How REI Built a DevSecOps Culture from the Start (DOP103)

Title

AWS re:Invent 2023 - How REI built a DevSecOps culture from the start (DOP103)

Summary

  • Clinton Herget from Snyk and Dan Ngo from REI discuss how REI transformed into a DevSecOps culture.
  • DevSecOps integrates security into the software development lifecycle itself, rather than applying it as a separate review gate after development is finished.
  • REI's journey began without a formal application security program and with a security department siloed from engineering.
  • Dan Ngo embedded with REI's platform engineering team to understand their processes and build trust.
  • The talk covers the evolution of software development, the need for modern application security, and the cultural implications of DevSecOps.
  • REI's platform engineering team, called Alpine, played a crucial role in establishing a "paved road" for developers: a standardized, supported set of build and deployment tooling that carries security controls by default, so teams that stay on it get those controls without extra effort.
  • The discussion includes tackling ownership issues, especially with legacy code and services without clear ownership.
  • Metrics like mean time to remediation are used to measure the success of the DevSecOps program.
  • The future goals include improving the update process for REI's internal software framework and maintaining a robust bug bounty program.
  • The session ends with an open Q&A and a brief promotion of Snyk's developer security platform.

Insights

  • DevSecOps requires a cultural shift, not just the adoption of new tools.
  • Embedding security personnel within development teams can build trust and improve security integration.
  • Platform teams can create standardized paths for development, reducing friction and enhancing security.
  • Ownership and attribution of code and services are critical for managing security in a DevSecOps environment.
  • Continuous feedback and integration of security tools into developers' workflows are essential for maintaining DevSecOps.
  • Measuring success in DevSecOps can be done through metrics like mean time to remediation and adherence to SLAs.
  • The ultimate goal of DevSecOps is to enable developers to innovate and deliver features securely and at scale.
  • REI's approach to DevSecOps can serve as a model for other organizations looking to integrate security into their development processes.
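The Summary and Insights above both name mean time to remediation (MTTR) and SLA adherence as the program's success metrics, and separately call out findings in code with no clear owner. The following is an added example, not code from the talk or from REI, showing how those two metrics are usually computed over a finding tracker export and why they have to be computed differently. The severity-to-SLA mapping, the finding records and the owner names are all constructed for illustration and are not REI's actual values.

```python
"""MTTR and SLA adherence over vulnerability findings (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Hypothetical remediation SLAs in days per severity. Not REI's real numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    severity: str
    owner: Optional[str]          # None models a service with no clear owner
    opened: datetime
    closed: Optional[datetime] = None

    def age(self, now: datetime) -> timedelta:
        # Open findings keep ageing against the clock; closed ones stop at close time.
        return (self.closed or now) - self.opened

    def within_sla(self, now: datetime) -> bool:
        return self.age(now) <= timedelta(days=SLA_DAYS[self.severity])


def mttr_days(findings, now: datetime) -> dict:
    """Per-severity MTTR in days.

    Only closed findings count: an open finding has no remediation time yet, and
    folding it in would make MTTR look better the longer it stays open.
    """
    out = {}
    for sev in SLA_DAYS:
        durations = [f.age(now).total_seconds() / 86400
                     for f in findings if f.severity == sev and f.closed]
        out[sev] = round(mean(durations), 1) if durations else None
    return out


def sla_adherence(findings, now: datetime) -> dict:
    """Fraction of findings currently inside their SLA, per severity and overall.

    Unlike MTTR this must include open findings: one that is open and already past
    its SLA window is a breach today, not a data point to be counted later.
    """
    out = {}
    for sev in SLA_DAYS:
        group = [f for f in findings if f.severity == sev]
        out[sev] = round(sum(f.within_sla(now) for f in group) / len(group), 3) if group else None
    out["all"] = round(sum(f.within_sla(now) for f in findings) / len(findings), 3)
    return out


def unowned_breaches(findings, now: datetime) -> list:
    """SLA breaches with nobody to route them to; these need an owner before they need a fix."""
    return sorted(f.finding_id for f in findings
                  if f.owner is None and not f.within_sla(now))


# Constructed sample export; dates chosen so every branch above is exercised.
NOW = datetime(2024, 1, 31)
FINDINGS = [
    Finding("VULN-1", "critical", "alpine", datetime(2024, 1, 1), datetime(2024, 1, 4)),
    Finding("VULN-2", "critical", None, datetime(2024, 1, 10)),          # open, past SLA, no owner
    Finding("VULN-3", "high", "checkout", datetime(2024, 1, 2), datetime(2024, 1, 20)),
    Finding("VULN-4", "high", "checkout", datetime(2023, 12, 1), datetime(2024, 1, 15)),  # closed late
    Finding("VULN-5", "medium", None, datetime(2024, 1, 20)),            # open, still inside SLA
    Finding("VULN-6", "low", "search", datetime(2024, 1, 5), datetime(2024, 1, 6)),
]

if __name__ == "__main__":
    print("MTTR (days):", mttr_days(FINDINGS, NOW))
    print("SLA adherence:", sla_adherence(FINDINGS, NOW))
    print("Unowned breaches:", unowned_breaches(FINDINGS, NOW))
```

The split matters in practice: MTTR over closed findings shows how fast teams fix what they pick up, while adherence over all findings, open ones included, shows what is slipping right now. VULN-2 illustrates the ownership point from the talk: it is the only current breach that cannot be assigned to a team, so the first remediation step is attribution, not a patch.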