Security and DevOps: “Go get an approval for this library usage. Or not?” @ DevOps Toronto Meetup

April 5, 2021

< 1 min read

Security and DevOps. Go get an approval for this library usage. Or not?
To be good at security, you need to think like a CISO; you need to act like a CISO; you need to become a CISO… or do you? In this talk, we’ll keep following Alex and their journey towards better software engineering processes. A dive into the world of information security presents Alex with new goals, new challenges, and new headaches. Or maybe the headaches were there before and now just became more visible?

View Slides Here

Speakers

Baruch Sadogursky

Developer Advocate @JFrog

Baruch Sadogursky (a.k.a JBaruch) is the Head of Developer Relations and a Developer Advocate at JFrog. His passion is speaking about technology. Well, speaking in general, but doing it about technology makes him look smart, and 18 years of hi-tech experience sure helps. When he’s not on stage (or on a plane to get there), he learns about technology, people and how they work, or more precisely, don’t work together. He is a CNCF ambassador, Developer Champion, and a professional conference speaker on DevOps, DevSecOps, Go, Java and many other topics, and is a regular at the industry’s most prestigious events including DockerCon, GopherCon, Devoxx, DevOps Days, OSCON, Qcon, JavaOne and many others. You can see some of his talks at jfrog.com/shownotes

Video Transcript

just have to watch this because the
moment it kicks off it starts like
looping audio and it drives me crazy
there we go all right beautiful
so welcome everybody
to may the fourth uh may the fourth be
with you
jfrog has been on this all year you guys
are the star wars
captains of the universe um and
this is a great a great day to catch
jfrog because you guys are you guys are
100
on brand today but um
i want to hear who’s a fan of the
rebellion who’s a fan of the empire
toss it in the chat no judgment either
way
let us know um and you can go old school
new school too if you’re if you’re a fan
of the
the uh generation let us know
um who’s watching star wars some star
wars today
also i think the uh isn’t the bad batch
out today that new animated series
i’m gonna try and catch that i’m a big
fan of all this disney stuff coming out
so
looking forward to that there’s never
enough series these days
the side of captain kirk
100 agree captain kirk all day
all right thanks for humoring me so um
i want to let everybody know what i’ve
been working on in the past month i
took the 4×4 method i got a lot of great
uh feedback on that
and i’ve pared it down tailored it
to be a start to finish
methodology of mapping so
calling it flow engineering there’s a
free ebook
at that link i’ll get i’ll get a link
posted in the chat
but if you’re looking for ways of
visualizing your workflow with your team
having really good discussions about
what your current state is and where
you’re going um
that’s what this book’s all about so i
would love for you to check it out
toss me some feedback in slack or by
email
if you can if you have thoughts and uh
i would really appreciate it but i think
everyone will find it pretty valuable
this is basically what i’ve been
working on all last year condensed into
a
pretty quick ebook with that
we are going to get to baruch’s talk
uh on security but first i want to toss
to
ari and let him introduce jfrog
as our sponsor our wonderful and loyal
sponsor of devops toronto
take it away ari all right great i
appreciate it hey can i uh share my
screen really quick
you absolutely can you should be you
have to do that i will
stop myself okay cool
and if i can
hold on i always lose this button there
we go
take it away easy one to lose
hi everybody i’m ari waller with jfrog
and i appreciate steve allowing me to
make an announcement about our upcoming
global
devops conference swamp up 2021. can
everyone see
uh the slide i have up yep
um besides this uh besides a sample
of amazing speakers from many of the
companies you would expect to see at a
global devops conference
we’re also going to have a pretty cool
executive panel as well with ceos from
hashicorp pagerduty
as i’m sure you all know him he’ll be
there and of course our very own ceo
shalom hym from
jprod so we’re really really excited
about that i’m also excited about the
fact that jfrog will want you to go for
free
um it is a free um day
at the conference on may the 26th
however uh there is a sec third day of
the conference may 27th which
has a price tag of 49
but not for people in this meetup i’m
going to drop in the
i’m going to drop in the slack um a link
which will get you
into our meet up excuse me to the debt
mops conference for
a two-day pass absolutely free um
now i’ll drop that so you don’t have to
worry about scanning the qr code or
anything like that
last but not least baruch is going to
mention a raffle in his talk tonight
baroque has a show notes page that he
likes to refer people to
it’ll eventually have the video um
that’s on youtube
we’ll put a link to that in there as
well as the slides but i also wanted to
show you that today
jfrog is going to be raffling a oculus
quest
if you haven’t tried one of these these
aren’t a true game changer
um in the virtual reality world i
never got into virtual reality but this
totally changed it all for me
and what i will do is drop that link for
you in just a moment
we do not do live drawings unfortunately
because of corporate compliance
however we do pick randomly within two
business days
i will contact that person by email and
then we will share the winner with the
entire community
so we can all rejoice with you so
without any further ado
i’m back to you steve or maybe
i am signing up for that one that’s uh
i love the oculus quest i got the chance
to try one out once and uh
it’s been on my list of like if i ever
if i ever have reason to spoil myself
that’s uh that’s gonna be a major
purchase or you can just
win the one or is waffling we
we will see i think i’ve exhausted all
my luck associated with the meet up so
far but
you never know you never know uh yeah
with that
i’m not going to throw back to my deck
because basically
oh wait so really quickly let me just
toss one more thing up
and then i will hand off to baroque so
um just letting everybody know that
next month we have karen talking about
appsec tools
so we’re going to keep security rolling
for
a little while um and
look at this from a different angle so
um talking about application security
and um runtime observability so a
different angle from
what baroque’s going to be focused on
but
we’re looking at we’re looking at
security again from a different angle
next month so
join us rsvp uh the meetup link will be
posted
immediately after this in slack and uh
and you’ll get a heads up over
um over email as well so
with that i’m going to stop my share i’m
going to hand off to brooke and let him
take it right here we go um
so we have kind of an internal
competition
who brings more people to swamp up you
just from ari you just got a glimpse of
why he is in front with a huge lead on
everybody else
this is how this is how he does it um
yeah no but i worked on the on the
agenda on the program
uh it’s it’s really amazing i mean
attending this conference and and for
free of all things
is definitely something that you should
consider
um let’s talk about let’s talk about
security and
and in general and depths of cops in
uh in particular so um i don’t know if
you remembered
a year ago i’ve been here in a very meet
up
speaking about alex alex then went
through
a transformation of a company to devops
and did a lot of amazing things and
deservingly they became the chief
information
officer of this company and now
alex faces a bunch new
a bunch of new challenges some of them
around personal and
information production jdpr and such
uh just caring for a personal record
of their customers and the end users
and some of them are around physical
security
um that’s a very nice incident that
happened
a couple of months ago uh with the
company that provides those
lockers like you know like amazon
lockers
that were hacked and just opened
all of them remotely all across the
country
that was an interesting hack which is
obviously
um dangerous and then more traditional
things like you know the good
all the hacks and zero days exploits
and i don’t know if you heard the news
um i think yesterday or the day before
yesterday
and there was a discovery of a new
speculative exploit kind of uh
meltdown inspector but even more
dangerous
working on an even lower level of intel
and
imd processors and it it never ends and
it never ends in in this
cycle of you need to know that you are
hacked
and then you need to make sure that you
fix the problem as soon as possible
and then you need to make sure that you
deploy the fix
as soon as possible today we are going
to talk about all three of them
but if we’re going back to devops real
quick because it is a devops
meetup in the end of the day we need to
remember that
our drive to do devops better
to become those elite performers by the
scale of state-of-the-art support
accelerate metrics
or any others is in the end of the day
an evolutionary pressure
we are doing it not because devops is
sexy or because we can get more money
well which is true but first
and more in and foremost we do it
to nail this deployment part
as soon as possible this is one of the
things that is important for us
it makes us more secure so in the end of
the day
our alex they although they came from a
devops background
and alex now understands that they need
a professional that knows
everything about uh security and this
professional has a name
chief information security officer or
siso for short
in order to hire cso alex needs to
understand
what ciso is and
what they do so they embark
on a journey of learning what chief
information security does
starting with wikipedia in which they
discover
that there is a thing called cisp
cisp is a certified information security
professional
certification that requires a lot of
reading like a lot a lot
and this is just the tests there is a
lot of other materials for example
cso desk reference guide this is what
chief information security does and this
is also
a lot of books and alex discovered funny
terms
like pasta and stride and trike
for some reason all those are actually
thread models
and i listed three but here
natalia claims that there are 20 and
maybe there are 50
who knows the most interesting discovery
and this is something that
is very useful for all of us as well is
that
chief information security officers come
in two flavors
there are the engineers that went
to specialize in security and made
their way to the top to the chief
information security officer
and then there are the compliance
bureaucrats
that made all their way to become a
chief information security officer
the dynamics of us engineers
working with them is completely
different
the way we approach our
our comrades engineers is completely
different
than the way that we approach
bureaucrats that
are there to enforce compliance and this
is something that we always need to
remember
when we are going to interact with
security people in our organization
we need to think what background they
come from
and this will dictate how do we approach
them
now the role of chief information
security officer
is very diverse there are a lot of
things that
through um c so takes care of
uh being for example a business advisor
advisor to the ceo but also
a training in higher security staff
and embed security information and et
cetera et cetera and what’s not
actually if we look at the uh
the cis exam it clearly identifies the
areas
that information modern information
security
is built upon you can see here stuff
like
chapters about asset security asset
security
it’s how do we protect our passwords
or software development security
software development security is
we remember to escape
all the query parameters in our
sql queries and security assessment and
testing
this is what we do to check that we do
everything correctly
communication and network security this
will be
our um certificates the
our https and everything else
and security engineering this
is your uh security secure pipelines
and integration with security tools that
will verify
your um your software and then and
identity and access management
everything from
the badges or or the
the tags that people will use to enter
the building
and um all the way to the locks that
that you have on various things security
operations
this is your um on call
security on call and then security and
uh risk management this is a general
assessment of
threats of threats and
understanding of what is more important
to invest money to protect money and
time to protect
so in the end of the day when you look
at that
and obviously there are weights to each
and every part
that are in the exam that we want to
believe that represent
those weights of those aspects in real
world and
um you know as as engineers
and and people who come from the
engineering background
we realize that there are only a couple
of aspects which kind of relate to us
directly the software development
security
which is as i mentioned how do we write
code and
the security engineering which is
basically how do we write pipelines
only 22 of this entire thing
is something that we understand and
something that we can relate
everything else requires other
professionals
and by now i hope when you hear
other professionals this is what you see
we’re talking about a different silo
we’re talking about people
who live in their own world who have
their own metrics who have their own
challenges
and their own goals that not necessarily
uh know how to work with us and
i bet this is your experience with
security organizations in many
many companies security is another silo
now we know how to break silos and
obviously the answer is devops the
problem is
that there is
a very big difference even if the
understanding
of brick and silos exist between
people who just say hey we want to break
silos and
actually the way to do it so this is
what we’re going to talk about
today my name is barak sadogurski i’m
the chief sticker officer
and also the head of devops advocacy
with jeffrog
and the stickers part unfortunately is
on hold now
hopefully next time it will be in person
i’ll come
and spread beautiful stickers all around
for now the important part of this
of my business card is my twitter handle
i’m there at j barrow
come and a talk to me the most important
slide
of this talk is this you go to
jefferson’s show notes
you will find there are the slides the
videos soon enough
um a place to comment to rate and
the raffle that um ari mentioned the
the oculus uh vr you go to jeffrey with
those comments the show notes you will
see it first entry
you can go there and participate in the
ruffle and
the beauty of it that you don’t need to
remember it it’s on the bottom of every
slide
as my twitter handle in case you um will
decide that i’m worthy
you’re following later down the road um
anyway see so does
everything really kind of
knows everything about everything
security this
looks very very familiar because
actually what
we’ve been shown there this many many
hands
is actually those t-shaped people that
we
are so um proud about in in devops
this is a person that knows everything
about everything but also has the
speciality and their speciality is
security
now uh how
do we learn about those people
one of the frameworks that we can
um that we can go and embrace is
looking at their what motivates them
and what motivates them if you look at
the literature like the drivable daniel
pink
will be autonomy mastering purpose there
is
also fears from taking silos down
and adopting devops and we can talk
about
how all those
manifest in security people for example
what is the autonomy of security people
well obviously they don’t want to be
battlenecks
they want to be productive they want to
be able to prevent
security incidents all by themselves
without
need of anyone else what is the mastery
of security people
well the uh the the sip exam give
us an idea they want to learn about all
this stuff that helps
us to get uh to get our organization
more secure
and what is their purpose in the end of
the day is having better security
for less money what is their fear
especially when it comes
to devops well obviously if we move
faster they feel that they are losing
control
if they cannot stop the world to um
to do their security audit they feel
that the software
is flying by insecure to production
and they feel in jeopardy right so this
is more or less
what where they stand and obviously as i
mentioned you need to remember
are we talking about engineers who came
through security
or bureaucrats who came through to
security
and they have obviously a little bit
different
incentives and different motivators to
each and every one of those
sections but in the end of the day if we
take the basic scenario of reactive
security
is going back to this identify fix
and um and deploy and for that
they actually need to know all that as
we already spoke
and the the thing about those people
is that yes we think that they
are the protectors of the realm
everything
but in the end of the day those people
are in a great personal risk
that is tied with the risk of the
company
being breached it’s the reputation
they will be unemployable after that
it’s financial
they will be fired but also
the company risks are the same
reputation
financial personal data availability
in the end of the day the ransomware
that you know blocks everywhere
affects the availability um and and
compliance
they need to be in compliance in order
to be able
to conduct business like pci dss and
what’s not
and and the problem here is that
there are tons of ways
to get hacked the cyber attack
is very very diverse right it can be
identity theft milo malware and viruses
and ransomware and phishing
and weak password and and spyware and
what’s not
and it doesn’t matter how much you
invest in all of them
in the end of the day the contractor
that wipes the floor in
your server room has
full access to everything and they
weren’t
vetted they were just you know just
hired of the street by your contractor
employee that you
barely know so it’s
for for whoever plays defense
has to have a perfect
defense whoever plea plays offense
only needs one successful move
so let’s talk a little bit
deeper about those aspects of
uh information security uh let’s go by
one
one by one and you know we already did
that
so also we don’t have a lot of time so
let’s just talk about
threat analysis threat analysis is fun
this is a threat model explained by
bruce wayne
and batman it’s done by
tiffany lloyd from mit and it’s a great
demonstration about
how thread model works when we talk
about thread models we need to identify
we need to identify our assets in case
of
bra of batman and bruce wayne those are
the bad cave alfred the emails
and the texts next we identify the
threats
the threats are the police who want to
know who batman
is the joker who is the villain or any
other villain
and the journalists that want the hot
gossip about
about batman then we identify
what threats possess which risks to
which asset
and we need to decide
are they low medium or high so for
example
you can see here that the police
has a very low risk for the bad cave
but moderate risk for uh
for the emails joker uh
we think that the vector of attack by
joker will be alfred
mostly but they also can try and attack
the bad cape and the journalists are
a relatively small risk but they are
threats for
the email syntax and then we identify
how do we protect a special specific
asset
for a specific thread right so for
example
for the batcave we
use a security system for alfred
we hide their location and for the
emails and the text
we use encryption so this is kind of an
example of those
three steps asset threats and protection
that are implied that are actually done
for for every
um for every threat model what you need
to remember
is that thread models are um
are different and they are very
context specific probably most of the
time
you don’t need to worry about sharks
going through your roof
but if you are in the charcado movie
you definitely you definitely should
now this is all very nice but
we kind of go full circle and we come
back
to the question of those 22 that we care
about
the security engineering and the
software development security
and those as you probably guessed are
devsecops devsicops is
about securely doing our job or writing
code
and engineering our software now frankly
i think personally the devsecops
is a marketing hype term
the reason i think that is
that the term devops should be
sufficient
as you probably know and that’s not news
for anyone
devops actually includes qa obviously
but no one bothered to stack
qa into the into the term
it doesn’t call dev qa ops and there is
no new movement
the fql ops so if dev
qa does not exist fk ops
why devsicops do the reason
is so we will pay
attention it’s a marketing trick for
us to say hey let’s see
if we didn’t forget security in our
story
now it’s exactly the same in the
embedding security
into devops is exactly the same as
embedding
development development and operations
when we realized that the developers
and the operations shouldn’t be enemies
that should work together
this is devops the same exactly the same
thing
is with devsecops right so developer and
security
not rivals anymore instead they work
together
and this is where defcicops
actually lives right the opposite
incentives
of innovation versus protection
doesn’t have to stand in the way of
productive collaboration
tearing down the silos and working
together if that sounds familiar
that’s because it is it’s exactly the
same
concept now there are obviously those
who claim
well you know you cannot
just run along and do whatever you like
you need to stop the world and assess
what is your security posture
and usually those tests are performed
just before the time we need to release
our software
and if the security people decide that
you cannot
use especially as a specific library
then
you it’s your problem and the release is
still net
next week and no one cares how
devsecops solve that well with
shift left and this is a meme for
whoever is old enough um
to to remember uh shift left
solves this problem by
taking those decisions from being
very late in the life cycle of software
and moving them left on the timeline
earlier in the lifetime of software
right
so instead of doing those checks
only during prayer release checks we can
do them
sooner during code reviews or even
sooner during continuous integration or
even sooner during
the development the development
themselves and here i’m speaking from
experience
as a jeffer platform has a component
called jeffrey x-ray
that does exactly that we shift left the
security
to uh whenever point in time you want
including the ide itself and i recommend
you
to look at those types of software
that can um that can create this change
now one of the problems is
just lack of this coordination from both
sides
from the developers and from a security
and if we want
this collaboration to succeed here are
some tips
that you can take to your security folks
and working them together to improve
first
make sure that people know
how that the security folks know how r
d works why shift left is important
why the their announcement a week before
the release
hey you cannot use this library has
devastating consequences
they might not know it especially if
they come from compliance
and not from engineering for them it’s
all like chinese
or or or magic they have no idea what’s
going on
it’s your job to make to explain to them
why they cannot
come to you a week before the release
and say hey replace the library that
everything is based upon obviously
right another one so
yeah so there is a nice book called make
work visible
that talking about how do you
explain processes and flows
to other people very very useful highly
recommended another very important
aspect is
automation when you automate everything
venerability scanning
study code analysis dependency venue
ability scanning the license compliance
everything that can be automated should
be automated
because then obviously you
improve the velocity instead
of validating each and every
release you can actually certify
the process by implementation those
automations
and then obviously you move faster
now not only that it also makes
easier for the regulators to work with
you
because maybe quan maybe not
intuitively they will prefer you have
a certified process then they have to
certify
each and every release now
the question is what can be
uh automated there are manual tasks
that have to be manual just because the
machine’s not smart enough right
you can say hey um in the end of the day
there are security
um
i forgot the world security exploration
that has to be done
in order for us to know where the uh
where the dangers are right there are
those red teams
that need to try and breach our software
and there are audits that need to happen
all those are manual works are our
manual works but
this is true but this is as true as
having
a manual qa because in in when we’re
talking about qa it’s exactly the same
right we can automate the tests but in
the end of the day
a good q engineer will find
failures even when all the tests are
are passed how did we solve it with qa
well we introduced exploratory testing
and this is testing that happens with
the development
and then the results are automated
to make sure we can validate it over and
over again for each release
it’s exactly the same here the auditors
and the red teams can do their work
during the development and then codify
their findings into the a pipeline
itself
there are also very powerful tools
that allow us to code those
findings into the pipeline
secured by desired services security
best practices using tools
that implement security built-in
today when you start in your aws service
you will have all the policies already
configured correctly
you don’t need to worry about that for
that matter
you can also codify your own best
practices
in stuff like um base docker images
right so when you extend from it
it will already be hardened protected
with all the correct monitors and
monitoring set up
with the honey pots and what’s not
so this is how you can automate or
or encode the the wisdom
of security people into your software so
not every software engineer has to know
what’s going on now you will have to
have
some engineers that know what’s going on
and those will be
your security champions and those
security champions are very important
people
that just care about security while not
being a part of the security teams
and they are important because as the
part of your empowered engineering teams
they will be those that will keep you
will keep you honest when it comes to
hey
did you implement this or that when we
are talking about security
in the end of the day it’s for all of us
to make sure
that our software is more secure and
this is how you do
with that thank you very much
i’m edjay barrow on twitter as i
mentioned jeffrey from the show notes
that’s the place to go for the slides
the video and the raffle
thank you we have i think time for
questions
awesome thanks brooke um yeah feel free
to toss questions in the chat or
uh take yourself off mute and jump in
um i’ve got one to kick us off
what in your experience is like the
hardest part of getting
getting started with any of this like
for teams where
this seems like a nice to have or
further down the road map what is the
thing that is
you find is keeping them from making
progress so this
is this is such a great question steve
thank you
uh and i don’t think anyone has
actually an answer to a question when
is not too early
to start implementing heavy security
measures
but obviously some things you do from
the beginning if you
if you are starting with uh you know
with
with uh using the sas services or
platforms
when you start on amazon obviously you
get everything inherited to you
and and configured but in the end of the
day
some point of time time for for a while
you can say
i’ll take care of it later i don’t have
any users
i’m in mvp stage
i have not a lot of users and
not a lot of people think of me and then
you go
into well i’m not very interesting for
people to actually invest in hacking me
in some point of time you need to say
hey
now it’s the time to actually review it
and and
and and take like real measures to make
sure that i am in good shape in that
and i don’t think there is a good answer
to that
and a couple of years ago we did talk
with my friend leonid goldnig
about how devops is a scale in terms
of you go from almost no process
and all the way through hey now it’s a
huge enterprise and it really needs
to have a very well defined processes
something in this somewhere on this
scale
security kicks in and and it’s hard to
say
when there are some aspects that
really easy to do from the beginning and
the others are not
it’s just something that you need to
periodically
ask yourself hey is now a good time
to um to devote time to
to to this aspect and another one here
is um another challenge here is
is people uh in the end of the day
everything in the world is devops if you
ask me
this is like if i learned anything in 11
years of devops is that
everything can be tied to devops uh
including security
uh in the end of the day it is about
collaboration
it is about uh best practices
of how to work together uh
with the sha with this same
shared goal of secure of
releasing better software faster and we
talk about better
security is a part of it so uh yeah yeah
you need to talk to people and work with
people
in order to understand when it’s the
right time
to start really care about security and
what it takes
um do you find so that scale that you’re
talking about i think
like that’s something that sounds
right to me too i think you know we’re
always
we always feel like there’s things that
are behind us that we’ve covered
that we feel okay about and then there’s
things that are ahead of us
that we’ve gotta we’ve gotta eventually
get to
is there something like a
security maturity model that you like
or some kind of resource that helps
people place themselves on that scale
and then yeah maybe have conversations
with leadership about like we’re here
and this is where you know i’d be
comfortable sleeping at night
if we could make it to this stage yeah
absolutely there are maturity models
definitely that you can assess yourself
against for security and not only that
you need to remember that
being 100 compliant to maturity
model is not the right goal to have
all the time uh and saying hey i’ll take
care of it later
um is it might well be the right answer
um so so yeah i i think
finding those
good security people that come from
engineering background and understand
what you what your world is uh would be
would be the key um
to to successful implementation in the
end of the day
you’re totally right about just enough
you know and fitting your current use
case because you can’t do everything and
every time you choose to do something
you’re choosing not to do a million
other things right so
i think that’s really great point um
mike tossed a great link in the
in the chat i think i’ve seen before
that uh
you know i like maturity models as a
reference i don’t like maturity models
as a
you know hard and fast guy yeah
absolutely
um but i think they can be helpful to to
sort of like
give people an idea of like what am i
missing right what
what are the gaps that i might not have
seen yet
what’s ahead on the horizon how
how can i think about like where i am in
the spectrum
so that’s cool um do you feel like any
of this
like is this security getting easier or
harder over time like
think back five years is this uh is this
a harder game than ever because it’s
more sophisticated or is it getting
a lot easier because of tooling and
automation and
the tide raising all boats yeah so this
is a great question i think one of the
problems with security
is about how complex it is
together with how
it’s out of our sight
and with how a smallest mistake index
are down
this combination of those three is
completely
lethal and i think the complexity
again we’re talking about now about
hacking on a microprocessing levels
of of tremendous
complex complexity that it takes to even
understand
how this hack was implemented not even
talking about you know trying to to
protect against it
yeah i think what we see a lot with
security
and you know a lot of the stories over
the past year are
definitely on the human side right i
mean we’ve seen a lot of compromises
that are
kind of back doors that get built into
foundational pieces of software but
there’s probably for each one of those
that affects everybody
like a solarwinds you’ve got probably
ten thousand examples of like someone
clicking on the wrong thing right
uh or like answering an email the wrong
way
so another point about me there is
nothing you can do
right the solar winds are so many levels
removed
from you to impact its security
but you are in the end of the day the
victim
yeah i think that’s an another great
point that that
brings something to mind to me is this
this ability of like
once something happens how quickly can
you recover right because we can’t
prevent everything so focusing on
time to restore service um
which i think goes back to your
visibility piece this is right back to
devops
this is right back to and this is a
great point
to to to make to all those who say well
we don’t need devops
we don’t need to release faster because
we don’t have
uh you know we don’t have competition
and we’re fine as we are
our quarterly release that requires
10 hours of downtime is fine with our
customers
why do why would we bother
and the answer is hey when you get
hacked
and you only know how to release once a
quarter
you will release once a quarter because
you don’t know any different
and that’s not good enough yeah patrice
patrice also had a great comment about
security’s hard because it’s hard to say
what we’ve done that has had a positive
impact right
it’s it’s hard to quantify what you’ve
avoided like the tragedies that you
could have experienced
with weaker security you don’t know you
don’t know you you can’t
justify yeah you cannot you cannot brag
with your successes because you
you can’t prove them in any way also
how do you justify how much security is
enough
right how do you know in the end of the
day it’s all goes down to
to time and money right how
much time and money you need to invest
in order to be secure
to a level which is enough right i think
that that piece that that’s that brings
to mind to me the flow framework and
flow distribution right so
this idea that you’ve you’ve got to keep
shipping features
you’ve got to keep building code but
you’ve also got to pay down technical
debt you have to make sure that bugs
aren’t accumulating you have to make
sure that you’ve
struck this balance right of risk
versus velocity right and and
quality as well and not burning out your
people
and so i think it’s always going to be
that to me is the infinite game right
it’s like
it’s never going to be perfect and
you’re always going to be
swinging the pendulum back and forth
between different extremes and different
balances
but uh i think that that’s that’s what
makes this work
so interesting
to use a positive word but also
challenging right it’s
uh that’s why we’re all here we don’t
like easy work
absolutely yep
all right
i don’t see any other questions i’ll uh
i’m gonna shut up for 10 seconds
but um if you’ve got a question toss it
in the chat
otherwise um baroque any uh
final thoughts anything that you’re
really excited about coming up
trends for the like a normal
face-to-face events coming back
i’m that’s what i’m looking for that’s
the only thing i care about
right now and i just cannot wait to meet
you
all in person hopefully steve will
invite me once again
i i will do my best performance
in person i promise
well um we would love to have you up in
toronto and i think that
this has been another wonderful um
wonderful event and we really appreciate
having you
and ari part of the meetup and and so
close to this
uh the toronto family so um hope to see
you soon hope to see all of you
soon and i hope you have a wonderful
may the 4th go watch some star wars or
star trek whatever extraterrestrial
fantasy world you prefer and
we will see you next month thank you
very much for having us
and see you soon bye
thanks everybody
thanks everyone