The Ugly Truth About Your DevSecOps Guidelines and Security Policies

A presentation at IDC IT Security Finland 2022 in September 2022 in Helsinki, Finland by Bruno Amaro Almeida

Slide 1

The Ugly Truth About Your DevSecOps Guidelines and Security Policies
Bruno Amaro Almeida, September 2022
Photo by charlesdeluvio on Unsplash

Slide 2

Hello! About me
• Head of Technology & Architecture at Fortum
• Independent Advisor / Architect Consultant
Bruno Amaro Almeida, brunoamaro.com
Reach out on: @bruno_amaro @brunoamaroalmeida

Slide 3

Fortum Digital Development
• Energy Optimization, Sustainability, Electric Mobility
• Generation, Trading and Asset Optimization
• District Heating, Recycling & Waste
• Consumer Solutions
Enterprise … … Startups

Slide 4

Policies
• Cloud Guardrails
• IAM
• Hardened Images
• …
Guidelines
• Cloud Security
• Privacy
• Open Source
• Vulnerability Management
• Incident Management
• Quality & Testing
• Enterprise Architecture
• …
Photo by Sixteen Miles Out on Unsplash
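The difference between the two buckets on this slide is enforcement: a guardrail is a policy that a machine applies before a change lands, while a guideline is a document a developer may or may not read. As an added illustration (not code from the talk, and not Fortum's tooling), here is a minimal IAM guardrail: a pre-deployment check that rejects an identity policy granting full administrator access or an unscoped privilege-escalation action. The rule list (ESCALATION_ACTIONS), the function names and the sample policies are all assumptions constructed for this example.

```python
"""Illustrative cloud guardrail: a pre-deployment check of an AWS IAM identity policy.

Added example, not code from the talk or from Fortum. The rule set below is an
assumption chosen for the demo; a real guardrail would run in CI or as an
account-level control and block the change rather than just report on it.
"""
import json

# Actions that let a principal grant itself more rights when scoped to
# Resource "*" (assumed, non-exhaustive list; lower-cased for matching).
ESCALATION_ACTIONS = {
    "iam:*",
    "iam:passrole",
    "iam:createpolicyversion",
    "iam:setdefaultpolicyversion",
    "iam:attachuserpolicy",
    "iam:attachrolepolicy",
    "iam:putuserpolicy",
    "iam:putrolepolicy",
}


def _as_list(value):
    """IAM accepts a string, a dict or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_policy(policy: dict) -> list:
    """Return one human-readable finding per Allow statement that breaches the guardrail."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid") or f"statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        wild_resource = "*" in resources
        if "NotAction" in stmt:
            # NotAction allows everything except what is listed; a prefix check cannot
            # reason about it, so hand it to a human instead of silently passing it.
            findings.append(f"{sid}: NotAction allow needs manual review")
        if "*" in actions and wild_resource:
            findings.append(f"{sid}: Action '*' on Resource '*' is full administrator access")
            continue  # no need to report escalation paths inside full admin
        escalating = sorted(a for a in actions if a in ESCALATION_ACTIONS)
        if escalating and wild_resource:
            findings.append(
                f"{sid}: {', '.join(escalating)} on Resource '*' enables privilege escalation"
            )
    return findings


def check_policy_json(text: str) -> list:
    """Convenience wrapper for a policy document stored as JSON in a repo or IaC file."""
    return check_policy(json.loads(text))


# Constructed sample policies (not taken from any real account).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Deploy",
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "iam:PassRole"],
        "Resource": "*",
    }],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeployScoped",
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "iam:PassRole"],
            "Resource": [
                "arn:aws:iam::123456789012:role/app-instance-role",
                "arn:aws:ec2:eu-north-1:123456789012:instance/*",
            ],
        },
        {"Sid": "DenyIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("passrole", PASSROLE_POLICY), ("scoped", SCOPED_POLICY)]:
        result = check_policy(policy)
        print(f"{name}: {'PASS' if not result else 'BLOCK'}")
        for finding in result:
            print("  -", finding)
```

The scoped policy passes because iam:PassRole is limited to one role ARN; the same action on Resource "*" is blocked. That is the point of a guardrail on this slide: the developer does not have to remember the guideline about scoping PassRole, the check remembers it for them.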

Slide 5

Security vs Developers
Photo by Jeremy Bezanger on Unsplash

Slide 6

Security Threat Modeling
“Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.”
source: owasp.org

Slide 7

AWS and Azure Well-Architected Framework & Review
• Consistent, Repeatable Assessment
• Identify Risks & Opportunities
• Outside perspective
New: Sustainability

Slide 8

Fortum Digital Development Handbook
Inspired by 💚 https://s-group-dev.github.io/development-guidelines/
(…)

Slide 9

Guidelines, Digital Development Handbook, Assessments, Builders Library (diagram labels: HOW, WHY, WHAT, HOW)

Slide 10

Connecting the dots with Backstage
• Tech Radar
• Digital Development Handbook
• Core IT Handbook
• Builders Library and Templates
• Metrics (e.g. DORA, SLAs, SLOs)
• …
source: backstage.io

Slide 11

Culture > Processes > Technologies

Slide 12

Thanks! Questions? Feedback?
Bruno Amaro Almeida, brunoamaro.com
Reach out on: @bruno_amaro @brunoamaroalmeida