Talk given by Phil Parker (Partner at Equal Experts) at ExpertTalks Berlin, 14th June 2018.
Running a build server does not mean you are *doing* Continuous Delivery.
An OWASP Top 10 poster on the wall does not mean you are *doing* Information Security.
This talk explores what the really important factors of Continuous Delivery are, does the same for Information Security, and then focusses in on how the two intersect and interact.
Developers, testers, ops (and anyone else working on tech teams) will learn why Continuous Delivery is actually MORE secure than the alternatives.
11. How do we get Continuous Delivery?
- a close, collaborative working relationship between everyone involved in delivery
- extensive automation of all possible parts of the delivery process
13. (Information) Security
“defence of computers and servers, mobile devices, electronic systems, networks and data from malicious attacks”
“preventing unauthorized access to computers, networks and data”
“protection of systems, networks and data in cyberspace”
14. “You can't defend. You can't prevent. The only thing you can do is detect and respond.”
- Bruce Schneier
15. Information Security
Managing the risk of unauthorised impacts to the confidentiality, integrity or availability of systems and data.
28. “… we move too fast for there to be time for reviews by the security team beforehand. That needs automation, and it needs to be integrated into your process. Each and every piece should get security integrated into it … before and after being deployed.”
- Werner Vogels
35. How do we get Continuous Delivery?
- a close, collaborative working relationship between everyone involved in delivery
- extensive automation of all possible parts of the delivery process
36. “Security is everyone’s job now, not just the security team’s. With continuous integration and continuous deployment, all developers have to be security engineers, we move too fast for there to be time for reviews by the security team beforehand. ...”
- Werner Vogels
37. EE Secure Delivery Playbook Principles
Security should be:
1. Collaborative
2. Continuous
3. Contextual