DevSecOps SKILup Day on May 19, 2022, offered a day full of sessions, yoga, networking, a sponsor hall and even a DevOps-inspired mixology class! Just before SKILup Day, we launched the highly anticipated Upskilling IT 2022 Report.
This year’s report has four versions with global and regional data. It reveals a critical need to close DevOps skills gaps, identifies top skills capabilities, and highlights emerging job roles to help individuals and organizations accelerate IT transformations.
Download the Upskilling IT 2022 Report
DevSecOps SKILup Day
The one-day virtual conference featured “how-to” lessons and insight from speakers: Arfan Sharif, Barak Schoster Goihman, Caroline Wong, Eveline Oehrlich, Jason Dunne, Lonye Ford, Melissa Sussmann, Micheál Kingston, Najib Radzuan, Ritesh Patel, Sameer Paradkar, Sven Ruppert, Tim Johnson and Turja Narayan Chaudhuri.
If you missed the DevSecOps SKILup Day, never fear! We’ve got you covered with a round-up of the top themes from the sessions and conversations around this incredibly important topic.
Why Learning About DevSecOps Is Important
Security has finally become a core topic for DevOps engineers. Many layers are required to address security from left to right: security at the coding level, the build level and the infrastructure level. Security is a growing and important area as we get control over our software supply chain.
The Upskilling IT 2022 Report revealed that Security and Cybersecurity were the most important technical skills. Over 93% of respondents said being familiar with some form of DevSecOps is a critical or important factor.
SKILup Day speakers covered several trends, including improving observability and monitoring, addressing security risks and shifting left. We’ll review the key discussion points that emerged throughout the day in this post.
Implementing DevSecOps
A key theme among speakers at this SKILup Day was introducing the audience to various aspects of planning for DevSecOps.
DevOps Institute Ambassador Najib Radzuan of DevOps4Me Global shared the DevSecOps framework, activities, plans, challenges and processes during his session, “From DevOps to DevSecOps.” Radzuan emphasized that traditional security cannot keep pace with DevOps’ lightning-fast software development cycles. To improve security, organizations must inject continuous security and automated testing throughout the software development process. He explained why organizations must make security central to development and operations and how building security into every stage of the software pipeline fills long-standing gaps between IT and Security. Radzuan stated, “The DevSecOps approach helps spot software security issues faster and alleviates security bottlenecks, preserving the rapid development pace that DevOps makes possible.”
During the session, “Your Developers Decide Your Security Posture. Not Your Security Teams,” DevOps Institute Ambassador Turja Narayan Chaudhuri of EY GDS argued that security initiatives should be designed with developers in mind, not the other way around. Chaudhuri asserted that in today’s world, the key to your enterprise is in the hands of your developers. No security initiative will succeed unless you involve the development team and ensure that the security processes and frameworks do not conflict with developer experience or productivity.
Micheál Kingston of NGINX explored shift left during his session, “DevSecOps: Shifting Left for Application Security in your Pipelines.” Kingston took a deep dive into why “shifting left” is important and how you can apply this practice in your organization. He also addressed the challenges companies face when under pressure to deliver applications faster and more securely.
Lonye Ford of Arlo Solutions shared real-world experience during the session, “DoD’s cATO.” Ford discussed the DoD Continuous Authorization to Operate (cATO) memo signed in Feb 2022, which provides specific guidance on the steps necessary to allow systems to operate under a cATO state. She then shared tools that can be used to assess the effectiveness and efficiency of security. Ford offered suggestions for a body of evidence that can be used to support a cATO authorization package submission, providing a starting point for discussion as you develop guidance to be implemented in your environment.
Looking for more DevSecOps inspiration? Read – How to Build a DevSecOps Program: 5 Key Insights for 2022
Addressing Security Vulnerabilities
In her session, Caroline Wong of Cobalt.io shared a brief history of pentesting, its importance in the SDLC and how to achieve pentesting at scale. Wong shared practical tips and advice for finding and fixing security vulnerabilities, including starting faster and testing more frequently, having engineering and security teams partner to remediate security vulnerabilities, and leveraging data to focus on the top priorities. Wong explained that finding and fixing security vulnerabilities is the key to effective DevSecOps. Pentesting gives companies awareness by testing their people, processes and technologies.
Barak Schoster of Bridgecrew shared key insights in his session, “CI Workflow Supply Chain: Security Risks and How to Find Them.” He said, “CI workflows keep me up at night. I worry that a malicious actor will use the development pipeline to inject code into one of my repositories, leak secrets and source code or perform unvetted modifications to the application.” Schoster then presented infamous bad practices on platforms such as GitHub Actions, GitLab CI and Bitbucket Pipelines and how those mistakes can be prevented.
Sven Ruppert of JFrog shared valuable insight during his session “OS Project Pyrsia: How To Protect the Open Source Supply Chain.” He highlighted how source code is increasingly being manipulated, CI pipelines compromised, and repositories and their contents modified. The attacks are becoming more and more sophisticated, extending across different components. He then explored what Open Source Project Pyrsia is and how it helps prevent supply chain attacks inside the DevOps environment.
Melissa Sussmann and Jason Dunne of Sumo Logic shared real-world experience during the session, “How a Military Strategy Can Help Secure Your App Deployment Cycle.” In the session, they proposed how DevOps engineers can standardize the most effective CIS processes for identifying and responding to threats quickly and effectively via the OODA method:
- Observe: track security bulletins/advisories/CVEs and continuously monitor your own cloud infrastructure
- Orient: research applicability of known threats to your environments
- Decide: determine remediation strategy
- Act: rollout, monitor and manage deployments
They explained that this method frees the team to spend more time on interesting projects and less on monotonous tasks.
Learn how to get certified in DevSecOps Foundation or DevSecOps Practitioner
Enhancing Observability in DevSecOps
Sameer Paradkar of Atos presented the session “Beyond Monitoring: The Rise of Observability Platform.” Paradkar explained that in a complex, multi-layered, distributed computing environment, with so many interdependencies that they are impossible to keep track of, full-stack observability enables organizations to find the metaphorical needle in the haystack. He then gave an overview of methods, processes and tools that identify and respond to system issues before they affect customers, and that can be leveraged for an enterprise-scale observability platform.
Finally, Arfan Sharif of Humio shared subject matter expertise during the session, “Improving Observability Through Modern Log Management.” Sharif shared how an advanced log management solution can give you instant access to all of your log data and how to remove blind spots that can complicate application development, security investigations and other business-critical programs. He then highlighted key log management considerations when working in DevOps.
Listen to [EP68] DevSecOps and Safer Internet with Jamal Walsh
Graphic Summaries
For a quick recap, check out the sketches below. You can also view the videos and slide decks for a limited time by viewing the 2022 DevSecOps SKILup Day on demand.
What’s Next?
There are many events, webinars, and in-person opportunities on the calendar for 2022. Check out the full DevOps Institute event calendar: https://www.devopsinstitute.com/events/
Get DevOps Certified
Now more than ever, organizations need DevOps professionals with validated skills and knowledge to support their digital transformation. At DevOps Institute, we have identified nine core competencies and offer eleven certifications to help advance your DevOps career and grow professionally.
DevOps Institute offers various certifications that explore DevSecOps practices. Learn more and get certified: https://www.devopsinstitute.com/certifications/
Access even more resources by becoming a member of DevOps Institute today.
Attend DevOps SKILup Festival in Denver FREE on June 15, 2022. Learn more: https://www.skilupfestival.io/denver-22