00:00:20.480
Good morning! My talk this morning is called "Hell Is Frozen Over: DevOps and Security". We are going to explore how they can cooperate.
00:00:34.079
So, who am I? I'm James Turnbull. I work at Puppet Labs, and I was one of the early employees there. Before that, I was the release manager for the Puppet project and wrote a lot of the documentation, which has thankfully been improved by other contributors since. Additionally, I reported to the Chief Security Officer at a large Australian bank and ran an incident response team, for those familiar with Computer Emergency Response Teams.
00:00:45.399
My background includes about 20 years in security architecture and operations. I've authored six technical books, two of which are about Puppet. Recently, I released a book titled "The Logstash Book" about Logstash, which is an open-source logging tool. Even if you don't buy the book, I recommend looking into Logstash; it's quite excellent. If you're using something like Splunk, Logstash is a very affordable alternative.
00:01:16.080
As an Australian, I have a unique accent and a tendency to speak quite quickly. If you don't understand something I say, please don't hesitate to raise your hand and let me know. There are a few other Australians in the audience who may understand me better, but I appreciate your patience. I must also warn you that, as an Australian, I occasionally use inappropriate language in my presentations. I apologize in advance if that happens. I'm working hard to keep it under control.
00:02:04.360
Does anyone here work in operations? (pause) Okay, not a huge crowd. How about developers? (pause) I believe Jean and I are the only security people in the room, is that correct? (pause) And Josh, I guess you could claim that too; he has experience in the past. I've spent about ten years working in IT security in both small and large organizations. My last position was in a massive enterprise with approximately 50,000 employees, 6,000 IT staff, and around 300 in IT security.
00:02:37.160
I left that job to work at a startup, largely because I found the corporate environment unfulfilling. Here are a few things I disliked about the role. Firstly, security personnel often face distrust. I would visit project teams, and project managers would often hide, going to get coffee when they heard I was coming. This reaction is typical because security professionals aren’t usually seen as the bearers of good news. More often, I'm the one saying, "We just tested that code, and you should really salt those passwords because we managed to crack them all."