engineering and all the other tech teams, and we flipped the DNS. We went live; one hour went by, two hours, three hours, and it just worked. There were no problems, and I think that's a huge testament to all the work that we put in beforehand, all the load tests that we were doing and all the tickets.
C: [Unclear] of our sales have been [coming] through the website; of course, that made an increase in traffic, so, as AWS serverless technology says on the tin, it is exactly where it's meant to be: it scaled without a [hitch], had no problems, no problems, and the e-commerce platform had no problems whatsoever. Some of the [unclear].
C: So what were some of my challenges before we went to serverless architecture? We had a mismatch of technologies, we had a mismatch of [unclear] tools as well. We were using... I'm not going to be able to count them all... a lot of different programming languages within [unclear]. That's consolidated down to one or two, which is Node.js, or React for the front end, and then we also consolidated our observability into [unclear], and we see the active items as well, which helps bring some efficiencies across our teams.
C: We moved our teams away from component teams to outcome-based teams, which actually removed some of the [unclear].
C: So if one of them [failed], the entire platform would fail, and it would actually take quite a long time to find [where] the problem [was], but also to recover [unclear] as well. And then, due to all the points that I mentioned, it was very hard to release that change and we had a very limited deployment frequency as well. So how was that [made] successful? I think I mentioned a couple of them already, but: consolidating our tooling and the programming languages and technologies that we were using.
C: We built outcome teams, so those teams were delivering, focusing on [delivering] business value, instead of Team A working on microservice A and Team B working on microservice B, [where] we then have dependencies and they need to communicate to be able to release that change. So, basically, it was all within one team to deliver that change. Yeah, overheads.
C: But the last couple of points I'm quite passionate about personally; it's called the [unclear] perspective. We very much focused on building self-service capabilities, functionality, so also having self-service deployment mechanisms for our teams, so they could deploy with autonomy but still have the right guardrails in place that we need from the security and [unclear] perspective, to give them the economic value faster.
C: And finally, just from that automation perspective, it meant that we're consistent between our environments, [which was] very important to them, and also consistent between our platforms as well, and how we were building our software in the [unclear]. The systems [side] is a big way for me and I always love it. Consistency is key in everything that you do, especially when you're doing [it at] scale. [That was] number one when we went live with our platform; still, we've only scaled up from there as well.
C: Actually, the next strategy wasn't just security. We were very much [addressing] that in multiple ways, so we have... we have a dedicated performance engineering crew now; we're looking at performance and working with our engineering [teams] day to day and educating them to think about performance from day one.
C: And then we have embedded quality software development engineers in test, and SRE engineers, looking at quality and observability at squad level and at service level, day in, day out, working in those squads, and also, on the durability perspective, we're looking at one of the [unclear] from a customer-first approach, instead of just your typical CPU or memory perspective as well. And then finally, platform and SRE are also working with those guys to make sure that maintenance and support [are thought about early] instead of at the end. So, very quickly...
C: I did that journey; myself or another contractor introduced it about three and a half years ago. We first iterated on that within the team. So we went and [proved] that within the team for our [unclear] fallback deployments; that worked quite well. Then we built a set of modular pipelines where these [unclear] deployments [use] GitLab [CI] templates, but spread that across our data and SRE teams as well.
C: Using GitLab, so we spent 12 months building out a set of modular libraries and then [iterated] another time. That's the right way. Everyone [unclear]. Next I'm going to talk about how we integrated security into the pipelines as well. So he's already been talking about the different security [features] that GitLab [offers]. We chose these five to begin with, because we found out they were going to bring the most [value] to shifting left into the squads to begin with. What we did...
C: ...was, I think we had almost 40 or 20 [projects], where the teams could override those modules wherever they wanted to. So we had to get [together] and ask: why? How do you make these mandatory? Then they recommended the compliance framework to make sure that we can make those things mandatory in all of our [projects].
C: [Plus] dashboards: vulnerability dashboards and security dashboards, which gave those data engineering [teams] the data and [insight] that they needed to be able to treat their own security at a service and platform level, to be able to remediate those. And then, because we were one of those [unclear] that [on] each MR, you can see if they were introducing [new] vulnerabilities and if they need to update any packages, you'd be able to make sure that we're compliant.
C: And finally, if, let's say, for example, you were working on a [feature] branch and you introduced a new package, if there was a critical vulnerability that would be introduced on that branch, very quickly that would [trigger] a new MR approval [rule that] would say this MR needs to be approved by [security] before it can be merged to master. [That] means that they can't go into production without that, without [removing] the autonomy, but we've also got the guardrails [in place that we] need. So.
C: Again, they were involved very much at design stage, and [for] our [unclear] service [and] new features we have technical designers and we have all of the technical [unclear] in there as well. Next thing is that we started a security champions initiative, and that's very much still in its infancy, but it means that we've got [people] that are thinking about security all the way across tech, [sharing] the security responsibility. And finally, this is something that we're doing this week: a new initiative and...
C: ...this week. To finally just summarize, going back to [that] slide, you know, you've heard us talk about what [GitLab does for] security in general, but we're very much a success story of how we have shifted security left. We are scanning for it; it's a seamless experience with developers, the platform does everything in the background [with the] modules; we're using a single platform, which is GitLab, to be able to do that, [so] that developers' requirements are taken into account. You've got security, [DevOps] and [operations] perspectives involved in that process.
C: So thank you very much for listening to us today, and then I would look forward to [taking] some questions. If you don't get [to ask] anything here, you [can find us] outside, or if you go to [unclear]. Thanks a lot. Yeah. Thank you.
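The two mechanisms the Dunelm speaker describes near the end of the talk (a compliance framework that makes the scanning jobs mandatory so squads cannot override them, and an MR approval rule that fires when a critical vulnerability is introduced on a branch) map onto two GitLab configuration files. The example below is an added illustration for readers of this transcript; it is not configuration shown in the talk or taken from Dunelm's or GitLab's own repositories. It assumes GitLab's compliance pipeline configuration and scan result policy features as documented around the time of the talk (scan result policies were later renamed merge request approval policies, so check the schema for your GitLab version). The compliance project path, stage names, image variable and approver group name are placeholders.

```yaml
# --- File 1: .compliance-gitlab-ci.yml, kept in a locked-down "compliance"
# project that squad members cannot edit (project path is an assumption).
# A compliance framework applied to each product project points at this
# file, so it runs instead of, and wraps, the project's own .gitlab-ci.yml.
include:
  # Run the squad's own pipeline (their modular deployment jobs) ...
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'
  # ... and always layer GitLab's managed scanner templates on top. Because
  # they are included from the compliance project, a squad cannot remove or
  # override them from its own .gitlab-ci.yml.
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml

# Caveat: keys in this file take precedence over the included project
# config, so the stage list here must cover every stage the product
# pipelines use (these three are an assumption for the example).
stages:
  - build
  - test
  - deploy

# Container scanning must be told which image to scan; the tag below is an
# assumption matching a build job that pushes $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA.
container_scanning:
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

---
# --- File 2: .gitlab/security-policies/policy.yml in the security policy
# project linked to the group. Implements the "critical finding on the
# branch requires security approval before merge to master" rule.
scan_result_policy:
  - name: Critical vulnerabilities need security approval
    description: >
      Block merging into master when the MR introduces a critical
      finding from SAST, dependency or container scanning.
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - master            # target branch of the MR, as in the talk
        scanners:
          - sast
          - dependency_scanning
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
        vulnerability_states:
          - newly_detected    # only findings the MR itself introduces
    actions:
      - type: require_approval
        approvals_required: 1
        group_approvers:
          - security-team     # placeholder group path; an assumption
```

The point of splitting it this way is that the squads keep their autonomy over the deployment modules in their own `.gitlab-ci.yml`, while the scanners and the approval gate live in projects they cannot change. One check worth doing after rollout: open a throwaway MR that adds a dependency with a known critical advisory and confirm the approval rule appears on the MR, since a policy that targets the wrong branch name (for example `main` versus `master`) silently never fires.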