In this episode, we chat with Shane Castle, ObjectSharp's Cloud Practice Lead, and Ahmad Harb, Senior Cloud Consultant with ObjectSharp, about the changing role of security with cloud-native and serverless architectures. Shane and Ahmad help us unpack the "buzzword" of DevSecOps, think about the role of security in modern software development, introduce us to tooling in Azure Security Center, and give us practical advice and guidance on how to get started with security driven development right now.

Minutes

• 00:30 - Introduction to today’s show on Azure DevOps with guests Dave Lloyd and Martin Woodward
• 3:15- Shane Castle, ObjectSharp Cloud Practice Lead - and Ahmad Harb, Senior Cloud Consultant - introduce themselves.
• 4:40 - Jeff asks Ahmad to discuss what “DevSecOps” is and why it's such a popular buzzword these days
• 5:00 - Ahmad Harb talks about how DevSecOps up-fronts security to the considerations around building applications so it’s less of an afterthought in the software development lifecycle
• 6:16 - Jeff asks Ahmad why the notion of “DevSecOps” is such a strong focus today vs 5 years ago
• 6:40- Ahmad talks about the importance of privacy post-GDPR, and the importance of security for privacy - can’t have privacy without security. Data breaches are increasingly an issue. You have to bake security into your process at the start.
• 7:45 - Nick asks Shane to talk about what DevSecOps means in terms of the when and how security gets done, within the narrative of increasing devops and declining traditional infrastructure IT.
• 8:30 - Shane talks about how the cloud re-wrote traditional means of software architecture. Cloud architecture is radically different - for example, with service mesh. Dev teams and ops teams are collaborating more, but security was traditionally an afterthought. The requirements of cloud software architecture today require security being part of the conversation much earlier in the conversation.
• 11:11 - Shane talks about software development as a continuous loop, not something that has a beginning and end. And DevSecOps as the next evolution of “continuous security”.
• 11:40 - Nick asks Ahmad and Shane to talk about the practical real world experience and what benefits teams are having with a more DevSecOps approach to application architecture, development and deployment.
• 12:20 - Ahmad talks about how the cloud gives companies a great advantage in terms of improving velocity, but also enabling tools like password managers, key vault, etc. The tools that are being enabled by cloud providers is making it possible to build devsecops into your process.
• 13:40 - Shane talks about the importance of encryption and also new tools for governance of applications and management of policies, a more proactive approach to security.
• 14:30 - Jeff asks Shane and Ahmad to talk more about the tools they are using, and Azure Security Center specifically.
• 16:00 - Shane talks about Azure Security Center. He talks also about Azure Policies and Azure Compliance Manager.
• 18:00 - Ahmad talks about Azure Security Center, with some real world examples of how he’s using it to improve application security with clients.
• 20:50 - Jeff asks Ahmad about “the score” in Azure Security Center.
• 21:30 - Jeff and Shane talk about how new these tools are, and how fast new tooling is emerging. Shane advises companies to know their score as a starting point, so they can get a baseline, and then work on remediation items from there. Shane talks about the daily scanning done by Microsoft’s teams for Azure, and tools for ongoing security monitoring across clouds, not just Azure.
• 24:00 - Nick talks about the difference between cloud security vs application security, and how the score / Azure Security Center allows for cross-team collaboration on managing risk.
• 25:00 - Shane talks about continuously running PCI, SOC 1, SOC II controls and reports - how those tools make audit and collaboration around security much easier.
• 27:00 - Nick asks Shane and Ahmad to talk about what companies should do as first steps to get started with a more devsecops approach to building and deploying software with Azure Security Center.
• 31:30 - Shane talks about the importance of dev teams inviting someone from security to be present during architectural discussions, facilitating security driven development.