DevOps Pro Europe 2022
Our talk by David Melamed - Open Policy Agent as a Control Engine: Open Policy Agent has become a very popular project in the cloud-native ecosystem for finer-grained policy management and enforcement. OPA comes with a very convenient dev-friendly language called Rego that can be leveraged as a unified way to manage any deployment changes at scale.
In this talk, we will focus on four critical security controls that will be integrated as part of the CI/CD pipeline: static application security testing (SAST), dependency checking (SCA), infrastructure as code (IaC) scanning and dynamic application security testing (DAST). Anything from your Terraform deletes to code vulnerabilities, infrastructure misconfigurations and more can be operationalized and enforced through OPA and ArgoCD, or through other GitOps methods and CI tools like GitHub Actions. Code examples will be showcased as part of this session.
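As an added illustration of the pattern the abstract describes (not code from the talk itself), the Rego policy below gates a pipeline on two of those controls: it denies a Terraform plan that deletes any resource and denies a build with high or critical SAST findings. The input layout is an assumption: `input.plan` holds the JSON from `terraform show -json plan.out`, and `input.sast.findings` holds a constructed list of findings with `id` and `severity` fields.

```rego
# Added example, not from the talk. Assumed input shape:
#   input.plan          - Terraform plan JSON (terraform show -json plan.out)
#   input.sast.findings - [{"id": "...", "severity": "..."}, ...] (constructed)
# Evaluate with: opa eval -i input.json -d gate.rego "data.cicd.gate"
package cicd.gate

import future.keywords

default allow := false

# Addresses of resources whose planned actions include "delete".
# A replace (delete+create) is caught as well, which is usually what you want.
deleted_resources contains addr if {
	some rc in input.plan.resource_changes
	"delete" in rc.change.actions
	addr := rc.address
}

deny contains msg if {
	some addr in deleted_resources
	msg := sprintf("terraform plan deletes %v; deletions need explicit approval", [addr])
}

# Severities that block a deploy; tune per environment.
blocking_severities := {"critical", "high"}

deny contains msg if {
	some f in input.sast.findings
	lower(f.severity) in blocking_severities
	msg := sprintf("SAST finding %v (%v) must be fixed before deploy", [f.id, f.severity])
}

# The pipeline (GitHub Actions step, ArgoCD admission hook, etc.) checks `allow`
# and surfaces `deny` to the developer so the reason for the block is visible.
allow if count(deny) == 0
```

A CI step that runs `opa eval` and fails on `allow == false` turns these rules into the control gate; the `deny` messages are what the developer sees in the job log.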
Agenda
You cannot detach engineering processes and culture from the infrastructure. In this talk we will share our experience of supporting and managing serverless production environments. We will discuss the not-so-obvious ways it differs from managing other, more common modern infrastructures and the impact this has on the operations methodology. We will also discuss how it influences the developers' day-to-day work, and the lessons we learned.
Let's face it - now that we're a few years past the whole "shift left" trend, we can honestly say it has largely failed when considering security debt. Instead of solving issues earlier in the cycle, which was the premise of the "shift left" promise, we mostly shifted the problem left. To date, security has largely been a source of friction between development and security teams, and fostering a proactive security culture among developers is still the holy grail a lot of companies dream about without really managing to reach it. That's because this mindset needs a hard reset. We need to look at security completely differently. Security should not and cannot be decoupled from product quality - notably because developers are measured on code quality and velocity, not on how secure their code is. In the same way that our product's usability is a first-order engineering concern, security should be regarded in exactly the same way. In this talk, I'll share some lessons learned and a way to bridge the gap between security and engineering, by changing the way security is viewed and implemented in current processes.