Three talks, three security conferences on three continents in ten days!
September 27, 2018
Notwithstanding the excessive time spent on a plane and having to adjust to several different time zones, I definitely had my work cut out for me during this time as I was giving three quite different talks. One I had given in May at Container Camp AU here in Melbourne about container security, but my other two talks were new and touched on some other aspects of the security work that I do here at Versent for our customers, and some research I had been undertaking in my own time.
For DevSecCon Boston my talk was “My ragequit journey: configuring Netflix tools”, and it details my “journey” of configuring three of the Netflix OSS security tools that they use internally and have released to the public. These tools are notoriously tricky to configure as they only have sparse setup instructions, as is the case with many online code repos. We are moving away from the traditional software release cycle, where a technical writer would craft detailed and precise instructions for a piece of software that would rarely need to be updated, as the software itself would rarely receive updates that would require the instructions to be updated. In the times of continuous release, such accurate and precise instructions are long gone, and although devs may make brief release notes in their Git repo, the fact is that there is usually a bit of struggle and to-ing and fro-ing to get something working now. The point I wanted to make in this talk is that even experienced professionals sometimes struggle to get things working first time, and that’s OK.
At BSides Perth, I spoke about “SecDevSecOpsSec: let’s stop playing IT buzzword bingo”. The gist of my talk was that we’re currently throwing around far too many buzzwords, without much serious thought about what they actually mean. I tackled “DevSecOps”, “SecDevOps”, “secure pipeline” and “secure toolchain”: all of which I’ve heard used interchangeably and sometimes just plain incorrectly! I want us as security professionals to start thinking about how we want to use these terms and start applying some consistency to them, because it causes confusion both internally (well, not if you ask Eddie Smith…) and with the wider security community.
The trip also allowed me to connect with a wide variety of professionals all over the world and I’m sure I’ve made some valuable connections for the future. It also let me wave the flying green “V” flag in markets and countries where we may not be as well known… yet! I’d encourage any professional – no matter where you are in your career – to submit to conference CFPs (call for papers) if you’ve done some interesting research, worked on an interesting project or just have an opinion to share. Although it can be nerve-racking, not everyone knows what you do, and knowledge sharing is the best way we can collectively advance and mature the industry.
Sarah Young is a security architect in Versent’s security practice and works with customers to design secure cloud solutions and uplift the security posture of IT environments and processes. She is an advocate of encouraging more women to take up roles in IT, and spends her free time working her way through her “hit list” of hipster brunch establishments.