by Gene Kim on
This is an interview that @myownroom did with Nick Galbreath ([@ngalbreath](http://twitter.com/ngalbreath)).
He is the director of engineering at Etsy, managing a group of engineers in charge of information security (authentication, fraud).
Video will be posted on the IT Revolution blog, but in the meantime: http://m.youtube.com/watch?v=r53ErYe9Uhs
He did a talk at DevOpsDays Austin on DevOpsSec: applying DevOps principles to infosec (lots in common w/@wickett)
Underlying principle: trust but verify (works on authentication, fraud, monitoring, compliance)
"Get used to constant probing; automatically correlate login failures to IP addresses"
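The login-failure correlation Galbreath describes, as an added example that is not code from the interview or from Etsy: it groups failed logins by source IP over a sliding time window and flags IPs that hit a threshold, reporting how many distinct usernames were tried. The log format and the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2013-05-03T10:00:01 FAIL user=alice ip=203.0.113.7
2013-05-03T10:00:03 FAIL user=bob ip=203.0.113.7
2013-05-03T10:00:04 OK   user=carol ip=198.51.100.2
2013-05-03T10:00:06 FAIL user=carol ip=203.0.113.7
2013-05-03T10:00:09 FAIL user=dave ip=203.0.113.7
2013-05-03T10:00:10 FAIL user=erin ip=203.0.113.7
2013-05-03T10:00:20 FAIL user=alice ip=198.51.100.2
2013-05-03T10:09:00 FAIL user=frank ip=203.0.113.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def probing_ips(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (failure_count, distinct_users)} for every source IP whose
    failed logins within any `window` reach `threshold`.

    Many distinct usernames failing from one IP in a short span is the
    signature of password guessing or credential stuffing; a single user
    failing a few times is usually just a typo."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)] in log order
    for line in log_text.splitlines():
        ts, result, user, ip = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        start = 0
        for end in range(len(events)):
            # Advance `start` until events[start..end] all fall inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in events[start:end + 1]}
                flagged[ip] = (count, len(users))
                break  # first window that trips the threshold is enough
    return flagged
```

On the sample log, 203.0.113.7 is flagged with five failures against five different usernames inside ten seconds, while the two failures from 198.51.100.2 are not.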
"goal: make things visible, help train Dev on infosec, so infosec not only people who have to say 'no'"
"trust but verify: people, machines, processes, continuous integration, metrics like MTTR"
"more threats: phishing attacks on Etsy staff (corporate & home systems)"
"fast DevOps deployment cadences helps infosec, too"
"undergrad CS degrees focused only on dev; missing all the ops & infosec aspects"
"message to Dev: there are only 2 types of code: code in prod & code not in prod; it's not an abstraction"
"my vision of DevOps in 2-3 yrs? DevOps disappears, b/c it's standard practice"
"right now, #devops has such a huge emphasis on tools; tools not the goal, though. it's a means to an end"
(BTW, can't wait to see his talk: obviously amazing synthesis of #devops & #infosec) cc @mortman/@joshcorman/@wickett
"DevOps movement borrows heavily from kanban, Toyota mfg metaphors, etc. Loved book Toyota Way (by Jeffrey Liker)"
(PS: Jeffrey Liker was one of first Shingo Prize winners; DevOpsCookbook coauthor @mikeorzenleanit latest winner)
"Our post-mortem process: blameless, any interested party, create timeline, how detected, publish countermeasure"
Look for twitter status: posted ustream video link