The Ugly Truth About Your DevSecOps Guidelines and Security Policies
Bruno Amaro Almeida, September 2022
Photo by charlesdeluvio on Unsplash

Hello! About me
• Head of Technology & Architecture at Fortum
• Independent Advisor / Architect Consultant
Bruno Amaro Almeida, brunoamaro.com
Reach out on: @bruno_amaro, @brunoamaroalmeida

Fortum Digital Development
• Energy Optimization, Sustainability, Electric Mobility
• Generation, Trading and Asset Optimization
• District Heating, Recycling & Waste
• Consumer Solutions
Enterprise … … Startups

Policies: Cloud Guardrails, IAM, Hardened Images, …
Guidelines: Cloud Security, Privacy, Open Source, Vulnerability Management, Incident Management, Quality & Testing, Enterprise Architecture, …
Photo by Sixteen Miles Out on Unsplash

Security vs Developers
Photo by Jeremy Bezanger on Unsplash

Security Threat Modeling
“Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.”
source: owasp.org

AWS and Azure Well-Architected Framework & Review
• Consistent, Repeatable Assessment
• Identify Risks & Opportunities
• Outside perspective
New: Sustainability

Fortum Digital Development Handbook
Inspired by 💚 https://s-group-dev.github.io/development-guidelines/
(…)

Guidelines, Digital Development Handbook, Assessments, Builders Library
(diagram labels: WHY, WHAT, HOW)

Connecting the dots with Backstage
• Tech Radar
• Digital Development Handbook
• Core IT Handbook
• Builders Library and Templates
• Metrics (e.g. DORA, SLAs, SLOs)
• …
source: backstage.io

Culture > Processes > Technologies

Thanks! Questions? Feedback?
Bruno Amaro Almeida, brunoamaro.com
Reach out on: @bruno_amaro, @brunoamaroalmeida