Introduction:
Recently, I had the opportunity to attend an OWASP London event featuring Tanya Janca, who presented a talk on DevSecOps Worst Practices. Her approach, focusing on what not to do, was a refreshing angle in a field often saturated with best practices. The event, streamed live, allowed a global audience to connect, creating a diverse and engaging learning environment.
Embracing the Unconventional Approach:
Tanya's focus on worst practices was enlightening. While there's an abundance of materials on the "right" way to do things in DevSecOps, her approach made me ponder: Do we really need to follow every best practice to avoid catastrophic mistakes? Sometimes, knowing what to avoid is equally, if not more, important.
The False Positives Dilemma:
Janca's discussion about the chaos caused by false positives in security tools was an eye-opener. It was a stark reminder that avoiding fundamental errors can sometimes be more impactful than adhering to a multitude of best practices.
The Untested Tools Trap:
The emphasis on the risk of integrating untested tools in CI/CD pipelines was a critical reminder of the basics often overlooked in the race to implement the latest technologies.
The Artificial Gates Issue:
Her insights on artificial gates opened my eyes to subtle, unintentional bottlenecks in DevSecOps. Janca's suggestions for genuine security measures over obstructive practices resonated deeply with me.
The Missing Test Results Problem:
Janca criticized the common oversight of inaccessible test results. It reinforced my belief in the importance of direct and transparent communication in our projects.
The Runaway Tests:
Her take on optimizing test durations to avoid monopolizing resources was a reminder of the balance between thorough testing and efficient development.
Unrealistic Service Level Agreements (SLAs):
This part of the talk made me reflect on our own SLAs. Janca's advice on realistic goal setting underscored the value of practicality over idealism in DevSecOps.
The Importance of Training:
The emphasis on training resonated with me, highlighting that skilled and knowledgeable teams are essential for successful DevSecOps implementation.
Addressing Forgotten Bugs:
The discussion on longstanding bugs reminded me of past challenges and the importance of regularly revisiting these vulnerabilities.
Conclusion:
Tanya Janca's focus on worst practices at the OWASP London event was not only enlightening but also a crucial reminder. Understanding what not to do in DevSecOps is as vital as knowing what to do. This approach, combined with the event's interactive and inclusive format, made for an incredibly valuable experience. For those interested in experiencing the talk firsthand, you can watch it on YouTube here:
To learn more about OWASP London and their events, visit their Meetup page. Their community offers a wealth of knowledge and networking opportunities for anyone interested in cybersecurity.