Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Interview with an IT Agility Director / 18 Apr 2020
GitLab / Interview with an IT Agility Director / 18 Apr 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: 7. DevSecOps

Description

Interview with an IT Agility Director
Question: What is your perspective on the importance of DevSecOps?

A

With Duke Energy decided about a year into the DevOps program that we really had no choice but to turn the DevOps program into a deficit cops program, and some of that was just you know the conditions change I mean we, the security breaches became or early threats, became a much larger and and the way that we were doing security or at least looking at it from security coding practices. It became obvious that it didn't really meet. You know and didn't fit into the way that we were handling the rest of the DevOps program.

A

So one of the core tenets of DevOps is the shift left mentality. You know where you want to be able to catch defects as Flora left was early in the process, as you possibly can, because the cost of fixing a defect actually grows exponentially as you move from development to testing to deployment phases.

A

So the real objective is I want to find the defect as early as I can, because it's much cheaper to fix so as you're going through, and you know finding all of your other D, adding automated testing being able to find your other defects early. The process for Duke Energy for security. Was, you know a couple weeks before you deployed, you would engage the cyber team and they would run a scan and tell you what your defects were.

A

That's very problematic and it's very much against the tenets of ship left. We were involved in one program, I know for sure that they had a very large deployment. They ran a scan two weeks before and they found such a large number of security breaches or security potential security breaches in their code.

A

There's no way they can fix it in two weeks, so they ended up having to go live with some of those and actually fixing those would have been as risky is not fixing them because you don't have time to run your full testing cycle back through. So that's when we partnered with the cyber team and said okay. Well, let's build, let's start to build these components into our tool chain, so you can find them early on so every time a developer commits code.

A

We can scan that code and let them know right away whether or not that they have any any defects related to security in there. So I think the goal of this was to treat security. Defects like we treat every other defect. We want to find that is early in the process, as we possibly can.