DoD CIO Enterprise DevSecOps Reference Design - Summary
integration, and security testing - this is a key DevSecOps differentiator since security and functional capabilities are tested and built simultaneously. Key Measures Mean-time to production: the average Mean-time to recovery: how long it takes applications in the production stage to recover from failure. Key Principles to implementing a successful DevSecOps approach Remove bottlenecks (including human ones) Security Stack enables: correlated and centralized logs, container security, east/west traffic management, a zero-trust model, a whitelist, Role-Based Access Control (RBAC), continuous monitoring, signature-based
0 码力 | 8 pages | 3.38 MB | 5 months ago
The DevOps Handbook
testing efforts – Part 6: The Technical Practices of Integrating Information Security, Change Management, and Compliance 1. Introduction a. Goal to simultaneously achieve Information Security goals malicious binaries 4. Source code integrity and code signing – all contributors should have their own key and sign all commits to version control. All created packages should be signed and hash recorded for Pipeline a. INTEGRATE SECURITY AND COMPLIANCE INTO CHANGE APPROVAL PROCESSES i. Effective change management recognized different risks associated with different types of changes, to be handled differently
0 码力 | 9 pages | 25.13 KB | 5 months ago
A Seat at the Table - IT Leadership in the Age of Agility
guidance from management? How frequently will it engage management? I want to make sure that we have an understanding on how my input and feedback will enter into their process. What are the key risks to
0 码力 | 4 pages | 379.23 KB | 5 months ago
A Seat at the Table: IT Leadership in the Age of Agility - Part 2
has dominated the IT world because it appears to offer predictability, control, and efficiency, the key values of the contractor-control model. But it doesn’t. Requirements: Requirements are a way of controlling time through incremental investments. Managing the EA asset is an art, just as all strategic management is an art. Just as the CMO must sense market opportunities, weigh tactics for communicating with feedback from stakeholders. And my two-week and quarterly reviews give the team feedback from management. There is magic here: all of these types of feedback increase the velocity of development without
0 码力 | 7 pages | 387.61 KB | 5 months ago
The DevOps Handbook
something that isn’t moving yet, just in case it decides to make a run for it…Tracking everything is key to moving fast, but the only way to do it is to make tracking anything easy…We enable engineers to a termination iv. Examples of potentially significant events (Gartner’s GTP Security & Risk Management group) 1. Authentication/authorization decisions 2. System and data access 3. System and application well-designed and executed experiments that were designed to improve a key metric, only about one-third were successful at improving the key metric!” iii. A/B testing helps reduce zero or negative value add
0 码力 | 8 pages | 24.02 KB | 5 months ago
The Phoenix Project
interdepartmental communications, and effectively serve the other business functions at Parts Unlimited. Key Concepts The Three Ways [2] The First Way emphasizes the performance of the entire system, as opposed need to tighten up our change controls… what’s preventing us from getting there?” “That change management tool is impossible to use. There’s a million mandatory fields and most of the time, the drop down
0 码力 | 3 pages | 154.45 KB | 5 months ago
A Seat at the Table - IT Leadership in the Age of Agility
through hands-on “shipping” of product. Management for the sake of management is not respected. Get things done: The hierarchy must be flattened. Layers of management get in the way of goals. The employee employee wants the shortest possible path to shipping code without needing layers of approval. Management should be close enough to the action that they can demonstrate understanding—witnessing employees’ information, IT can lead the organization in learning and in deriving business value from good risk management and from making the most of opportunities that present themselves. Steward of Assets: senior IT
0 码力 | 7 pages | 387.48 KB | 5 months ago
Security Introduction
working off a single backlog of features, driven by vision and roadmap product and release management, release planning program psi objectives common sprint lengths - system continuous integration business epics architectural epics kanban epic system – limit WIP program portfolio management, enterprise architect value streams investment themes - provide operating budgets for release
0 码力 | 2 pages | 304.16 KB | 5 months ago
DevOps Meetup
Development Operations (Operational Waterfall) Infrastructure Ops Product Ops Product Management Every technology under the sun Solaris, Windows, Linux Apache, IIS, TCServer, etc. homogenization and assimilation – no snowflakes Deployment methodologies, automation, monitoring, and management tested continuously. Steve Barr steve.barr@csgi.com @srbarr1 Overall Quality improvements, “it”
0 码力 | 2 pages | 246.04 KB | 5 months ago
k8s Operation Manual 2.3
nodeRegistration: criSocket: /var/run/dockershim.sock name: k8s-master1 taints: - effect: NoSchedule key: node-role.kubernetes.io/master --- apiServer: timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s nodeRegistration: criSocket: /var/run/dockershim.sock name: k8s-master1 taints: - effect: NoSchedule key: node-role.kubernetes.io/master --- apiServer: timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s sha256:63b5f34842ec20db12f19f6f4ca535b03e498e95842b97b452a04f9dc94b1151 \ --control-plane --certificate-key 9b77643809b701522a61c109d42dcc1b93edcd5a2e5d0c8677942171bbc0e619 kubeadm join 10.99.1.54:6443 --token
0 码力 | 126 pages | 4.33 MB | 1 year ago