We exhibited at DTX 2022

The Team at our stand, ready to meet and greet!


We exhibited for the first time, choosing Manchester DTX as our first ever trade event.

Daniel also spoke on the DevOps stage, giving a fantastic talk on DevSecOps.



After the fantastic response to Daniel's DevSecOps talk at DTX Europe 2021 (read more on that here), we decided to exhibit for the first time at DTX Manchester. Daniel also returned to the podium and delivered a follow-up presentation on DevSecOps and the technical approaches to introducing security into the development flow.

This time round, we were keen to engage with the community and hear about their current challenges, and we were not disappointed. We spoke with businesses that had just started out on their DevOps journeys and others that were well along the road and already realising the benefits. Each organisation had its own unique challenges across both DevOps and DevSecOps, such as being constrained to an on-premises architecture or trying to apply DevOps principles to machine learning and AI-centric development.

We had some recurring questions on our stand, so let's answer some of them here:

  • We want to implement security, but where do we start?
    We have helped businesses of all sizes integrate security tooling into their pipelines and processes, and there is no set order in which to implement the various approaches to identifying and mitigating risk. As with conventional InfoSec, a pragmatic, risk-based approach should be taken.

    As organisations move their workloads to the cloud, we are seeing a huge increase in the number of API keys being leaked, either committed to the application's source code repository or embedded in the shipped application itself. These keys are then abused to attack the application, steal data or provision cryptocurrency miners in the victim's cloud account. Detecting these keys can be quite trivial (most cloud providers use recognisable key prefixes, and tokens that don't can often be caught by an entropy check), so it is certainly one of the easier security gates to implement. It also triggers great discussions around secret management, the need to rotate keys and what we need to do when a secret gets out. Bear in mind that a key committed to git stays in the history even after the offending line is removed, so the only real fix for a leaked key is to revoke and rotate it.

  • We use XXX for source control and YYY for our services, where do we start doing DevOps?
    We love to hear of organisations setting out on their DevOps journeys, but no two are ever alike. The whole purpose of the DevOps movement is to enable and increase the delivery of value to the business and your customers, but all too often we see DevOps become all about a migration to new deployment models and technology.

    There are so many factors that should influence how you automate, and which technology can and should help you get to where you want to be. We always advocate starting small. Choose those business processes that are begging to be automated and that can immediately reduce human error, improve the day-to-day lives of your developers and bring value to the business. Don't start by overhauling your entire deployment process; it may be better to standardise and automate functional testing first, to build confidence in the product and enable bolder changes to the codebase.

  • How do you automate penetration testing?
    This is a very leading question. We don't want to displace penetration testing from the SDLC, as it delivers so much benefit, although a lot of this value can now be realised continuously through managed bug bounty programmes.

    Our goal is to automate as much of the penetration testing methodology as possible, ensuring that more vulnerabilities are found and that they are found at a pace that keeps up with the modern DevOps approach. There is no economical way for the traditional penetration testing approach to keep up with the DevOps goal of "10 deployments per day", so how do we ensure we manage risk without slowing down the flow of work? That is the challenge of DevSecOps.

  • How do you typically engage with customers?
    We are a consultancy, but we see ourselves as a trusted partner, providing continuous security advice and support to the organisation whilst leaning in with engineering effort as required.

    Typically this means we start with a brief discovery exercise to understand the current posture and make informed recommendations. From there we can schedule a programme of fully managed engineering work, embed security resources into your existing teams or become the trusted partner who provides the necessary advice and guidance.
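To make the first answer above concrete, here is an added example of the kind of leaked-key gate we describe: it is illustrative code written for this post, not a Punk Security product or any customer's pipeline. It combines two detection methods, known credential formats (AWS access key IDs, GitHub personal access tokens and private key headers, whose prefixes are public) and a Shannon entropy check on long quoted string literals, with an allowlist for documented placeholder values so that sample keys from vendor documentation do not block a build. The sample source file, the key `AKIAQ7X2M9ZK4PB1T6RW` and the token on the `API_TOKEN` line are constructed for this example and are not real credentials; the entropy threshold of 4.0 bits per character is an assumed tuning value.

```python
"""Minimal secret-detection gate for a CI job or pre-commit hook (example code).

Two complementary checks run over each line of input:
  1. Regexes for credential formats with recognisable prefixes.
  2. A Shannon entropy check on quoted literals of 20+ characters, which catches
     generic tokens that have no fixed format.
Matches on allowlisted placeholder values (e.g. documented example keys) are ignored.
"""
import math
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Known credential formats. AKIA/ASIA prefixes are AWS access key IDs, ghp_ is a
# classic GitHub personal access token; both prefixes are publicly documented.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Quoted literals of 20+ chars drawn from a base64/hex/identifier alphabet.
ENTROPY_CANDIDATE = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 4.0  # assumed tuning value, in bits per character

# Documented placeholder values that must not trip the gate. The AWS value below
# is the example access key ID used throughout Amazon's own documentation.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies in s."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    """Return every suspected secret in text, one Finding per distinct value per line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reported = set()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if value in ALLOWLIST or value in reported:
                    continue
                findings.append(Finding(line_no, kind, value))
                reported.add(value)
        for match in ENTROPY_CANDIDATE.finditer(line):
            value = match.group(1)
            # A value already caught by a format regex is not reported twice.
            if value in ALLOWLIST or value in reported:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_string", value))
                reported.add(value)
    return findings


# Constructed sample input: none of these values are real credentials.
SAMPLE_SOURCE = """\
# settings.py (constructed sample for this example)
AWS_ACCESS_KEY_ID = "AKIAQ7X2M9ZK4PB1T6RW"
AWS_ACCESS_KEY_ID_DOCS = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "q8Zm3Lk9Xv2Bn7Hd4Tf6Wp1Yc5Gs0JrE"
LOG_FORMAT = "configuration_value_name"
-----BEGIN RSA PRIVATE KEY-----
"""


def main(paths: List[str]) -> int:
    """Scan the given files (or the sample when none are given); non-zero exit fails the build."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE_SOURCE)]
    total = 0
    for name, text in sources:
        for f in scan_text(text):
            print(f"{name}:{f.line_no}: {f.kind}: {f.value[:8]}...")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run against the sample, the gate reports the constructed AWS key on line 2, the high-entropy token on line 4 and the private key header on line 6, while the documented example key on line 3 and the ordinary identifier on line 5 pass. Wiring `python scan.py $(git diff --cached --name-only)` into a pre-commit hook, or running it over the checkout in CI, turns this into the gate described above; the allowlist and threshold are where the false-positive tuning lives.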

For more information, email us at [email protected] or call us on 0161 660 3545

Author

Simon Gurney

- CTO -

Simon is one of the Punk Security Directors and has over 17 years' experience working within IT, primarily focused on automation and InfoSec.
