DevOps for Security Staff

00:00

welcome back to less than 3.6. We're talk about

00:04

the security staff having a little bit of knowledge about development operations. We took the We're taking the flip side. We were to module or two lessons back, we said.

00:13

Would it help if the developers the operations, had security knowledge? Let's look at it from this other perspective.

00:20

Lesson objectives is when I can defend the need for a culture change within security so that they understand their This is this is a lot different than just running patch vulnerability scans patching things like that. It's a lot more of, ah,

00:33

integration into an existing

00:35

environment.

00:37

Explain why assessors need develops knowledge. Explain some of the certifications that may help security staff.

00:46

So cyber staff needs to understand that it's a culture change, they mentioned. They need to become part of the process they need. They need to realize that agile development can't wait weeks. For a security scan, Deron and Evaluation need to really use automation,

01:00

use more efficient processes and become part of this integration again of the Dev ops to

01:08

to

01:10

evaluate how secure the code is, but in the automated fashion

01:14

so that it helps to have a little bit of knowledge about some of the tools the integrated device development environments. Some of the terminology commit, merge, build entities. So that when Because if you want to be part of the team and interact, you're gonna have toe Gail to go the meetings,

01:30

understand? Some of the terminology understand how to talk to developers. So you guys so you're both speaking the same language and

01:36

can can meet in the middle.

01:38

You have to have a little bit ops knowledge as well. So understand deployment. What micro services mean the containers that run them a little bit of cloud architecture again. Same thing when you're talking to the operations staff, you have to be able to understand what they're saying and communicate to them in the same terminology, but also helps tohave.

01:57

The same thing for developers is to come up with

02:00

fixes that that makes sense. And if you understand a little bit of the environment and how you've worked in it, even you mean I even have to work in it. But to be able to

02:10

create common sense fixes for vulnerabilities or risk you identify,

02:16

she was a question.

02:19

It's It's the same question that I asked to modules back where we were talking about security for developers. Have you ever had problems explaining security to developers?

02:29

Same issues where he has not using same terminology? Did you not understand each other's would help if you had a security person? If you have some dev ops knowledge, it's the same thing. Thinking

02:39

previously, we asked it almost from the perspective of

02:43

With the developers, the operation over the problem may be here is maybe we me as security. People need a little bit of knowledge as well, so that weaken again, talk the same language.

02:55

And here's some of training certifications. It looks almost the same thing. Understanding, using code bashing, range, forces, other, any of these tools out there that understand really how to write secure code and so you can see

03:09

what it would it really involves. And also, when you're looking at these tools and the outputs, you want to be able to understand a little bit of coding,

03:19

so you can really again see what it means and check for false positives.

03:24

Some of certifications listed a lot of these Oh, our Web at Penn testing uh,

03:30

certifications like that,

03:32

the reason that they're their security specific. But a lot of them really give you some good understanding of applications. Web servers, the operating system, things like that. And you get a good concept of what it really takes to run an application by being able to tear it apart.

03:47

And, of course, there is the eight MPs azure, any of these cloud based certifications that are really necessary to understand the operation side

03:57

and include somebody certification requirements in the contracts. The same way we're talking about the developers. If you have,

04:03

ah, a specific contract for security staff where you're bringing on assessors, they may. You may want to request

04:11

these certifications as minimum requirements.

04:15

They talked about preparing security for development and operations to understand, get understanding a little bit about the other side of it. So when they integrate in the teams, they can they can communicate in the same terminology and understand each other.