Hello everybody and welcome again to another OpenShift Commons briefing today, as we like to do on Fridays. We're going to talk about cultural, organizational, transformational topics, and security is high on everybody's list. We have with us today the director of cloud and DevSecOps strategy for the Cloud Platforms group, Kirsten Newcomer, who's going to walk us through a conversation about DevSecOps and what comes first, the tools or the culture. And you can ask questions; this is meant to be an interactive thing. So she's going to talk for a little bit. But if you have questions, please ask them in the chat. And if you want to join us in the video, I will happily turn on your faces and let you talk as well. So with that, Kirsten, take it away, introduce yourself and what you do here at Red Hat first. That's really interesting. All right, Kirsten Newcomer. And I do focus on security, in particular cloud native security, security for containers and Kubernetes. And really, from my perspective, that means security throughout the application platform stack, throughout the life cycle of the platform and the applications themselves. And DevSecOps happens to be one of my favorite topics. And it's also interesting because it generates a lot of buzz. And yet when it comes down to figuring out who is actually doing DevSecOps, what does it mean to them? There are a lot of different opinions out there. And so that's one of the reasons I'd really appreciate it if this is, I would love to have this be interactive, learn what any of you are doing in your businesses around DevOps and/or DevSecOps. So just as an introduction, right? You know, this is, I think, relatively well understood at this point that businesses need the ability to innovate faster in order to differentiate themselves. IT departments need the ability to deliver those differentiated applications faster. And in the cloud native world, right? 
That's containers, Kubernetes, microservices, but also DevOps is a key enabler for delivering and innovating more quickly. And that's across a wide variety of markets and a wide variety of application focus, right? Not just, you know, cloud native microservice-based apps, but AI and machine learning, right? And internet of things. And how do you make good use of the data, data lakes, all of these kinds of things really matter. And I'd say they matter even more with the changes the pandemic has kind of imposed on the economy, right? Everybody is doing more business in a digital fashion. And so why is DevOps a key part of delivering more quickly? Agility and innovation, by the way, agility really can't succeed in silos, right? You have infrastructure teams, you have the app platform team, you have management and automation. And of course you have the app development team who are key to all of this. And if you really want to move more quickly, you have to do that in a collaborative way, right? In a way that allows you to work together and meet everybody's different goals. And you'll see that there's a security admin here on this slide, right? As well as the sysadmin. And at the same time, the slide just says DevOps. And so when we think about DevOps, a lot of people forget that security actually was always intended to be part of a DevOps process. So if you haven't run across the term before, which I imagine is not the case with this group, right? There are three key elements that make DevOps work. I'm not going to read this slide to you. Culture is key, automation and technology. And I've talked with a lot of different folks about the which-comes-first thing, right? Do you, you know, what's most important? Do you need the tools that enable DevOps? Do you need the culture that enables DevOps? Can one come before the other? Do you need them both together? 
And I'd be interested to hear whether there are any experiences of any of you who are with us today, kind of around, you know, is DevOps working for you? And if so, you know, how did it start in your organization? And if the silence rolls on for too long, I'll just keep talking. I think the way that we could do this is if you're listening in here, all the folks who are here, if you have an opinion, just raise your hand in the chat and I can turn on your video or your voice and let you speak if you'd like to there and add that in. Or we can do the talking at the end, which might be here. So let's, yeah, we'll go for that. So the short version of DevOps, right? It's all about getting things out the door quickly to your end users and reliably. But we can't forget the security piece. And the reason I like to use the phrase DevSecOps is because it just calls it out directly. And it adds explicitly to that TL;DR that getting the things out the door, the solutions out the door securely is key. So when we think about tools and cultures, you know, one of the things we do see at times is people start adopting DevOps without necessarily making significant changes to those silos, right? And the DevOps team often becomes a part of the AppDev team, an extension of the AppDev team, rather than a real combination of AppDev, Ops, and the security teams. Apologies for the background noise. So we see at times, right, that that kind of wall between AppDev and Ops still can kind of sometimes be there when we're talking about the DevOps team. And so unfortunately that can lead to a behavior where there's an example of a single team of engineers thinking that they can solve the full organization's technology problems just by using orchestration tools, right? Just by using the CI/CD tooling. When we think about the elements that you really need to add into your CI/CD pipeline to ensure that you have got true DevSecOps, we need to start with challenges, right? 
We have an ever-changing threat landscape. It just continues to emerge. The supply chain is clearly a new element, you know, it's always been an element of the threat landscape, but it's got new prominence these days. When you're working in the public cloud, you have a shared responsibility model, but honestly, even when you're working on premises, you still have a shared responsibility model: your AppDev team, your Ops team, your security, your network team. As people move to containers and Kubernetes, we see that while security principles still apply, oftentimes the existing tools that they're used to using and the existing processes are not really effective in a cloud native environment. And then, frankly, it can be challenging to find folks with security skills. And it's very challenging to break down the silos, which is why the culture question is such an important one. So we're seeing more and more of a recognition that to secure cloud native workloads, which are frequently ephemeral, they may only run for five minutes. They may run for longer. They may run for less. If one of those instances of a cloud native workload goes down in an OpenShift or a Kube environment, Kubernetes is going to spin up a new instance from the image. So that means that you really can't rely on some of the traditional approaches to going in and having a human patch an environment when a new vulnerability is discovered. You really have to design for DevOps for your applications, but also I would say for your platform itself. We should be treating everything as code and we should be building security gates into our CI/CD process, both for our apps and for our platforms. One of my favorite examples of an organization who really took a great journey with containers to DevSecOps is this public sector company, a federal customer. 
I'm not allowed to share their name, but when you get the slides, if you click on the link, they talk about themselves and outed themselves, so you can certainly learn more. They decided as they were moving to containers and Kube and moving to public cloud that they were going to take the opportunity to see how they could improve security through the adoption of containers and take on a genuine DevSecOps model. And so they started with executive sponsorship: their chief of cyber defense, their VP of operations, their VP of application development sat down together, identified the key use cases that they wanted to address as a team and talked about how things would need to change to make that possible. So in this case, they started with the culture and with the people. They knew they were adopting new tooling. The adoption of new tooling was an opportunity to change some old patterns. One of the things that the cyber security team did was that he insisted that all of his security team members needed to understand how developers built and delivered code. And this really gave them a better understanding of each other. They had to talk to each other. That also gave the dev team an opportunity to understand what are the kinds of risks that the security team is really looking at and why. Many times, especially in larger organizations, you know, the security team has, you know, passed on a set of principles or policies, but without necessarily, you know, information about why those policies are there, and the tighter collaboration makes it much easier to have a back and forth and a genuine risk assessment rather than just a thou-shalt conversation. You know, where somebody says thou shalt and somebody else says we can't and here's why. And, you know, so having the, what's the use case we're trying to address together, help the business be successful, minimize risk, and, you know, deliver solutions faster. 
So the characteristics that help make this kind of change successful: open communication, respect, developing trust across those silos. That's key. Incentives matter too, right? People do respond to how they're measured. And so, if a developer is primarily measured on the number of lines of code they deliver, that may not be the best measurement, you know, might also want to be looking at, you know, how quickly do they respond to newly found vulnerabilities. Not so much is it vulnerability-free code, because that can be challenging; new vulnerabilities are discovered in existing code all the time. But maybe the better measurement is how quickly can the team as a whole get an update to that newly discovered vulnerability and get that code rebuilt and redeployed. Give team members responsibility, push responsibility down the chain, so that individuals feel that they can make a difference. And then finally, really have to be comfortable with experimenting and knowing that some things are going to fail, and you want to iterate to improve those failures, and patience of course is key. And then the teams who are really successful in taking on these kinds of things, this degree of change, they do that with executive sponsorship. They have good technical leadership, people who can dig into the technical challenges, and they often start with a pilot project where they are genuinely given the opportunity to try it out, to experiment, to figure out what works, to change processes when their initial thoughts don't work, identify those key tools and iterate until they feel really good about what they're doing. And then once they've gotten to a place, for example one of our customers was able to shift from delivering every three months to every three weeks with a DevSecOps process. 
Once you've got that success, give the team a chance to brag about it throughout the company so that their peers can learn from what they did too, right? You know, publicize what's happened. So when you think about, you know, some of the elements of containers and Kubernetes, right, there are some key areas to think about regarding security. So do I detect problems early in the life cycle? What does it mean to shift security left? What do I need to do in the build environment? Some of the best practices here. Start with trusted content. Make sure you use a container registry to store any content you pull down from externally. Put security gates into your build management process and into your CI/CD pipeline. Protect your application platform by managing deployment in a GitOps-like fashion. Make sure that you are treating all the configuration information about your platform as code. You're managing it in source control. You can use GitOps. You can use Argo CD. There are a number of different ways to do this. And then of course take advantage of the typical, you know, make sure you focus on the typical security things that matter. Identity and access management, protecting data at rest and data in motion, hardening the platform out of the box and managing deployments to the platform in such a way that you can be sure that you're not unintentionally letting in malicious code. And then there's no such thing as 100% security, right? So iteration for your applications and for your platform, you know, a DevSecOps model, are key. You want to protect the runtime as much as possible. You want to collect a lot of data. You want good observability about your running environment so that you can use that to notice anomalies and to respond to those. Of course you need to protect your application access and data as well. 
And in a Kubernetes environment, you want to use network micro-segmentation to isolate running workloads as well as take advantage of things built into Linux such as SELinux to mitigate or prevent runtime escapes. So I actually have kind of additional content that drills into these points. But I think, you know, we could walk through those, given that it seems like we have a lot of time. So maybe I'll go ahead and do that. Thoughts? Let me just ask a quick question too, because you've hit on a number of key things from my point of view. And one of them, you talked about doing a POC first and getting that. How do you get from, how do you coach people to get from POC to a repeatable pattern? So like they do it once, you know, is there something in the coaching that you give when you're talking with, you know, our customers and other folks about this? I think that really comes back to iterating. So, and I would use the term pilot rather than a POC. So I think it's important to pick something that is an actual project that your team needs to deliver. And so you're going to pilot this new process on something that you actually need to make available to your end users. And therefore maybe you build a little extra time into that pilot to acknowledge that you're going to have to do some iteration. You're going to be making some changes as you go. And you also need to be sure that there's executive sponsorship. But the goal is that you are going to define processes and refine those processes using an actual project. So that, you know, normally it's very unusual that you would deliver once, right? You're going to have a new version of that same app another time down the road. So, if you can do that with something that is going to be long-lived and learn from it, for one thing, there's much more motivation, right? Because it's again, think of it as a pilot rather than a POC. 
The other thing that I was thinking, and then we'll go into your other slides and people have questions, please pop them into the chat or I'll turn your microphones on. One, you talked about the technical leadership, and one of the groups that you didn't mention, but I think it was unintentional, is like the compliance and risk officers in companies. We talk about the developers and the operations and that. But getting buy-in and educating that layer of the organization has always been like, for me, one of the hardest, but best conversations to have because they're the ones that expect the audit logs and all of the paperwork that they've had before in the sign up. And if you don't bring them on board, you're kind of hooked because then they're still asking you for, you know, whatever the huge JSON file, you know, I need my JSON file and go through it line by line or something like that. That's a, yeah, that's a really good point, Diane. And I think it is challenging because in a lot of organizations, the compliance teams are responsible for understanding the standards that have to be met, and maybe they're the ones who talk with the auditors or those who certify a deployment to be compliant with a specific set of regulations, but the compliance teams generally aren't deeply technical. They usually rely on the technical expertise of the security team or sometimes the AppDev teams themselves. And I think that's a lot of what leads to kind of the frustration and the communication is that these groups aren't necessarily talking the same language. So I'd prioritize connecting in the security team first, because they often do represent compliance. And they're usually, you know, they're usually a little deeper in the technology and they're therefore better positioned to have that back and forth conversation. And then, but you are right. Ideally, you want to have that conversation with compliance. 
I guess I'd say that I think one of the best things to do. And again, I mentioned very early on that automation is a key part of DevOps. So as you're thinking about your processes and your tools, keep in mind that you do have a compliance team that needs output in a form that they can take to an auditor, whether that's RF or JSON or whatever the format is that they're expecting to get that data in. And think about and look for automated tools that can help you demonstrate that compliance in a way that reduces the effort for everybody. Yeah, I think that's it. And Chris mentioned in the chat that he could not stress how bad a pattern it is to measure folks by lines of code committed. Yes. Finding metrics for DevSecOps pilots and projects is an interesting thing, like images scanned without, you know, things, or because you also mentioned like in the past, you know, patches would be applied by humans, you know, and there would be a log file that the patch had been done. So this whole thing when you're automating security and doing security as code, which is really where we all should be migrating to if you're not there yet. But the other piece of the puzzle is like, how do you tell people that you've done it, you know, like you measure that it's done in a way that's tangible, and I know I'm hooked on the audit side of things, and auditable. And that's always been the interesting conversation that I've ended up having with people is that, yeah, developers get it, sysadmins get it. And usually we can talk the C-level people into it. And then everybody forgets to talk to the compliance and risk officers and then there comes this grinding halt like, well, you can't deploy that until I have this, you know, and that's what I'm getting at, that's a cultural shift. 
That's like including, you know, the entire and collaborating across the silos that you mentioned, and making that something that's just part and parcel of the conversations because, you know, plopping containers and images and pods and, you know, OCI stuff on to a compliance and risk officer is like, not a good thing to do. They're not going to understand it. Yeah. Yeah. And, you know, there are ways again to show them that you care about what they need to deal with. Right. I mean, and when we come back to measurements. I mean, there are two elements of measurements. There's like, how do you measure what's happening in the pipeline, which is almost the DevSec piece of things. And then how do you measure what's in the SecOps area. And so, you know, a measurement can be yes. And this actually applies to a process piece for compliance officers. Right. Yes. We run vulnerability scanners on our private registry at this interval, and I can show you dated reports demonstrating, you know, the images that were scanned. Yes, we run vulnerability scanners as part of every CI build. And I can show you the output of that, right? That's documented. And now I tend to focus on technical controls on the SecOps side of things a little bit, but it's absolutely true that compliance requires, it involves process as well. Right. So as you kind of define your processes, you want to document them. And as they change, you want to update that documentation and that can be a hard thing to do. But back to your point about auditing, because we need to audit the platform for technical controls. We need to audit our processes to ensure they're compliant. One of the really nice things about doing everything as code is that you get audit trails of who did what and when something changed. And so maybe part of what, you know, would really help the compliance team and the auditors is helping them understand how to do that audit, data both through the pipeline and the audit data that you might produce for technical controls on the platform itself, and giving them a way to kind of check it for themselves. You know, because relying on humans to do patches isn't really an auditable trail in the reality of it. I mean, we may culturally trust it more, maybe in school organizations. But it's really, you're relying on humans. Yeah, and how good we all are. Well, and more often the way an audit trail is created in that scenario, right, for a traditional architecture is I've got a change management system, something like ServiceNow. A request gets logged, an alert. You know, somebody says new vulnerability, alert gets sent, a change request gets logged saying please patch this vulnerability, and then somebody has to, you know, that gets handed off to the appropriate team and they have to schedule all of that. And then so your auditability relies on people kind of passing along this change request. In an automated CI/CD pipeline for an application or for the platform itself, right, you have processes in place. You can have automated triggers that say, hey, there's this new vulnerability discovered in one of the images you're using. I'm going to automatically pull down the latest version that has that fix and I can automatically kick off a rebuild of that application with that fixed base image. And then you might have gates around deployment. Right. You need to be sure you've tested it. You don't want to just rebuild and redeploy, but you can automate a lot of those gates. And then if it's for the platform, you can do something similar because, you know, a platform like OpenShift allows you to apply the, you know, patches in a rolling fashion across the cluster with zero app downtime for well-behaving apps. 
Now, some orgs are going to want to schedule those patches anyway, right, but you can still use automation to do that scheduling. All right. Well, then maybe we should deep dive a little bit more into some of the other aspects of this and we'll see if we can coach some other questions out of the folks that are listening. And this will go for it. All right. So, when we think about detecting problems early in the life cycle during the build process and the opportunity to shift left. And this is, I think, what many people think of when they think of DevOps and even DevSecOps, right? That this is the pipeline that we're going to move things through in order to get them into production. So, trusted sources. For containerized apps, trusted sources are critical, right? You're pulling down all your system dependencies for your custom apps that are going to be integrated with that container image. Whether that's an Alpine base image or a RHEL UBI base image, you want to be sure that you are using content that you have a trusted source for, you can verify where it came from, and ideally also that it's a source that regularly updates their content so that if a new vulnerability is discovered, you have easy access to a fix to that vulnerability and an updated base image. A private registry is key because again, even though you're pulling from external sources, even if it's a trusted one, that external source might go down. You know, it has been a couple of years now, but there was a point in time when, you know, AWS had an S3 outage that really impacted people's ability to pull from some of the external registries that store container images. So it's always good to have a local copy and it makes it easier to ensure that you do trust but verify. So you start with a trusted source, but you still run vulnerability scans in your private repo to ensure that things are okay. 
Security gates in your pipeline can and should include vulnerability scanning, but an emerging area that's really become more and more important is application config analysis. Any solution, any pod app, you know, containerized app that you're deploying to a Kube environment has a lot of config data that goes with it. And so you want to be looking for things like are there embedded secrets in the image, but you also want to be looking at what security requests are being made. What's the security context for the pod? Is the pod asking to run with extra privileges that you don't want to allow on your cluster? And all those kinds of things are things that can be done really early on so that, yeah, you've got built-in suspenders, right? You're going to prevent privileged pods from being deployed. But you don't want to find that out when you're ready to go to production; you want to find that out as early as possible so the developer can fix it. Of course, every application should be designed in a way that it can support logging and monitoring so that we have continuous observability once it's deployed. When we think about the platform itself, again, configuration and lifecycle management of the platform matters a lot. You know, we have a number of, even though OpenShift 4 itself is highly automated, supports automated operations with Kubernetes operators, we also have customers who ensure that every part of a platform deployment is managed in an automated fashion through a platform pipeline. So that again it's auditable, and they can verify that everything is deployed in the way they intended it to be deployed. And this really sets you up for, just like containerized applications, you should think of them as ephemeral and you can always be redeploying from an image. You should be able to think about your cluster that way, right? You should be able to tear down and replace your cluster at any point in time, and automation makes that possible. 
So GitOps, Argo CD, many types of ways to manage that, but definitely your platform should be treated as code as well. Host and runtime security. We're going to talk a little bit more about that. Of course identity and access management for the platform, ensuring that data at rest and data in transit is protected. So every Kube cluster, right? You've got an SDN, so you want to be sure that you are leveraging things like network policies for network isolation, network micro-segmentation, that you're managing ingress to the cluster, and effectively managing egress from any pods running on the cluster to off-cluster services, right? And in general you want your ingress to be encrypted, you want your egress to be encrypted. And you may have your off-cluster service may have a firewall in front of it in order to, you know, further ensure that only authorized applications are able to access that off-cluster service. Platform logging, monitoring, metrics, and then audit and compliance, Diane, to your point, and ideally look for tools that will help you automate audit for compliance with technical controls from regulatory frameworks, and there are many available to you, including the OpenShift Compliance Operator but many, many folks in this space. Because of the automated nature of Kubernetes, because the platform is continuously changing and nodes or servers are coming and going, automated compliance and automated audit are really key things and there are plenty of solutions out there available to you. Again, automate the life cycle, we kind of hit on this. So let's talk a little bit about managing the deployment once you've got your cluster up and running, you've got it configured the way you expect. You're all set up for managing updates to that cluster. You're monitoring for configuration change or drift on the cluster and managing that. Next, we need to be sure that as workloads are deployed to the cluster that we're managing those appropriately. 
So, ideally, you've got your own private repo where you're storing code, storing your images. You want to set up allow lists and block lists to ensure that, especially in your production environment, only images that have been approved for production can be deployed to your cluster. Again, we want to use a GitOps and/or Argo CD approach to that deployment, continuous deployment piece. You want to take advantage of Kubernetes admission controllers to ensure, ideally you found any, you know, requests for excess privileges early in the life cycle through doing app config analysis. But again, so that's your belt, you need your suspenders. So something slips through, something didn't get vetted. Use pod security policies or OpenShift security context constraints to prevent admission of pods that have privileges that you don't want to allow on your cluster. Validate image signatures. Leverage something for your apps like service mesh to add an additional layer of protection for application traffic. And of course, continuously monitor for new vulnerabilities and be prepared always to rebuild and redeploy not just your apps, but your platform as well. And again, when it comes to getting started, you know, start with a pilot. You don't have to automate everything at once either. Right. The goal is to get everything as automated as possible, but you can start with simple steps, right? Start where it's easy to automate. But be sure that all your team, you know, that you collaborate across those silos and that you get use cases across those silos and find a way to facilitate those conversations. Whether it's a Slack channel or, you know, an email alias, or these days you kind of don't have what we used to call a war room. You know, but maybe it's a Zoom session, and then find measurements that measure the positive behaviors that you're trying to reinforce. And that's it for slides. So, well, awesome. 
And that's really, I think culturally and technology, like, I tend to focus on, you know, Argo CD or kube-linter or, you know, that goes straight to the technology. So it's really nice to have a conversation about the cultural pieces of this, and culturally for security teams, this concept of experimentation and allowing for failure is probably one of the highest bars to, you know, mentally get through like that. Have you found that? Is that like the talk about iterating, but allowing someone to fail in a security scenario sounds like, you know, an oxymoron. Yeah, no, that's definitely a really valid point. I think security teams are, you know, used to trying to, again, really their job is to minimize risk. There is no such thing as zero risk, but sometimes they get this mindset that there has to be zero risk. And so kind of oftentimes you need executive support to shift that mindset. But another way that the technology enables a change in the mindset: because containers are the same from dev to test to production. If you set up your environment, you know, if you're deploying to a Kube cluster, it's the same container image deployed to a Kube cluster, whether it's dev, test or production. If you set it up so that, you know, you're really doing that testing in exactly the same kind of environment as your production environment, then you can maybe get your security team a little bit more comfortable with the idea of iterating and ideally, you know, if there's going to be a failure, it's going to show up in the test environment as long as you've got the right tools in place. And because clusters can be spun up and shut down so easily, I think it makes it simpler than a traditional architecture where, you know, VMs might be scarce, it would take weeks to get a VM, you know, you'd have to request a VM. It would take weeks to get it provisioned. The VM environment is different from test and production. 
The closer you can get these environments to be exactly the same, using the same tooling, the same security tooling, the same network policies, the same configs, the better your chances of finding something early and giving some comfort to those security folks who are so worried, right, because their job is to prevent the company from showing up in the newspaper.

Yeah, well, to me, that is the promise of PaaS, or however you say it. That was always the thing that I loved about it, seven or eight years ago when the whole concept of Heroku showed up: the repeatability of the environments. Previously you would do development on your local machine, throw it over to test and QA and all this. And we've now had like seven or eight years of this containerization stuff. But I also think that you and I, at Red Hat, are at the bleeding edge of the knife, so we drink this Kool-Aid all the time, and we kind of have to realize that not everybody has followed this path as quickly as others. So I think culturally, still coaxing people along is a key piece of this.

Absolutely. And again, it's hard for big organizations to change, right? And so I think that's one of the reasons why, when we've seen it be successful, executive sponsorship matters. It's not that you can't be successful without executive sponsorship, but exec sponsorship makes a big difference. And again, starting with a small group and then trying to take that success, learning from that and expanding it across the larger organization, is a win too. And it's funny what you were talking about with the PaaS. I mean, I remember, gosh, well over, maybe 15 years ago now, this goal at a company I was working at to be able to more easily... you find a problem in production.
How do I trace back from that production code to the root cause, the source code problem, in a development environment, so that I can more easily reproduce and fix and get that fix back into production? And there were all sorts of different ideas about how to do this: data sharing, and how do you get traceability from the source code to the binary. And we're in a world where less of that matters because it's the same image from dev to test to production. It's kind of cool.

So we do have a question from Jason in the chat here, and I think he'd rather stay off camera. So that's okay; my hair is doing okay today. Do you see security teams being spread thin in DevOps teams? And if so, does training developers on basic security coding practices become a priority? Like, how do you spread the load, kind of?

That's a great question. I mean, the truth is that security skills are thin on the ground, period. And they're expensive. And so the more an organization can do to help all members of the team understand what the security goals are, and again the why behind them, because the technology does change. And so there are scenarios where something like saying every certificate has to be signed by the corporate CA... there may be cases where that's appropriate and there may be cases where that's less appropriate in a Kube cluster. Maybe the platform certs don't need to be signed by the corporate CA because that cluster is a closed root of trust, but you want your application certs signed. But you need to have a conversation about that. So one thing... I haven't heard as much about this recently, but a few years back I started hearing about roles like the BISO role, the business information security officer, who was embedded with app teams.
And because they were embedded, they could have conversations about risk, and the developers could have a conversation about, well, doing it this way is a problem, but what if we did it this other way? Can that still meet your goal? And so anything that an organization can do to facilitate that, to facilitate that learning, and then again to help developers feel like it's worth their time to better understand the security requirements. I mean, they don't want bugs in their code either. But what hasn't happened, right, is that the thou-shalt messaging doesn't work; developers like to understand the why, and then they can get really creative about the how. So the more communication we can foster, the better.

I think that's a great answer to that. And Dave, if you have a follow-on, just type it in the chat and I'll read it out for you. The other thing you mentioned was the rise in the importance of config analysis. I'm just coming off a talk with the kube-linter folks, so it's been top of mind. Can you talk a little bit more about how that is evolving?

Sure. Well, I think, again, some of this is due to the change in technology, right? It used to be that the developers were responsible for building their code and doing testing in a test environment, and there's a certain set of configs that they know they need. But in production, it was always the ops team. The developers would say, well, here's how I need my VM configured: it needs to have these system libraries and it needs to have these ports available. And boom, boom, boom, everything would be listed out and handed off to ops. And then the ops team would have an opportunity to determine whether it met their concerns, and the security team, the networking team.
And now, in a containers and Kube world, all that config data is in my deployment. It's in my Kube Deployment, it's in my Pod: what user I want to run as, what Linux capabilities I might need, what my network connections are. That's all going to be in the SDN. It's all less visible to the ops and network and security teams, because all the configuration is code for the application. And so one of the ways you win trust is by using those newer automation tools to analyze for challenges, whether it's a Helm chart, a Deployment, some config in YAML, an image. It's also a way to educate your developers about what's okay to do and what causes problems: run those analysis tools early, share the output of them, that provides visibility across the team, and it reduces problems early in the life cycle.

I didn't think, ever at this point in my career, I would be editing so much YAML. It's like YAML this and YAML that, everything. And the access to the config files and the YAML and the Helm charts and stuff, we have access to tweak that.

Yeah, yeah.

Chris is joking about calendar-driven YAML engineers. No. Creating these things. Yes, it's great. And for me, that is the part that, back in the day when I was writing applications and deploying them, was the mystery part. I would have it configured perfectly for my thing. And now I go into IDEs and things like that and I have access to tweak it again. And so having this automation layer to get to the deployment, having that automation in the CI/CD check it before it goes into production, is really kind of key. And it has really made me a better developer, shall we say. There's one question that's coming in here.
Alec is asking, what is the best step-by-step prescriptive guide for DevSecOps with OpenShift? Did you write one?

Excuse me, is that a reading question? I don't know. Maybe we should write one. We do have some folks in Red Hat who have put together what they might call a container factory that outlines that. We can dig up a link to something like that and share it. I'm not sure whether it's in a blog or whether it might instead be somewhere else. But I think Red Hat believes strongly in prescription, but with choice.

Yeah, I think that writing the book would be good. And if it's in a blog, I'll be really upset, because one of my least favorite things is when we document by blogging and then they never get updated or maintained. The mantra I have in all the community open source projects is, please, if you're going to do something... But I actually think that what Alec is asking for is a title for a great book to work on.

It is. It is. I like it.

It's an OpenShift and some sort of a guide there. If it isn't in the container factory, hopefully not a blog. But it probably is, because I know our friends and family here at Red Hat. So we'll find that link and share it with everybody. E-books are a great idea though.

Yeah. Let's do that. I think we could be back with it. But that's sort of taking DevSecOps one step at a time. I think that's a great slide to end on for everybody to think about where we're at. And if you go to your next slide so people know how to find you... I don't think it's there.

All right. Well, I'm going to have to add that into the slide deck afterwards. So hopefully it's in some repo, that container factory. We'll look for it and update it, and I will add this, Caroline. I will add the slides.
I'll take this whole talk, which, thank you so much for spending the time with us today to talk about this. Next week we have problematic versus deterministic security with Steven Gear, I think that's how you say it, Gear or Gigger or something like that, from StackRox, who is going to be talking at the same time next week. So if you want to join us, in the following week after that, John Willis is going to be talking again on DevSecOps. So we've got three strikes and you'd better watch them all, and we'll hopefully hit it out of the park. And I think you have done that today. So thank you so much for taking the time, Kirsten, and we'll keep you online a lot, I think, in the coming weeks with all of the security stuff that's coming down the pike. So thanks again.

It's a pleasure. Talk to you all soon. Bye bye.
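Editor's added example, placed after the briefing and not part of it: an illustration of the "belt and suspenders" point made earlier, that requests for excess privilege should be caught early by app config analysis and caught again at admission with pod security policies or OpenShift security context constraints. The Python below applies one rule set to a Deployment or Pod manifest (the dicts are what you get after parsing the YAML or JSON you would `kubectl apply`) and exposes the same rules both as a findings list for CI and as an allow/deny decision for an admission-style gate. It is not kube-linter, not an SCC, and not Red Hat code; the allow-listed registry `registry.corp.example`, the capability block list, and both sample manifests are constructed assumptions.

```python
"""Editor's added example (not from the briefing): one rule set for both the early
config-analysis step and the admission gate. Simplified; not kube-linter or an SCC."""

# Assumption (hypothetical): only images from this private registry may reach prod.
ALLOWED_REGISTRIES = ("registry.corp.example/",)
# Assumption: Linux capabilities that must never be added in this environment.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"}


def pod_spec_of(manifest):
    """PodSpec of a Pod, or the template PodSpec of a Deployment/StatefulSet/DaemonSet/Job."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_manifest(manifest):
    """Return a list of (rule, detail) findings; an empty list means the manifest passes."""
    findings = []
    spec = pod_spec_of(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    for host_key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_key):
            findings.append(("host-namespace", f"{name}: {host_key}=true"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(("hostpath-volume", f"{name}: volume {vol.get('name')} mounts {path}"))

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c.get('name')}"
        image = c.get("image", "")
        sc = c.get("securityContext", {})

        if not image.startswith(ALLOWED_REGISTRIES):
            findings.append(("image-not-allowlisted", f"{cname}: {image}"))
        # Pinned means a digest; a missing tag or ':latest' is a moving target.
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
            findings.append(("unpinned-image", f"{cname}: {image}"))
        if sc.get("privileged"):
            findings.append(("privileged", cname))
        # Kubernetes treats a missing allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("privilege-escalation-allowed", cname))
        # Container-level settings override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(("may-run-as-root", cname))
        bad_caps = sorted(set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS)
        if bad_caps:
            findings.append(("dangerous-capability", f"{cname}: add={bad_caps}"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("writable-root-fs", cname))
    return findings


def admit(manifest):
    """Admission-style decision over the same rules: True = allow, False = deny."""
    return not check_manifest(manifest)


# Constructed sample: a Deployment that should have been caught in CI and must be denied.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "payments"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "app", "image": "docker.io/library/nginx:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
        }],
    }}},
}

# Constructed sample: the same workload after the developer fixed the findings.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "payments"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": "registry.corp.example/payments/app@sha256:" + "a" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}

if __name__ == "__main__":
    for rule, detail in check_manifest(BAD_DEPLOYMENT):
        print(f"DENY {rule}: {detail}")
    print("admit(BAD_DEPLOYMENT) =", admit(BAD_DEPLOYMENT))    # False
    print("admit(GOOD_DEPLOYMENT) =", admit(GOOD_DEPLOYMENT))  # True
```

The point of sharing one `check_manifest` between the CI step and `admit` is the one the briefing makes about visibility: developers see the same findings in their pipeline output that the gate would reject on, so the "why" travels with the manifest instead of arriving as a late thou-shalt from the cluster.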