From YouTube: DevSecOps is the Way (S1E2): Compliance
Description
In this monthly series, learn how Red Hat weaves together DevOps and Security to master the force called DevSecOps. This show brings you Red Hat products and our security ecosystem partners to aid in your journey. April is Compliance month! In this episode, learn about Red Hat point of view on Compliance, specifically related to OpenShift. You won't want to miss the insights from Red Hat's Chief Architect, John Osbourne, about how Compliance is handled in the Public Sector. Bring your lightsaber and be prepared to train hard... may the DevSecOps be with you!
A
Good morning, good afternoon, good evening, and welcome to another edition of DevSecOps is the Way. Today we'll be talking about compliance. I'm Chris Short, executive producer, host, and I'm gonna kick it over to Dave Muir to kind of tell us a little bit more about the compliance bits we're talking about today, or let him introduce himself too, but.
B
Yeah, yeah, I'll introduce myself, then I'll hand it over to our esteemed guest as well, who's one of our experts in compliance. But yeah, hey everyone, Dave Muir. I am on Red Hat's strategic global alliances team. Basically I'm a solution architect that focuses on our great security partners around things like OpenShift and Ansible, and we've created this monthly DevSecOps is the Way series, which I'll talk about a little bit here. But before I do, I wanted to pass it over to John Osborne to introduce himself.
C
But yeah, so I mainly focus on bringing a lot of commercial best practices to public sector, so some of the things around people and processes and technology as well. So right now kind of a big industry trend is this push for platforms.

C
So we're seeing that a lot in public sector, and you know, there's a lot of ramifications, not only just technology-wise but organizationally, and there's a lot of pieces around that and there's a lot going on. Usually these things get kind of lumped together with things like agile and cloud adoption and modernization and all these other things. So really, what I do is try to help customers make sense of all that and kind of point them towards well-known happy paths, or at least as close to it as...
B
Yeah, yeah, and saying that there's a lot going on, I think, is an understatement. John, just trying to get a minute of your time during the day is pretty rare, so I think it's going to be a great discussion.

B
Let me just throw up here something quick. Before you... need to know how to share stuff, all right. Here we go, so I'm going to move our faces over, yeah. So, as I mentioned, I don't want to share it, I want to present it. As I mentioned, this is a show that's part of a monthly security series.
B
This show is specifically called DevSecOps is the Way. It's typically somewhere around the third week of every month, but we do two shows actually within OpenShift TV. Our next one for this month is actually tomorrow; we're talking with Sysdig, one of our partners, around compliance, and that's how we're kind of breaking it up. We've got two shows: one more on thought leadership, which is what this show is about, and then another one featuring one of our partners.

B
As we launched a new vulnerability certification within Red Hat, then we have compliance this month. April's compliance month, and you can see the rest of the months there. Next month is around, really, identity, access and management.
B
You could always learn more. We've got a site sort of around this and DevSecOps in our ecosystem; you can see it there: red.ht/DevSecOps. The D, the S and the O do need to be capitalized. Or feel free to email us. If you've seen me talk before, these categories may seem familiar because, within our ecosystem, within Red Hat, we've created a framework of what we call DevSecOps methodologies and technologies.

B
There's nine different categories, which correspond to our months, but then there's about 34 different methods. I'm sure it's hard to see, yeah, so. But what that allows us to do is, you know, say: oh, you know, this certain method, this certain technology should possibly be integrated at this step in the DevOps life cycle, and we could take what Red Hat does, we can take what our ecosystem does, our partners, and bring together a comprehensive joint solution for our customers.

B
So, you know, at the very least it lets our customers say: oh, I should probably think about static analysis, or secrets management, or what we're talking about today, compliance audit and compliance technical controls, at certain stages in DevOps, so that I can ensure to have security embedded, automated, and not slow down, you know, your DevOps process.
B
Wanted to share real quick is, you know, here's some of our partners that we work with. We have a huge landscape of security partners, but you can see kind of where some of them fit. For example, compliance, which is this month's security topic: you'll notice there's folks like Aqua and Sysdig, Synopsys, Tigera, Palo Alto, NeuVector. You'll see blogs, and the podcast tomorrow's with Sysdig around some of their capabilities as well. But this, you know, being Red Hat and being the platform provider on the bottom, which is secure by design.

B
So that is just my initial spiel to start off the show, in case you haven't heard of what we're doing on a monthly basis.

B
So I wanted to then transition down and have a conversation with John about, you know, his role, a little bit more about what he does. Very interesting to understand: you're taking, you know, commercial practices, applying it to the public sector. But if you could kind of paint us a picture, John, of what you do overall, like in a given day. I know you do a ton of stuff, but what are some of your main major activities for our customers?
C
Yeah, really starting off with the hard questions. What do you do? You know, it really varies by the day. You know, I have a lot of different job functions, but, you know, my bias has always been to be really customer-facing, so, you know, I cover a lot of ground, because the public sector is very large, right. We've got state and local governments, we have...

C
Some are small, some are really large, and, you know, we have federal agencies, we've got DoD and intel and all these things, and it kind of spans a lot of different types of things, from "hey, I need to do this at the edge" to "hey, I'm just getting started pretty early on my cloud adoption journey." One of the biggest things we've seen is that as customers start to move into kind of newer ways of working, and, you know, move into things like cloud, there's a lot of confusion.

C
You know, I think one of the biggest things we see is customers try to kind of lift and shift their on-premise model into public cloud. So it's not only just the technology, but there are different ways of working, which is a really big challenge, right, because cloud is just so much different. So the way you do identity management's different. The way you do networking is different. The storage is different, and then the way you kind of work around it, right. This whole idea of kind of the CapEx, the OpEx piece is really interesting.
C
But a lot of what I do is help customers with that, make incremental progress. Try to change the mindset a little bit, because if you look at public sector, a lot of the compliance and things that have been, you know, mandated by law are very static in a lot of ways. They've been the same documents, or risk management frameworks have been around for 10, 20 years right now, so, you know, try to get them to move into...

C
The DevSecOps is more of a mindset change, and changing the mindset a little bit, because you're starting to look at, you know, even making incremental progress. You know, one of the things that we've seen, kind of the failure modes: I think a lot of people, if they've heard about different successes in public sector... you know, there's a lot of ones that are very public, that you've seen at, you know, KubeCons or, you know, other big conference events, and they think, hey.

C
We can just kind of take that blueprint and copy it and move it over to us, and it really doesn't work that way, right. Like, DevOps in general is a lot about experimenting and trying new things and making small incremental progress and kind of iterating on that. So moving that into the kind of big bang, you know, everything, risk management's all done up front, to kind of move into...

C
Let's get something out the door and focus on improving it over time is kind of one of the challenges.
B
Yeah, so where do you see the public sector's adoption of DevOps at the moment, I guess, and compare that to commercial industry as well? Are they at the top of the curve? Are they just starting? Where are they?
C
I'd say there are pockets where it's pretty far advanced, but in general I'd say we're a little bit behind the curve, and a lot of that is because of the things I was just talking about, where there is, I would say, a pretty big groundswell right now to get DevSecOps out the door in a lot of cases.

C
A lot faster, and kind of, you know, look at newer ways of working and newer technologies and things like that. But in a lot of ways we're still kind of set up the old way, where your contracts and what's expected... and project management is probably the biggest one where it's very much set up the old way. Like, if you go in public sector and you look at, you know, the way people do project management, a lot of it's...

C
You know, based around burn charts and Gantt charts and things like that, and very kind of older ways of working, and not as much focused on outcomes and just kind of building things small and incrementally and kind of, you know, pivoting, you know, if things aren't working, and that type of thing. So it's a lot more... The groundswell is there, but we're still making progress, I think, as we go. But customers are starting to make, you know, a lot of headway, especially with platforms where they can...

C
You know, bake in a lot of their policies and security pieces, and let development teams have that kind of API-driven handoff, as opposed to more of the ticket-driven handoff that we've seen in the past, where, you know, you wait, you know, three months to get a virtual machine and all that stuff. So yeah, so we're making headway, but, you know, your mileage will vary depending on where you are.
C
I think, if you look at the traditional, like, Gene Kim's three ways, a lot of us are still in the first way, which is, you know, focusing on just getting things through a CI/CD pipeline. And in general, you know, if you say DevSecOps... I think people initially... DevOps has been around for a while, it's not novel, but the second you say DevSecOps, people immediately focus on the "Sec" part of that, and they think you're initially talking about... by default, they think you're...

C
Talking about, you know, baking security tools into a CI/CD pipeline and things like... But of course there's other ramifications in terms of engaging people earlier in the life cycle, and, you know, because of the way contracts and everything else were set up... You know, I have had customers that have development teams that have never met anyone in ops, and they've never really met anyone in security, so, you know, we're working on...

C
And we've had a lot of good success just connecting people together. You know, some customers are so big they're asking me, like: what's the other team doing inside, you know, their own organization? So, but people have made a lot of success. You know, I think one of the... sorry if I'm just kind of being long-winded here, but one of the things I think that DevOps really needs to pivot...

C
To, upstream, is that, you know, we focus a lot on the Etsys of the world and the Netflixes and the people that are, you know, the tens, right. They're doing this, and it's so cool, and they're experimenting all the time, but there's so many people that have gone from, like, a three to a seven because they've engaged security people earlier in the life cycle and they've engaged ops people earlier in the life cycle. And no, they're not Etsy, but they made a lot of progress, and that's something that really should probably be celebrated and talked about more, because most of us have these massive...

C
You know, mainframes or apps that have been in production for 30 years, and just, you know, moving to a lot of what you read about with, you know, DevOps best practices or use cases or whatever you want to talk about isn't always that clear on how to get there, and kind of that incremental progress probably needs to be celebrated more.
B
Well, yeah, you just can't throw technology at your pipeline and call it DevOps, right. I mean, culture is such a huge part of it. Sounds exactly like what you're saying about bringing people together, and that's one of the things we've been trying to say as well with DevSecOps: it's getting those security people to actually just meet developers, right.

B
Instead of through email, like, hey, here's an email, you've got 15 vulnerabilities on this application, go fix it, right. It's trying to get them involved. Although, have you seen, I guess, in the public sector, are security teams large? Is it tough for those teams to integrate with DevOps teams? Is it thinking, trying to get more training with the developers around security practices, or what are you seeing there?

C
I would say that piece pretty much is in line with commercial in terms of, you know, the famous ratios. It's like, you know, a hundred... or I'd say in practice maybe thirty to one or something like that, in terms of developers to security folks. But, you know, engaging them earlier, at least in terms of the planning and processing, they're...
C
Probably not gonna come to all your meetings, but, you know, that will go pretty far, especially if you look at all the back and forth that happens afterwards. Where it's like, you know, the traditional way of doing DevOps, or even development in general, was very much ad hoc in public sector, after the fact. Like, I built an app, I did all these things, and, oh wait.

C
Now I need to make, like, a, you know, spreadsheet with thousands of rows in it to kind of meet this compliance framework.

C
And, you know, public sector, we've done, I think, a pretty good job of starting to automate those things. There's been a lot of movement there, and then just engaging the security people to make sure that, you know, whatever you're building is actually what they want to sign off on, because, you know, at the end they're going to sign off on, you know, the risk aspect of that. You know, one of the other big things, I think, kind of the evolution of DevOps...

C
That we've seen in commercial too, but definitely in public sector, is that, you know, there was this kind of mindset maybe five years ago or so that, you know, security is everyone's job, and, you know, yes, it is, but a lot of people are just really bad at it, right. So, you know, we also... and that's really where platform comes in. Is we can... yes, security is your job, but, you know, that's not your day-to-day, and nor are you an expert in that, so we can't...

C
We need to have some guardrails for you, and that's where kind of a platform can help do that. And it gives, you know, the security and operations teams the peace of mind to know that developers can use what they want, but they're doing it inside the confines of, you know, approved policies and security things that we, you know, know and love and accept, and all that stuff. So yeah.
B
I mean, it's just not their expertise. They're good at building stuff and being crazy, you know, creative, but that's why you have, like, guardrails and controls and things like that to help them out.
C
Yeah, there's so many pieces to that too. I mean, if you think about even, like, the shared security model in a public cloud provider, right. You know, I think a lot of people are still trying to wrap their head around that a little bit in terms of, you know, what they're responsible for versus what the cloud is responsible for.

C
There's a lot of knobs you end up having to turn. Those knobs look different on different cloud providers, and so there's some confusion there, but having a platform is a really good kind of way to abstract some of that as well. So if you're kind of speaking the same language, whether it be Kubernetes or Ansible or, you know, whatever the platform, whatever the language is of your platform, and you're doing that on-prem...

C
Well, when you move to public cloud, just having that kind of similar language can help, I think, reduce some of the complexity and cognitive overhead of kind of moving and using different environments, and things like that.
B
Yeah, yeah, so let's chat about regulatory compliance, and yeah, here come the acronyms.
C
Yeah, it's interesting. I think so right now there are a few, and I'll talk about them in a second, but we've seen actually a lot of commercial companies using public sector frameworks as well. So I don't think public sector frameworks are just for public sector. You know, even... I've talked to car companies in Germany and Sweden and other places where, you know, they want to sell to the US.

C
But, you know, the biggest one that's been around for about 15 years now is... there was a law passed called FISMA, the FISMA Act, that standardizes kind of a risk management framework, and it was largely based on on-prem, because it was 15 years ago, right. And so, you know, it goes very much up and down the entire stack, from, you know, your application and encryption to, you know, how am I physically protecting...

C
You know, my data center for smash-and-grab type scenarios. And so about nine or ten years ago they passed FedRAMP. So if you're familiar with FedRAMP, that's basically a risk management framework for public cloud providers, and so that is awesome, because, you know, with on-prem, or public cloud, you go through this whole ATO process.

C
If you've heard of the term ATO, it's authority to operate. It basically says that your system can have production data in it. And so with FedRAMP, it basically says: hey, if you build your app in the public cloud and it's FedRAMP, well then, you know, you don't have to worry about the smash-and-grab. You don't have to worry about the disks or any other service that you're running on that's FedRAMPed.

C
You only have to go through the ATO process for what you're building on top of it, so that reduced the lift for a lot of people in public sector. So that's been helpful. A lot of other things that you've heard about, like, you've probably heard of STIGs: like the operating system has a STIG, or your middleware platform has a STIG.

C
All the DISA stuff, and FIPS, and they've released... I got to work on the Kubernetes SRG, that's kind of like the upstream for the STIG, and there's all sorts of stuff that's happened. A lot of those just kind of roll into these kind of two risk management frameworks and processes, but we've seen things like CIS, you know, just like commercial companies are using in a lot of cases.

C
What comes out of public sector, we've seen vice versa, so we've seen kind of the CIS Kubernetes benchmarks and other things come down and now into public sector. People are asking about these other standards and things too. So there's a lot that's out there, but, you know, the biggest one that's mandated is FISMA, and then, which is kind of the NIST RMF.
C
Yeah, so the normal ATO process: you have a security officer who's gonna, basically, at the end, accept risk and sign an ATO, and the whole process is a lot of paperwork generation. You know, it's POA&Ms for what vulnerabilities you have, and, you know, thousands of lines in a spreadsheet over, you know, all these different controls and knobs you have to turn, and all that. So traditionally that process has taken anywhere from 2,000 to 10,000 people-hours to get that out the door, yeah.

C
So it's been massive, you know. Sometimes you build something and it's taken, you know, maybe up to another year to get it through the ATO process. So we've been working for a while on ways to automate a lot of those checks, reuse some of the security... there's been all sorts of kind of fancy terms that people have thrown around, like "ATO in a day" and other stuff.

C
But really these things have been just a way to automate a lot of the paperwork process and a lot of the controls that have been turned. With OpenShift right now, one of the cool things that we shipped was this compliance operator, which will make sure that, basically, your OS is already STIGed, or gone through, you know, the CIS Kubernetes benchmark and other things by default, so you don't have to worry about necessarily turning all the knobs anymore.

C
It's a lot of, you know, engaging people, and then maybe some of the documentation around it. So there's still a lot of work to be done, but I'd say every year we make pretty good incremental progress to making that lift a lot lighter for people. But it is a people process. That's definitely one of the things as well. So, I mean, I've seen ATOs going through in a day, but I've also seen them take two years, right, because it's people.

C
So, you know, it's a process where you're supposed to kind of accept the risk. But, you know, for some people, risk is not... it can be a subjective term, so.
C
So usually the first step we see is, you know, if they're going down the container path, it's container image scanning, right. And so there's lots of good tools out there: StackRox, Twistlock, Anchore, Sysdig, and so forth. You know, that whole space has been very noisy, and also, you know, if we're also being honest, a lot of those scanning tools produce different results. And so I think kind of the next iteration of that is...

C
I want a redundant scanning tool. So in a lot of cases customers have two scanning tools, and one of those might be something from Red Hat. So, I mean, we scan our own base images, but not the apps on top, and that's really where all of the... like, you came from Black Duck, right, which is now Synopsys, right, and they do a great job scanning all the open source components that you would pile on...

C
On top of, you know, our base images and so forth. But then there's a lot of customers who like to do static analysis tools. In a lot of cases development's done by contractors in the public sector, but some of the operations teams might be govvies. So the security people are always govvies. So, you know, they want more checks in terms of: hey, make sure the developers don't have open ports, aren't doing those types of things.

C
I think the challenge for a while, and it still kind of exists, is that a lot of the tools that we've always used to do things in virtual machines aren't really set up in a lot of cases to use those same tools in public cloud. So, you know, a lot of scanning tools and companies have pivoted, I think, in a lot of ways. So the answers can be different for every solution, but, you know, in the early days it was like... had to do it so it looks good, and so, you know, you have kind of that evolution. But, you know, now we see a lot of... you know, what you put up at the beginning, a lot of the partners now have operators where you can install it and it's going to run as a DaemonSet and those types of things, and that's been great. And there's been a push, and we did a lot of edge stuff in public sector as well.

C
So in some cases customers are, you know, not even looking to run just Kubernetes; they're going to run Ansible, they're going to run RHEL for Edge or Podman, just want to run a few containers in an edge scenario. But of course edge is different for everybody too, right. Some edges, you know, can run a full-blown cluster, with, you know... some of these pizza boxes they make now are crazy.

C
You could probably put a 20-node cluster on, like, two pizza boxes, because some of them just come with so... so they always say Moore's law is going to run out, but it never seems to do so. But yeah, that's kind of the iteration of it: the scanning, redundant scanning, static analysis, then looking to do some runtime stuff on top of it. The networking component as well is pretty important.

C
I've been pushing for multi-tenants, so we're not getting too big with, you know, having 20 different projects on a platform. We're kind of breaking things off into kind of a middle ground where it's multi-tenant, but, you know, we're not going to all move at the pace of the slowest tenant on the platform. So that's mostly the evolution of it. There's obviously organizational things that need to change around that, so contracting.
B
Yeah, yeah, you're right, by the way, around scanning and the vendors coming up with different results. It's more of an art, you know.
C
It is. I mean, you know, I don't blame them, if you look at where they're getting their data sources from. They're like: hey, we got this one came off the Python notes page from, like, 2014, and, you know, this one came straight from the vendor as, like, a vulnerability. And, you know, they just get their data sources from all over the internet, right, and so obviously, you know, when you do that, it's not like everyone's looking at the same authoritative authority.
B
Last month's topic, we talked about this, where, you know, there's a set of requirements for these scanning partners to consume the right security feed and also display Red Hat data alongside their data on Red Hat packages, right. It's sort of first in industry; we're hoping the other distros follow suit, which would make results a lot more similar between scanners, yeah.
C
Yeah, no, it's actually... I'm glad you mentioned that, because that's actually... I had, you know, maybe I just put that in the back of my mind, because I have, I think, a lot of scar tissue from that issue. But for those that aren't familiar, you know, I think what Dave's touching on is the way a lot of scanning tools work is they just look upstream to where there's, you know...

C
What versions have this problem, and then they do an RPM check or something inside of a container and realize, oh well, you're using, you know, Python 2.7 and you have this vulnerability. And that works for every vendor except Red Hat, because Red Hat is, like, the only vendor that backports, in a lot of cases, fixes into older versions, and so that causes a lot of problems where scanning tools will say: okay, well, you know, you have all these...

C
You have all these findings, and it's like, well, no, you actually have to ask Red Hat for what's a finding, because we're backporting stuff, and, you know, it's not the same as the upstream. So that's been a challenge, so there's definitely kind of an educational aspect to that as well.

C
So we've seen that in the OVAL v2 piece, for, you know, people who aren't paying attention. So, you know, we've had this OVAL feed for a long time, which basically tells you just what you need to fix, and if there's a patch it tells you that, you know, you need to go patch your system. And, you know, we put out this v2 feed to help clarify some of those pieces as well. It's more like an enhanced feed to kind of solve some of these components upstream, but.
B
Yeah, in that version... I guess the version two came out a couple years ago, two, three years ago. They're continuously updating it. In fact, I think just today they released an enhancement that will help our scanning vendors consume what they're calling the unpatched vulnerabilities. So not only does OVAL put out fixes, well, here's the fix, but they also say here's what's currently affecting and that's not patched either. You know, it's affected, or we decided...

B
So, yeah, the teams are continuously updating that, based on a lot of the feedback we got from the certification program, which is nice to see, and so I see a light at the end of the tunnel, you know, for these...

B
For these scan results. But it's been good so far; we've got three partners certified and about five more working towards certification. It's not easy, you know.
C
Yeah, it's been a challenge for customers, because there's a lot... when I started off with this thing I said there's a lot going on, and there is, because, you know, a lot of times people look to adopt technologies like Kubernetes and, like, you know, Ansible or whatever it is in conjunction with this kind of public cloud piece which I talked about, where, you know, a lot of things are different there. And then they're like, hey.

C
It's also a good time to... let's fix our CI/CD problem and these other things, and a lot of these components have noise in their own learning curve. So just getting incrementally started on it and getting something out the door is... you know, what do you focus on first is kind of the challenge for that. So.
A
Yeah, I mean, and there's questions in chat that are coming through, right. Like, there's just one tool that Netflix released called riskquant, and, like, you know, where do you get started, right? Like, how do you even start assessing risk? Yeah.
C
Yeah, it's hard, I think, and that's actually, in general, I think, regardless of which risk management framework, or compliance in general: you know, compliance is almost like the minimum table stakes to me. It's great, but the failure mode is when you stop looking at it as a way to kind of think independently about what you're doing. You know, DevSecOps is a tool, I think it's a strong tool, but, you know, we're trying to solve larger business outcomes with it.

C
You need to work backwards from that in a lot of cases, and, you know, if you have a bunch of vulnerabilities on a system that's an embedded system and it's not even connected to anything... You know, you've probably heard of, like, Windows 95 is on a fighter jet or something like that, right, and it's like, okay, well, I'm sure there's all sorts of patches and vulnerabilities that are out there, but you can't access it unless you physically touch the board, right.

C
So, you know, it's not like you have a Windows 95 machine exposed to the internet. So, you know, compliance frameworks will say that's the biggest travesty of all time. Maybe it is, but, you know, you need to kind of think that, you know, it's on an embedded system; there's a lot of independent thought and risk management piece around that that I think, you know, you have to kind of wrap your arms around. And so compliance is such a heavy lift that I think by the time people are done with it, they think, okay.
A
Right
but
really
it
should
be
automated
yeah
right.
C
...learning and so forth. You talk about the automation: it's going to be now more automation of the compliance, not just the scanning, but all the documentation pieces around that, like what does your architecture look like? Well, that's great, you had the architectural diagrams from the first day, but we know how production systems go over time, right. There's a lot of toothpicks and duct tape that end up pulling the systems together over time, right. And so, are your architecture diagrams up to date?
C
Security people in public sector are saying: well, if you can automate all your documentation and automate these other pieces, and you get to, say, maturity with your monitoring and metrics, and you have some of the third-party tools, like maybe a Twistlock or an Anchore or a Black Duck doing the scanning, and maybe like a Sysdig doing all the runtime stuff, whatever it may be, then you can go ahead and move towards...
C
...what you hear called a continuous ATO or something like that, where you can update all these components non-stop and you're not necessarily worried about a point-in-time ATO with documentation from last year, with certain versions that are static. Now you've moved into this "now I can iterate really fast" mode. Once you get into kind of the second way, that's really more optimized for developers, where they can start pushing their code.
C
A platform has all the policies and scanning and security pieces around it, so that you can move at the speed, or the tempo, that you need for your organization. We are seeing some of that now, which is pretty exciting, but it's taken a long way to get there, and of course we still have a long way to go too. So...
B
Yeah, I want to sort of go back. You mentioned OpenShift and some of the features like the Compliance Operator and FIPS enabled, right. So are you seeing a lot of time saved in terms of ensuring a Kubernetes distribution is compliant, just because OpenShift out of the box, by default, has some of these things already enabled? Have you seen a lot of that?
C
Treated like an appliance, it's the same bits as RHEL 8. If the latest version is the same bits as RHEL 8.3, and we can give you your STIG in an automated way, well, that's a huge lift for the customer. If you talk about undifferentiated heavy lifting and toil and those things that get thrown around a lot, for compliance a lot of that's just incredibly tedious.
C
Yeah, by hand, yeah, yeah, I'll do all those days by hand. And so we've felt that, and so that removes a lot of the toil for customers. Yeah.
C
Things like, you've got SELinux and other things that are built into the platform by default, but now you're also going to automate a lot of the stuff that they're going to have to do no matter what technology they chose, because they have to do this compliance framework. So that's a pretty big thing for customers, and it's been one of the more exciting things. We still, as far as global geos go, public sector...
C
The feedback we've gotten has been pretty amazing around not having to manage the OS and having it be more of an implementation detail. Having some of the compliance piece is a little newer, but in general, having a lot more of the undifferentiated heavy lifting handled... and we just talked to a customer that is running one of the largest apps that, yeah, I think it's actually...
C
...the largest app at the organization, and it's a financial app and it's very public. A lot of people that are watching have probably heard of this app, especially if you've ever looked at public filings and things like that for public companies, but that's all running on a cluster and they've got like two admins in this really large cluster, because a lot of it's just kind of built...
C
A lot of the undifferentiated heavy lifting is built into the platform, and now they're going to be using things like the Compliance Operator to automate a lot of the rest of it. So it's definitely exciting. We still have a lot of customers on three, and we're trying to do a lot of the... there's quite a bit of social engineering and architectural stuff and education that's required, so we're still doing a lot of that, but the customers that have moved to four, or our new customers...
C
So, historically, in terms of a lot of the STIGs and so forth, it's been Red Hat Enterprise Linux, and then JBoss EAP on the middleware side.
C
At the edge, where they're not necessarily going to have telemetry enabled and all those other things, and that's kind of a smaller form factor footprint, they're looking at just using RHEL, and they might have OpenShift at the home base, right, and they might have a CI/CD factory there. But the container image that's going to get spun out is actually just going to run on a plain old RHEL instance.
C
Now we're looking at RHEL for Edge, which is pretty cool, and it might just get started up by plain old systemd and Podman, and we've seen Ansible automating some of that as well, so that's been kind of a cool use case as well. But we're also working on some smaller footprint OpenShift, so I think pretty soon we'll be able to give people both options, which would be pretty cool as well. So, very...
A
...the docs say, sorry, this only works with RHCOS, but in theory, if there were rules for it and we built them out, you...
C
Yeah, I think that's a challenge, because you absolutely have to have somebody that's evolving with the technology. And so if you look at Kubernetes, it's on a time-boxed release cycle, so every three months it ships out a new version, and there have been changes in Kubernetes. If you look at ephemeral containers and these other things, there's a security implication with running new software, right. And so a lot of times, like, a Kubernetes benchmark...
C
...might be looking at the older version. Or when a new version of Kubernetes comes out, the Kubernetes benchmark might not come out right along with that. So I think having a vendor, and this is probably a shameless plug, but I think having a vendor like Red Hat that's got kind of a strong security DNA to vet a lot of those things, we're going to probably shield you from a lot of that noise, and then also...
C
We have multiple layers of protection turned on in the platform, things like SELinux and security contexts, which has been really powerful, and what...
C
Yes, I've got this, I think I got it from Dan Walsh, but there have been essentially five CVEs for container breakouts, and SELinux has stopped all five of them. So it's all about multiple layers of protection to us, but SELinux is a really strong layer of protection, and even just having that managed for you by the platform is really strong, because historically people have turned off SELinux even in environments where they really shouldn't, because, now that we're being honest, it's hard to use. But the good thing is you don't have to know how to use it with a platform; it's just shipping it for you and tuning it for you and things like that.
C
So there's a lot of value that comes out of there, just in terms of giving people more secure out-of-the-box profiles, but then also just avoiding some of the undifferentiated heavy lifting, not just technology-wise but security-tuning and compliance-framework-wise.
A
It's a bear to manage on just an OS, right, like when there's other stuff running on top of it. Yeah, yeah, it's interesting, but we all have to remember that kernel components make up containers, and SELinux protects kernel components. So it's one of those things where there's a happy relationship there.
C
Yeah, I think people always got confused because the original Docker container architectural diagrams that went around forever had the box like: here's Linux, and then here's my container on top of it. I think it made sense for an architecture diagram, but I think people got confused into thinking that it was something just completely different than Linux at first. But yeah, these things are all just kind of enabled by the platform.
B
I was gonna say, as a Christmas gift for all your viewers, Chris, December is platform month for security, so we're going to be hopefully diving into things like SELinux and OpenShift platform security, which I think will be very cool as we go along. But...
A
Yeah, just from a compliance perspective, right, like if someone has, let's say, four different clouds they're running on, chances are they're gonna have some bespoke thing or some cloud service that they're trying to work with, and there's a compliance layer there as well, right. How do we manage that, right, like if I'm using RDS, for example, in Amazon, with my OpenShift cluster?
C
So I mean, I think, well, first, we do have a consulting team that's very strong, and in a lot of cases their main focus is not necessarily end-to-end security around everything you're doing in your enterprise, but their main focus is...
C
...Google Cloud services, so no, they're not experts in everything, but they know how to put things in context there. And then our consulting, too, is a little bit more set up to be an accelerator for you, or for other groups you're working with as well. So a lot of times...
C
...when working with customers, there's other traditional SIs like Raytheon or Deloitte or whomever, right, and so SAIC and Accenture and Lockheed and all these people. So in a lot of cases we're enhancing other people that are doing those things as well, with kind of: hey, this is what we've seen, this is a best practice. But for the customers...
C
Otherwise, so that becomes pretty invaluable, and then of course internally we have SME lists and all sorts of internal shared documentation and other things like that. So that's been really helpful, but they build a lot of their open source solutions for things right out in the open, so Red Hat Consulting has their own GitHub repo and stuff that's actually got some pretty cool stuff on it that's worth plugging. And one of the other things that they've been building is this...
C
I can't believe I'm just now talking about it: this kind of software factory piece called Red Sword. So in the Department of Defense, they had built out this kind of reference design for DevSecOps a while back, and they're working on a version two of it right now, but Red Hat built out this open source, and one of the things that we were seeing was customers...
C
...in addition to all the compliance components, they were spending a lot of time not focused on their app after they moved to Kubernetes initially, because they'd be writing all this glue code, right. And so think about the DevOps engineer: a lot of times they're writing glue code or doing all these other things, especially initially, and that's a lot of what it was like.
C
How do I take all these scanning tools and components and plug them into Jenkins or Tekton or whatever they're going to be using as their backbone? And so one of the things that we did, well, Red Hat actually hired people out of pocket to help build this kind of software factory component by default, where either you're going to use it or you can use pieces of it. It's all public; someone could put that in the show notes or something, we can put that in.
C
But it's been one of the things that we've been working on, and we're engaged with, I think, four customers right now with having them leverage that. So yes, you can build in a lot of the scanning pieces and all the static security tooling and all the glue code and stuff that you would need around it, as opposed to kind of building up all that yourself, because we want customers to fill up the platform with apps, and we want them to finish their...
B
Very important. Well, so I had a question for you, John, thinking about compliance in the pipeline. We've talked about different integration points, CI/CD, we've talked about scanning a running container, but if we think about compliance technical controls during that pipeline, where have you seen those implemented? Like, have you seen admission controllers stop pods from starting because of compliance issues, or maybe even, as something's running, maybe an automatic remediation type of control? Have you seen those?
C
I think a lot of it's like basic hygiene in the beginning, and even in the middle stages. So a lot of it's: let's get network policies set up. Think of the traditional things you would do on premise with firewall rules and things like that, where now you want to make sure that you're at least doing those in some sort of cloud-native way. So, having good role-based access control, identity management...
C
Some customers are already starting to look at newer paradigms and ways of working like GitOps and things like that, where your workflows are actually starting to change, built around those things. But yeah, I would say a lot of it is just kind of the good policy management, and some of the more mature customers that have been doing this for a little bit are getting into things like policy around multi-cluster provisioning and things like that, where they might be looking at... we have another tool called Advanced Cluster Management that does cluster provisioning and so forth, so they're starting to look at those types of things, but I would say that's an iteration.
C
For at least customers that are halfway through the maturity curve, for now.
A
Yeah, and speaking of GitOps, GitOps Guide to the Galaxy starts at the top of the next hour, so please stick around for that if you're interested.
B
I'm actually all out of questions for John. I thought it's been a good discussion. I know, John, if you had more you wanted to...
B
For those who didn't see it at the beginning of the show, so again, this was one of our two OpenShift TV shows for the month. We do this every month; this month is on compliance. The next show is actually tomorrow, with Sysdig, so tune in there, that'll be a good one.
B
We're also going to be producing three podcasts around compliance as well. Because of Summit next week, they might actually bleed into being dropped in May, so just stay tuned, but we've got a blog also being reviewed right now with some of the topics we talked about, and some other content as well that we're publishing. But this is the monthly security series, so awesome for me. I really appreciate, John, you joining us today for this thought leadership DevSecOps is the Way show.
C
Cool, I appreciate everyone having me. Some of my responses tend to be long-winded, but we have a lot of fun here, so anything I've been learning, I always like to kind of throw it out. One thing I don't do is hoard knowledge, so yeah. We appreciate...
A
No, I mean, not a lot of questions other than "how would I do X with Z and Y," and I've answered most of them, basically.
A
Yeah, yeah, I mean the biggest thing is: reach out if you need us. We're here to help you. If you're having compliance issues within your organization, let us know; we can help.