How do you do DevSecOps in practice? What are relevant tools and practices? Based on his work as a consultant and as a member of the advisory board that publishes the Thoughtworks Technology Radar Erik will give an overview of tools and practices that have proven themselves in real-world use. And because security is now relevant at each step of the process, the scope of the talk is broad. It includes architecture, the software supply chain, fitness functions and how to implement them in a build pipeline, as well as runtime monitoring.

Target Audience: Architects, Developers, Ops
Prerequisites: Knowledge of continuous delivery and DevOps
Level: Advanced

Extended Abstract

Closer collaboration between developers and operations people brought businesses many benefits. It is also fair to say, though, that it created new headaches. Some practices, especially continuous deployments, forced us to rethink the traditional security sandwich, with conceptual work up-front and a pen test at the end. It was easy to sneak a “Sec” into DevOps, it was reasonably obvious to call for security to be “shifted-left”, but in practice this raised even more questions.

Based on his experience working as a consultant Erik will address these quesions. He will discuss practices like container security scanning, binary attestation, and chaos engineering, alongside examples of concrete tooling supporting these practices. In addition Erik will show how the concept of fitness functions, which have become popular in evolutionary approaches architecture, can be applied in the security domain.