marknca

Mornings With Mark no. 0003

Developer Workflow 101


Full machine-generated transcript follows

Good morning. Hope everyone is having a great day. I was off yesterday because I was in National Harbor, Maryland, at the Gartner Security and Risk Management Summit. I was there giving a talk called Security in a DevOps World. Now that talk, and a bunch of content spilling out from that talk, is going to be available on the Trend Micro channels shortly, and over the next couple of days and weeks I'm publishing a ton of stuff there.

I'll make sure to link it out on my Twitter at @marknca and add it in the comments if you're seeing this post on YouTube or other places when that goes live. What I wanted to tackle in this episode of Mornings with Mark is just a quick overview of the development process, because I think for a lot of security teams there's a bit of mystery there.

There's a bit of fog, not so much understanding of how software actually gets created or how IT projects are actually delivered. Normally security gets pulled in sort of right before a project starts, when you need security's approval, so, you know, the day before, they're like, "security is supposed to be involved early."

And then again right before it goes to production, they need security to sign off on it. But I think there's a really important lesson to be learned in understanding the development process itself, because there's been a radical shift over the last few years where the traditional method of development is shifting into a more modern approach. There's a substantial difference there, and there's a huge amount of security advantage if we're involved. A lot of the advantages are around the shortened feedback loops.

I'm going to switch over to my iPad right now. I'm going to show you a little bit of a different visual. For those of you on the podcast, I'm going to narrate this as we go so that you're not left out. This development process was essentially a waterfall, and what used to happen was that you would have software be created and then just sort of bubble down, bubble down, bubble down; this is why we called it a waterfall. At each stage there was another release or another phase of the process, and essentially you would end up with sort of a zero all the way to a 12-month cycle for a lot of folks. Over the course of this time, you know, you would gather requirements at the start of the project, and then by the end of the project, months later, you would come back to the customer and say, "Oh, hey, here's all this stuff that you had wanted months and months ago."

And of course they're like, "Well, hey, the business has changed; everything is very different by now," and it doesn't really work that well. So there's been a huge push for a thing called agile, or scrum; there are many iterations of it. Essentially what that's done is shorten those feedback loops so that people are involved early in the process and the business unit understands what they're getting, as opposed to development leaving and coming back a month later saying, "Here you go."

Now the common way to put this visually is in a cycle. So you see this kind of donut wheel, very much an infinity sign going back and forth, where people are saying, "Hey, this is how development works now." You're developing stuff in this short feedback loop on the left side; you finish that, you push it over to the right side of the infinity wheel, and that's where we get this continuous process.

You have something that we call a CI/CD pipeline, which is a continuous integration, continuous delivery pipeline, that implements this kind of flow where you're going through various development stages in quick iterations to get stuff out into the hands of your users quickly. And of course in the SaaS world, in the cloud world, they've pushed that all the way to multiple times per day, but a lot of enterprise organizations that I talk to have gotten their sprints down to somewhere between one to four weeks, depending on what makes sense for them, and even at four weeks that's significantly better than the normal 12-month cycle.

So you're getting feedback quicker, and I think that's absolutely critical. What I wanted to talk about in this video, understanding we're short on time because we keep this one-piece format pretty quick, is that there is a set of steps on each side of this wheel. So if you're looking at the dev side of things, we start with number one, planning.

So we're going to plan out what sort of feature we're going to build, then we're going to actually code it up, then we're going to test that code, then we're going to stage it. So now we've completed the left side of the wheel: we plan, we code, we test and we stage. We figure out what we want to write, we write that code, we test it and we stage it.

Once it's finished and approved in staging, then it goes over to production. This is now the right side of the infinity wheel. Here we run; we ideally detect any issues; we respond to any issues. My writing, of course, is horrible.

For those of you on the podcast, I'm saving you this. And then we mitigate any issues. So here we have the opposing wheel, and these wheels run in different ways; they run counter to each other, one runs counterclockwise, the other one runs clockwise. So we've got this sort of integrated wheel, and at each of these stages there's an opportunity for security. The problem that we've had is that by and large there's just a solid wall where security has worked almost exclusively in the production environment, right? We work on run, detect, respond, mitigate.

This is where we work; this is where we're comfortable applying security controls. We have essentially ignored the development wheel, much to our detriment, because things are significantly cheaper on this side. If we go on the development side, it's cheaper and cheaper to fix the problem. We need to shift left.

We need to move from the production side of the wheel. The idea of shifting left is moving over and applying security controls in the development stages, so in the planning, code, test and staging phases. That's really what this is about: this push for pushing security to shift left, for getting involved earlier, is about understanding this development process

and then realizing there are huge wins to be had there. That was a key point of the talk I delivered yesterday. I've got a ton more coming out, like I said, on the Trend Micro channels, and I'll echo them on my own. Hit me up at @marknca. What do you think about development as far as being a security pro? Are you used to development? For developers that are listening,

do you ever talk to your security folks, or is it just at the end of the phases, at the end of the gate? Let me know. Hit me up online at @marknca, comment down below, or as always email me at marknca. I think this is fascinating.

I think this is where we need to go from a security perspective. It's very complicated because it's a lot of people work, but it's work well worth doing, and I think we need to shift our focus, and I think we need to work hand-in-hand with developer and operations folks to make sure that all of our systems work as intended and only as intended. I hope you're set up for a fantastic day.

I will talk to you online and see you on the show tomorrow.
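The wheel Mark sketches on the iPad (plan, code, test, stage on the left; run, detect, respond, mitigate on the right) can be written down as a pipeline definition, with a security control placed in each left-side stage rather than only at the production gate. The workflow below is an added example, not the episode's or Trend Micro's code. It assumes GitHub Actions as the CI/CD system, a Python code base, a `docs/threat-model.md` file, and deploy/scan scripts under `./scripts`; those paths and scripts are hypothetical placeholders, while the `actions/checkout`, CodeQL and `dependency-review-action` steps are real public actions.

```yaml
# Added example (not from the episode): one security control per left-side
# stage of the dev/ops wheel, so findings surface where they are cheapest to
# fix. GitHub Actions is an assumption; the shape carries to any CI/CD system.
# Everything under ./scripts and docs/ is a hypothetical placeholder.
name: shift-left-pipeline

on:
  pull_request:          # "code": every change is checked before it can merge
  push:
    branches: [main]     # "stage" and "production" only run from main

permissions:
  contents: read
  security-events: write # lets CodeQL upload its findings to the repository

jobs:
  plan:
    # "plan": a threat-model note for the change must exist before anything
    # else runs; a missing file fails the pipeline in its first minute.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Require a threat-model note
        run: |
          if [ ! -f docs/threat-model.md ]; then
            echo "docs/threat-model.md is missing; add it before coding"
            exit 1
          fi

  code:
    # "code": static analysis and dependency review run on the pull request,
    # where a fix costs a developer minutes rather than an incident in prod.
    needs: plan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python        # assumption: the project is Python
      - uses: github/codeql-action/analyze@v3
      - uses: actions/dependency-review-action@v4
        if: github.event_name == 'pull_request'
        with:
          fail-on-severity: high   # block new high/critical vulnerable deps

  test:
    # "test": security-focused tests (authz negative cases, input handling)
    # live in the same suite as functional tests and block the same way.
    needs: code
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest tests/   # hypothetical test layout

  stage:
    # "stage": deploy to a staging environment and scan the running app.
    # Reached only on main, after every earlier gate has passed.
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh staging          # hypothetical deploy script
      - run: ./scripts/dast.sh "$STAGING_URL"     # hypothetical dynamic scan
        env:
          STAGING_URL: ${{ vars.STAGING_URL }}

  production:
    # Right side of the wheel: run. The "production" environment is assumed
    # to have required reviewers configured, so the sign-off is an explicit,
    # recorded gate instead of a day-before conversation.
    needs: stage
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh production       # hypothetical deploy script
```

The point of the layout is the `needs:` chain: each stage can only start once the previous stage's checks have passed, so a finding in planning or code review stops the change long before it reaches the run/detect/respond/mitigate side that security teams traditionally own.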