— This is Part 4 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
For a long time, the relationship between security professionals and developers was pretty contentious and maybe even a little adversarial.
Developers would spend a bunch of time writing code before pushing it to a staging area only to have security tell them it can’t be deployed. Both parties had the best interest of their organization in mind, but there had to be a better way for them to get along.
Security expert Ty Sbano says the onset of the Continuous Integration/Continuous Delivery (CI/CD) and the DevOps revolution has changed that relationship for the better — at least in his experience.
“Security needs to be empowering the business,” Sbano said. “DevOpsSec is one of the patterns that enables the automation and the transparency to give businesses what they deserve and need. That’s the ability to quickly deliver better service to our customers.”
Sbano will be presenting “Security with the Speed of Continuous Delivery” alongside Tapabrata Pal Oct. 12 at Velocity NY, in which they’ll tackle how security fits into the CD cycle and share experiences from their time within Financial Services.
The old infosec model was to certify every piece of code before deployment, creating what Sbano calls “security gates.” Hard gates with a manual sign-off on all code are not realistic in a CI/CD cycle, but he said the dissipation of those gates is a good thing.
Sbano’s point is that if a bug ships in a software update now, it might only be exposed for a few days, or even a few hours. Previously, a security vulnerability might go unnoticed for 18 months, which is obviously a much bigger problem.
And Sbano said security through CI/CD and DevOps can strengthen the cohesiveness of the infosec and development teams.
“If we’re continuously identifying bugs through automation and manual security techniques, we can move forward quickly by addressing technical debt through the speed enabled by Continuous Delivery,” Sbano said. “Because of our partnership with development and architecture, we’re fixing bugs at a faster rate because we have the opportunity and the resources. That’s created a better partnership to achieve high-quality code. If there is ever a show-stopping vulnerability, DevOps enables us to roll back or remediate quickly. Everyone wins together.”
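One way the manual sign-off gate Sbano describes becomes an automated one: a policy check that runs in the pipeline on the scanners' own output and decides whether the build proceeds, while letting known findings be carried as documented, time-boxed technical debt rather than blocking every deploy. This is an added illustration, not code from the talk or from Capital One; the simplified SARIF-like findings, the rule identifiers, the file paths and the severity threshold are all constructed here.

```python
"""Automated security gate for a CI/CD pipeline (added illustration).

Rather than a person signing off on every build, a policy check consumes the
automated scanner output and fails the build when a finding at or above the
threshold is not covered by an unexpired, documented risk acceptance.
All findings and acceptances below are constructed sample data.
"""
import json
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output in a simplified SARIF-like shape (not real tool results).
SAMPLE_FINDINGS = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQLI-001", "properties": {"severity": "high"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
            {"ruleId": "XSS-003", "properties": {"severity": "medium"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/views.py"}}}]},
            {"ruleId": "SECRET-002", "properties": {"severity": "critical"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures.py"}}}]},
            {"ruleId": "CRYPTO-004", "properties": {"severity": "high"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "legacy/hash.py"}}}]},
        ],
    }]
})

# Constructed risk register: (ruleId, uri) -> ISO expiry date of the acceptance.
# Expired acceptances fail the gate so that technical debt cannot be parked forever.
SAMPLE_ACCEPTED_RISKS = {
    ("SECRET-002", "tests/fixtures.py"): "2030-01-01",  # test fixture, reviewed, still valid
    ("CRYPTO-004", "legacy/hash.py"): "2015-01-01",     # acceptance lapsed, must be revisited
}


@dataclass
class GateDecision:
    passed: bool
    blocking: list = field(default_factory=list)  # no acceptance on file
    accepted: list = field(default_factory=list)  # covered by a valid acceptance
    expired: list = field(default_factory=list)   # acceptance on file but lapsed


def parse_findings(sarif_text):
    """Flatten a simplified SARIF document into (ruleId, severity, uri) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            sev = res.get("properties", {}).get("severity", "low").lower()
            uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            findings.append((res["ruleId"], sev, uri))
    return findings


def evaluate_gate(findings, threshold="high", accepted_risks=None, today=None):
    """Apply the gate policy. Findings below `threshold` never block; findings at or
    above it block unless an unexpired acceptance exists for that exact (rule, file)."""
    today = today or date.today()
    accepted_risks = accepted_risks or {}
    decision = GateDecision(passed=True)
    for rule, sev, uri in findings:
        if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[threshold]:
            continue
        expiry = accepted_risks.get((rule, uri))
        if expiry is None:
            decision.blocking.append((rule, sev, uri))
        elif date.fromisoformat(expiry) < today:
            decision.expired.append((rule, sev, uri, expiry))
        else:
            decision.accepted.append((rule, sev, uri))
    decision.passed = not decision.blocking and not decision.expired
    return decision


def run_sample(today_iso="2015-10-01"):
    """Run the gate over the constructed sample data at a fixed date."""
    return evaluate_gate(parse_findings(SAMPLE_FINDINGS),
                         accepted_risks=SAMPLE_ACCEPTED_RISKS,
                         today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    d = run_sample()
    for label in ("blocking", "expired", "accepted"):
        for item in getattr(d, label):
            print(f"{label:9s} {item}")
    raise SystemExit(0 if d.passed else 1)  # non-zero exit fails the pipeline stage
```

The exit status is what the pipeline acts on; the printed detail is for the developer reading the job log. The medium-severity finding is reported but does not block, the accepted test-fixture secret passes, and the lapsed acceptance on the legacy hashing code fails the build alongside the unaccepted SQL injection finding.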
Focus on the problem, then find the tools
Even though Sbano and Pal will be sharing their experiences from Capital One and other past roles, Sbano was quick to point out that this talk won’t be specifically about the tools they used. It’s more about the ideas that got their security and development teams working in concert and efficiently deploying new software and updates.
“I’m going to be vendor agnostic,” Sbano said. “The goal is really around education. What are you going to do with static analysis? What are you going to do with that manual penetration testing? How do you wrap all that stuff together?”
Sbano also said he and Pal won’t be looking to “change anyone’s mind” on security’s role in CI/CD or persuade them to adopt their line of thinking. The main goal of the presentation is to share their experiences: What’s worked, what’s failed and what they did to pivot after failing.
Security is cool — seriously
Now that the relationship between developers and infosec is strengthening through CI/CD, Sbano said security doesn’t have to be viewed as an albatross for companies to carry.
“There are really good models and examples when it comes to training and the mindset of security in your organization,” Sbano said. “Security is becoming pretty cool. People are thinking more about it.”
Part of people thinking more about it has been the rise in security-focused talks at conferences such as Velocity, Sbano said. While the conference has historically focused on web performance and development practices, the community has embraced infosec’s role in efficient web development and innovation.
“Velocity is highly regarded,” Sbano said. “It’s my first time going a little out of the security world to speak at a conference, but a lot of people have told me that Velocity is a great place to do it, and I’m excited.”
— This is Part 3 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
“It was impossible to get regular work done because we were running around putting out fires all day.”
Does that sound familiar?
When it comes to your website, app, API, SaaS product or infrastructure, a minor problem can turn into a major crisis very quickly, and that can hurt your reputation with customers and cost you time and money.
That’s why Blackrock 3 Partners, a team made up of firefighters and technology professionals, is coming to Velocity NY to teach you the finer points of incident management.
In their tutorial, Incident Management for DevOps, Rob Schnepp, Ron Vidal and Chris Hawley will demonstrate the parallels between putting out a five-alarm fire in an apartment building and responding to a data breach.
“There’s a lot of interest in how the fire service does business because we look organized and it works,” said Schnepp. “But there’s a mystique about it because not everyone understands how organized and structured it really is.”
Blackrock 3 uses terms like “Peacetime vs. Wartime” communication and operations, “war games in production” and other phrases traditionally used by the military.
That’s not because a crashed server is equivalent to a person being seriously injured in battle, but because handling adverse conditions is a skill that can be learned, practiced and fine-tuned.
The team at Blackrock 3 stresses that software companies can create an ecosystem to respond to emergencies, minimize impact and learn from those experiences. That includes setting strategies for immediate response, practicing how to start correcting problems in the middle of the crisis and designating an “incident commander.”
In order to do that, Blackrock 3 often goes to their “war games in production” strategy with their clients, which can be surprising to some.
“There are times where we go in to work with a company and plan to break stuff on purpose,” said Vidal. “Sometimes people are taken aback by that at first, but how else can you prepare for the randomness of the world unless you really have to solve a problem under some level of pressure?”
After an incident has been controlled and resolved, Blackrock 3 puts a heavy focus on thorough after action reviews, commonly known as “post mortems.” Emergency services have a structured plan for post mortems, too, which is another practice Blackrock 3 is bringing to its partners.
“Post mortems almost always focus on the technology aspect of a problem,” said Schnepp. “They rarely evaluate the human response and how to make that better.”
Blackrock 3 suggests striving for honest, blame-free after action reviews that analyze people’s thought process and logic during a crisis and how future training can improve responses moving forward.
While people normally wouldn’t think the fire department or other emergency services have much in common with technology companies on the surface, Schnepp and Vidal said startup founders, CTOs and everyone they’ve worked with “gets it” from the beginning.
“The same management tactics people use on oil spills can work in the tech business,” said Schnepp. “It’s not a magical formula, but the results are magical.”
Check out Blackrock 3’s Book
The team’s vast experience responding to a wide range of catastrophic events not only led them to form Blackrock 3 but also to author the recently published book, Incident Management for Operations, from O’Reilly Media.