Ernest Mueller, Lean Systems Manager at AlienVault, presented at the Austin OWASP chapter meeting this week. His talk was on Lean Security, and you can find his slide deck here.
The chapter meeting, including Ernest’s talk, was recorded. It was a good crowd!
Here are some highlights from the talk:
What is Dev-Ops and how is it different from Dev | Ops?
Previously, development and operations tended to be in silos, and development would "throw code over the wall to operations", pat themselves on the back, and figure it's their problem now. Ernest explained that DevOps breaks down that wall.
Lean security talk by @ernestmueller Austin @owasp #devops pic.twitter.com/5vNCGs33AN
— Kate Brew (@securitybrew) March 29, 2016
Lean Security Learns Lessons From Lean Manufacturing
For those familiar with lean manufacturing principles, waste is the enemy to be eliminated. The Goal, a book written in a novel format back in the 1980s, covered lean manufacturing principles and the elimination of bottlenecks and waste in a very pleasant way. Gene Kim used the same style in writing The Phoenix Project about lean DevOps.
Don’t Be “That Guy” in infosec
Ernest discussed procedural ways to implement security controls that de-personalize the topic, and make it more positively perceived in the organization. He presented the processes and methods that progressive companies use to build security into the software value chain, instead of relying on mass inspection post deployment. WhiteHat scans, while a good idea, aren't building security in from the start the way automation in the build pipeline will. For example, Netflix uses a variety of automated tools, including their Spinnaker AWS console and their Simian Army (which includes the Chaos Monkey, a tool which randomly disrupts servers) to force programmers to think proactively about security issues.
He also advocated ways for professionals to see metrics around the security of their code and the results of their hard work. He termed this a "broadcast mentality," and it appears to be helpful in driving change. Ernest pointed out in a humorous way that nobody likes their "Compliance Officer." He prefers the term the penetration tester @atdre uses, "Security Buddy."
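To make the two ideas above concrete, here is an added example of a build-pipeline security gate with a "broadcast" summary. It is illustration code written for this write-up, not code from Ernest's talk, AlienVault, or Netflix. It assumes a hypothetical scanner that emits findings as JSON records with "id", "severity" and "component" fields, and a hypothetical team-maintained list of accepted risks in which each acceptance carries an expiry date, so that an accepted finding cannot quietly become permanent. The sample findings and acceptances are constructed for the example.

```python
"""Build-pipeline security gate (added example; not from the talk or AlienVault).

Assumptions (hypothetical): the CI job's scanner writes findings as JSON records
with "id", "severity" and "component"; risk acceptances are kept in a small
mapping of finding id -> ISO expiry date that the team reviews.
"""
import json
from datetime import date

# Severity ranking used by the policy; any finding at or above FAIL_AT fails the build.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_AT = "high"

# Constructed scanner output, standing in for a real tool's JSON.
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "severity": "critical", "component": "libfoo", "title": "constructed"},
    {"id": "F-2", "severity": "medium", "component": "webapp", "title": "constructed"},
    {"id": "F-3", "severity": "high", "component": "libbar", "title": "constructed"},
    {"id": "F-4", "severity": "low", "component": "webapp", "title": "constructed"},
])

# Constructed risk acceptances: finding id -> expiry date. F-1's acceptance has lapsed.
SAMPLE_ACCEPTED = {"F-3": "2099-01-01", "F-1": "2000-01-01"}


def parse_findings(raw_json):
    """Parse scanner JSON into a list of dicts; reject records with unknown severity."""
    findings = json.loads(raw_json)
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"finding {f.get('id')!r} has unknown severity {sev!r}")
        f["severity"] = sev
    return findings


def active_acceptances(accepted, today):
    """Return the ids whose acceptance has not yet expired."""
    return {fid for fid, expiry in accepted.items() if date.fromisoformat(expiry) >= today}


def evaluate_gate(findings, accepted, today, fail_at=FAIL_AT):
    """Apply the policy. Returns (passed, sorted blocking ids, metrics dict)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    still_accepted = active_acceptances(accepted, today)
    threshold = SEVERITY_RANK[fail_at]
    counts = {sev: 0 for sev in SEVERITY_RANK}
    blocking = []
    for f in findings:
        counts[f["severity"]] += 1
        # A finding blocks the build when it meets the threshold and is not currently accepted.
        if SEVERITY_RANK[f["severity"]] >= threshold and f["id"] not in still_accepted:
            blocking.append(f["id"])
    metrics = {
        "total": len(findings),
        "by_severity": counts,
        "accepted_active": len(still_accepted & {f["id"] for f in findings}),
        "blocking": len(blocking),
    }
    return (not blocking, sorted(blocking), metrics)


def broadcast_summary(metrics, passed):
    """One-line summary suitable for a build log, chat channel or dashboard."""
    sev = metrics["by_severity"]
    status = "PASS" if passed else "FAIL"
    return (f"security-gate {status}: {metrics['total']} findings "
            f"(critical={sev['critical']} high={sev['high']} "
            f"medium={sev['medium']} low={sev['low']}), "
            f"{metrics['accepted_active']} accepted, {metrics['blocking']} blocking")


def run_gate(raw_json=SAMPLE_FINDINGS, accepted=SAMPLE_ACCEPTED, today=None):
    """Entry point a CI step would call; returns the exit code the step should use."""
    today = today or date.today()
    findings = parse_findings(raw_json)
    passed, blocking, metrics = evaluate_gate(findings, accepted, today)
    print(broadcast_summary(metrics, passed))
    if blocking:
        print("blocking findings:", ", ".join(blocking))
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(run_gate())
```

Run as a CI step, a non-zero exit code stops the pipeline before deployment, which is the "build it in" stance rather than post-deployment inspection; the one-line summary is what gets broadcast to the team so that the trend in findings, acceptances and blocks is visible to the people who can change it.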
About the Speaker
Ernest Mueller is a 20-year IT veteran who has led a variety of teams designing, building and operating SaaS and Web products for companies large and small. Frequently, that has involved innovating Agile, DevOps, and cloud transformations to meet the needs of the modern marketplace. He writes about these topics at theagileadmin.com. Ernest is also active in advocating for the Austin technologist community, and organizes events like DevOpsDays Austin and user groups like CloudAustin. As Lean Systems Manager for AlienVault, he focuses on empowering the technical teams and creating a high velocity path to deliver value to customers. Ernest resides in Austin, TX with his daughter Aoife. Find him on Twitter @ernestmueller.