logo
allArticlesConferencesPresentations

Dear Security, Compliance, and Auditors, We’re Sorry. Love, DevOps.

Conference:  SupplyChainSecurityCon 2022

2022-06-22

Authors:   Bill Bensing

Summary

The presentation discusses the implementation of modern governance and automated governance in software delivery capabilities. It highlights the importance of establishing open visibility within the organization to drive trust and reshape the socio-technical construct. The main thesis is to automate control gates and remove the cognitive load of understanding tools in depth to allow for a standard centralized understandable way for the organization.
  • The need for a next generation of software delivery capabilities beyond automation to autonomous and industrial scales
  • The concept of software factories to remind us of the importance of delivery
  • The importance of establishing open visibility within the organization to drive trust
  • The implementation of modern governance and automated governance in software delivery capabilities
  • The automation of control gates to remove the cognitive load of understanding tools in depth
  • The externalization of policy application from the tools themselves to other centralized systems
The presentation tells the story of Herbie from the book 'The Goal' to illustrate the problem of slowing down in a manufacturing plant. The solution was to pull the humans out and automate the process with machine-readable formats to establish visibility and trust.

Abstract

Stop it with the DevSecAuditComplianceOps buzzwords within the software supply chain. Let’s simply talk about Modern Governance. Great software supply chain hygiene requires governance. Governance stinks because we do it wrong. I promise to give you the means to go from commit to production with 100% no-human-hands. All while meeting visibility, security, compliance, and audit requirements without fail. Modern Governance applies to standard line-of-business software, machine learning, edge, IoT, and any other software artifact. DevOps solved the Developer and Operators conflict. It forgot other essential folks of the delivery lifecycle: Security, Compliance, and Audit. It's also missing the newest entrant, Software Supply Chain Management. We will talk about Modern Governance. Modern Governance resolves governance toil with a software engineering approach. It is no different than applying Site Reliability Engineering (SRE) principles & practices to the dull, mundane, and toil-ridden governance processes.
Materials:
Slides
Tags:
software supply chain
Governance
compliance
audit
DevOps

Post a comment

Related work

Securing the IaC Supply Chain

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Jesse Sanford, Jason Hall
2022-10-26

Sponsored Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline

Conference:  Cloud Native SecurityCon North America 2023
Authors: Saurabh Wadhwa

Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline

Conference:  Cloud Native SecurityCon North America 2022
Authors: Jeremy Colvin
2022-10-24

Secure Your Project with the SIG Release Supply Chain Kit

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Carlos Panato, Adolfo García Veytia
2023-04-20

Know Your Dependencies: A Guide to Automating Dependency Assurance

Conference:  Cloud Native SecurityCon North America 2022
Authors: Steve Judd
2022-10-25

Robots with lasers and cameras (but no security): Liberating your vacuum from the cloud

Conference:  Defcon 29
Authors:
2021-08-01