Archive 6 min read

Document, Automate, Repeat

If you're working by hand, you're failing. In today's world of security, rapid delivery, and new technologies, automation is critical.

Document, Automate, Repeat

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Good morning, everybody. How are you doing today? I wanted to talk to you about a blog post that went up on the AC MS Q magazine. Um It's by Thomas Limoncelli and it's called uh Manual Work is a bug. And when I read this post, I was over the moon, I think it's absolutely fantastic.

It nails some absolutely critical points and I highly recommend you read it. I will tweet it out again. I will put it in the comments below. Um But you very much uh sort of the very key of this thing was that there's no excuse anymore for not automating your processes and documenting them.

And in fact, I would go further and say that if you haven't documented your processes, they don't exist. Um And if you're not automating them, then you're a fool. Um Simply because why would you be doing this work over and over and over again? And I see this quite often, surprisingly and scarily often um with security teams, especially around incident response and recovery.

A lot of this stuff is manual. Um And a lot of the documentation is disassociated from the automation. Now, there's a key um to success here is when you are documenting and when you're automating that documentation is part of the automation and it's always going to be up to date.

In fact, there's a lot of cool little scripts and utilities that will pull formatted docs out of your scripting stuff so that you just write it once in one file and you get a nice readable version as well as an automat version. And I think that's a nice little trick but you don't even need to go there.

Just start simple by documenting out the processes that you're working on and then start automating each of these steps. Even if and this is full credit to Thomas Limoncelli here, even if that step of automating is just copying and pasting a command line interface set up from like the syntax of the command line, from your documentation into the terminal.

That's something because you can take that and put it in a batch script and sequence a bunch of these things. But also this process um also starts to identify the weak spots in your tooling. Um So a lot of us deal with a lot of um a myriad of tools.

Nobody's got one tool to rule them all. It's not lord of the rings. Um But the problem is is that a lot of these tools have different levels of um automat of program mobility. Um You can, some of them, you can script completely, some of them have full API S where you need to program against.

Some of them have robust command line interfaces. Anything that lets you control data in and out and the actions of this tool, that's a good tool, right? I've said that time and time again, you probably heard me on stage for the last few years saying, you know, modern security tooling and modern operations, tooling period needs to be able to have data in and out in a standard machine readable format and you need some way of orchestrating that and whether that's an API command line or something else, it needs to be automat programmable because you shouldn't be doing these work, this work step by step by hand.

So I'll give you an example and it's a total not security or development dev ops example. It's actually an example with this. Sure. So mornings with Mark, this is episode 80. Um I've learned a lot over 80 episodes. Um Hopefully you guys have as well.

Um I've been learning a ton about um the topics we discussed, but also about running this, how to make this effective. Um And here's the thing I try to broadcast out on Twitter around 9 a.m. every morning, you know that you're watching this. Um And then that video sits on Twitter um and Periscope as a post.

And it's a good way. The reason why I broadcast out here is I get the most engagement this way. But also, it's a way to get longer than two minutes and 20 seconds natively on Twitter, it's kind of a cool little streaming hack. But from there, I don't want to just keep this content here on Twitter.

So I want to post it to youtube. I wanna push it to linkedin. Where appropriate. I want to take the audio and make that into a podcast for those of you listening on to the podcast. Uh But that's a lot of manual work and you need an image associated with that.

You need um different formats of those images, different formats of the video of the audio. So I wrote all this out, I wrote out what I wanted to do and I put that starting out as comments. Um And then I gradually filled that out as a combination of Python and native programs.

So um I generate some of the thumbnails using a program called primitive because for the podcast and for the website, I use an SVG which is kind of cool and sort of abstract the thumbnail that I put up on youtube. Um And so the script goes through and I use FM MP to do a bunch of video editing and things like that.

But essentially what I've done is I've automated the fact that all I need to do is broadcast this to Twitter and that creates AM P video file, um MP four video file and then I also select the thumbnail from either istock where I've got a subscription or something else.

And my script takes those two things as input. So I give it, you know, the title and, and it'll figure out the number and the date and it takes the video and the image and it does all that post processing. So, what I end up with is this nice uniform format uh ready for podcasts, ready for youtube, ready for linkedin, ready for my website, Markan dot C A.

Um All of this stuff is automated. It's also documented because it's automated and I've got that nice um standard operational play. Um That's what you need to be doing in your organization. If there's something you're doing more than once and even if you do it once it's probably worth the time to document it just so that, you know, in case something happened.

Um But if it's not standardized, if it's not automated, um if you're not working down that path, you're never going to get there. And that's really the interesting thing in Limon's blog post is the way he positions it is spot on. Um It's not hard start with a github repo, open up a text file and start pushing in uh some command line or even just pseudo code of like I need to do this, I need to take this video and I need to add um you know, my overlay of mornings with Mark the episode in the title just writing it down has power because then it's visible, people can see it and move forward in security.

There's a lot of stuff we do in development in DEV ops cultures, there's a lot of stuff that we do again and again, whether you realize the first time you do it, that you're gonna do it again or it's gonna be daily activity or not. Um, the massive amount of our work is eligible to be automated.

If you're not taking advantage of that, if you're not putting consistent effort to automate, you're never gonna see the upside your competitors, your competition, your Attackers, they're all automating. Why aren't you let me know what you think hit me up uh online at Mark NC A in the comments down below as always by email at me at Mark me at Mark N dot C A.

Um What are your experiences with automating? Is there a reason why you're not? Um Have you hit particular challenges around automating um that you haven't been able to get around or do you have a great success story? Let me know, let others know. Um This is the way forward.

We have to automate everything we do in security. You need to build into a larger culture um from DEV ops and development. Um And just in general, like I've had a huge a fun because I'm a super nerd. But my workflow being automated for this show after this broadcast ends, I'm going to pick a thumbnail.

I'm going to run the script and 15 minutes later everything's done and I didn't do anything except run one command. That's hugely powerful. That frees me up. That's a simple example. There's tons of them out there. Get automating. I hope you have a great day and I'll talk to you online and on the show tomorrow.

Read next