
Dear Security, Compliance, and Auditors, We’re Sorry. Love, DevOps.

2022-06-22

Authors: Bill Bensing


Summary

The presentation discusses implementing modern governance and automated governance in software delivery capabilities. It highlights the importance of establishing open visibility within the organization to drive trust and reshape the socio-technical construct. Its main thesis is that control gates should be automated and policy expressed in a standard, centralized form the whole organization can understand, so that no one has to carry the cognitive load of understanding every tool in depth.
  • The need for a next generation of software delivery capabilities beyond automation to autonomous and industrial scales
  • The concept of software factories to remind us of the importance of delivery
  • The importance of establishing open visibility within the organization to drive trust
  • The implementation of modern governance and automated governance in software delivery capabilities
  • The automation of control gates to remove the cognitive load of understanding tools in depth
  • The externalization of policy application from the tools themselves to other centralized systems
The presentation tells the story of Herbie from the book 'The Goal' to illustrate how one slow step holds back an entire manufacturing plant. The solution was to pull the humans out and automate the process with machine-readable formats, which establishes visibility and trust.
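The summary above describes automated control gates whose policy lives outside the delivery tools, fed by machine-readable evidence. The following is an added illustration of that pattern, not code from the talk or its author: the policy is plain data owned separately from the pipeline, the gate fails closed when evidence is missing, and every decision leaves an audit record a reviewer can read without knowing the underlying tools. The record layout, rule ids, field names and sample values are all constructed assumptions.

```python
"""Policy-as-code control gate.

Evaluates a machine-readable delivery record against governance policy that
is defined outside the build tool. Added illustration; the record format,
rule ids and field names are assumptions, not anything from the talk.
"""
import json
from dataclasses import dataclass, field

# Centralized policy: rules are data, so Security, Compliance and Audit can own
# and version them without touching the CI pipeline. Each rule names the
# evidence field it inspects and the condition that evidence must satisfy.
POLICY = [
    {"id": "GOV-001", "control": "Peer review", "field": "approvals", "op": ">=", "value": 2},
    {"id": "GOV-002", "control": "Unit tests", "field": "tests.failed", "op": "==", "value": 0},
    {"id": "GOV-003", "control": "Static analysis", "field": "sast.high", "op": "==", "value": 0},
    {"id": "GOV-004", "control": "SBOM attached", "field": "sbom.present", "op": "==", "value": True},
    {"id": "GOV-005", "control": "Signed artifact", "field": "artifact.signed", "op": "==", "value": True},
]

OPS = {
    "==": lambda observed, expected: observed == expected,
    ">=": lambda observed, expected: observed >= expected,
}


@dataclass
class Decision:
    allowed: bool
    # One tuple per rule: (rule id, control name, passed, observed value)
    findings: list = field(default_factory=list)


def lookup(record, dotted):
    """Walk a dotted path such as 'tests.failed' through a nested dict.
    Returns None when any part of the path is absent."""
    current = record
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def evaluate(record, policy=POLICY):
    """Apply every rule to the record. Missing evidence fails closed: a rule
    whose field is absent counts as failed rather than skipped."""
    findings = []
    for rule in policy:
        observed = lookup(record, rule["field"])
        passed = observed is not None and OPS[rule["op"]](observed, rule["value"])
        findings.append((rule["id"], rule["control"], bool(passed), observed))
    return Decision(allowed=all(f[2] for f in findings), findings=findings)


def audit_report(record, decision):
    """Tool-agnostic evidence of the gate decision, one entry per control."""
    return {
        "commit": record.get("commit", "unknown"),
        "decision": "allow" if decision.allowed else "deny",
        "controls": [
            {"id": rid, "control": name, "result": "pass" if ok else "fail", "observed": seen}
            for rid, name, ok, seen in decision.findings
        ],
    }


# Constructed sample records, shaped like what a pipeline might emit after
# build, test and scan stages. Commit ids are placeholders.
SAMPLE_PASS = {
    "commit": "0000000 (constructed)",
    "approvals": 2,
    "tests": {"passed": 412, "failed": 0},
    "sast": {"high": 0, "medium": 3},
    "sbom": {"present": True, "format": "spdx"},
    "artifact": {"signed": True},
}
SAMPLE_FAIL = {
    "commit": "1111111 (constructed)",
    "approvals": 1,                      # GOV-001: only one reviewer
    "tests": {"passed": 410, "failed": 0},
    "sast": {"high": 1, "medium": 2},     # GOV-003: one high finding
    "artifact": {"signed": True},
    # no "sbom" key at all: GOV-004 fails closed
}

if __name__ == "__main__":
    for record in (SAMPLE_PASS, SAMPLE_FAIL):
        print(json.dumps(audit_report(record, evaluate(record)), indent=2))
```

The point of keeping `POLICY` as data rather than pipeline steps is that the control owners can review and change it in one place, while the pipeline only ever produces evidence and asks for a decision; the `audit_report` output is the artifact an auditor reads instead of the tool's own logs.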

Abstract

Stop it with the DevSecAuditComplianceOps buzzwords within the software supply chain. Let’s simply talk about Modern Governance. Great software supply chain hygiene requires governance. Governance stinks because we do it wrong. I promise to give you the means to go from commit to production with 100% no-human-hands, all while meeting visibility, security, compliance, and audit requirements without fail. Modern Governance applies to standard line-of-business software, machine learning, edge, IoT, and any other software artifact. DevOps solved the developer and operator conflict. It forgot other essential folks of the delivery lifecycle: Security, Compliance, and Audit. It's also missing the newest entrant, Software Supply Chain Management. Modern Governance resolves governance toil with a software engineering approach. It is no different than applying Site Reliability Engineering (SRE) principles and practices to the dull, mundane, and toil-ridden governance processes.

Materials: