December 25, 2019


Security as a minimum viable product


First open source won. Then DevOps won. Now there's talk of DevSecOps, which by its very name suggests DevOps isn't secure. But security, just like DevOps, isn't a destination; it's a journey. Josh Bressers asks: rather than striving for perfect security, what if we think of security as a minimum viable product?

Talk Title: Security as a minimum viable product
Speakers: Josh Bressers (Elastic)
Conference: O'Reilly Open Source Convention
Conf Tag: Put open source to work
Location: Portland, Oregon
Date: July 16-19, 2018
URL: Talk Page
Slides: Talk Slides

DevOps represents the natural evolution of software and how we build it. Long gone are the days of spending years trying to build the perfect piece of software. DevOps works because it's not about building the perfect thing once; it's about building one little thing and then improving it in quick increments. Why release once a year when you can release once a day?

The way security is thought about in most organizations is very similar to how we used to build software. There is an obsession with perfection, when what we really need is to understand what our security minimum viable product (MVP) is. Even once we understand our MVP, mistakes will be made. The ability to move quickly is by far the most valuable quality of good security.

Using the OWASP Top 10 as his guide, Josh Bressers explores some of the most common security mistakes and explains how they might be avoided with just three basic development concepts that are easily covered by a DevOps process. Josh begins with a discussion of authentication. For a long time, security people warned not to roll your own crypto; now you shouldn't roll your own auth either. If you simply use an OAuth or SAML provider, you can avoid nearly half of the Top 10 list. Josh then moves on to data, trust, and operations. He concludes by examining security and DevOps together, arguing that there's no such thing as DevSecOps; it's really just DevOps.
