I'm really looking forward to this next panel discussion. I'm joined by Anton Vishnikov from Big W and Christy Thomas from Australian Unity. And they will be joining me today to have a discussion on leveraging DevSecOps to gain competitive advantage through enhanced collaboration and governance. And we'll be talking a lot about collaboration and that culture and the change. So Anton and Christy, if you guys can give me a sound or a hello to let me know that you are, we can hear you and everything's all good. Hi, Christy. Hi. Hi. Hi, everybody. Perfect. Awesome. So what I might do guys, I might really get you guys to give a brief introduction to yourselves, share with our attendees a little bit about your background and a little bit about yourself. So Anton, maybe you'd like to start off, can you give us a bit of an introduction about yourself and your role and some info about who you are?

Yeah, absolutely. Hello, everybody. My name is Anton. My surname is Vishnikov. It's a little bit long Russian surname, Anton V. And I'm the DevOps Engineering Lead at Big W, which means I lead the platform team and everything DevOps, and basically helping everybody to move the application from your local laptop all the way to the clouds, right, through CI/CD pipelines, through some kind of automation, through cloud automation, monitoring story and all that kind of stuff. I'm a software engineer. You can go into the whole story or world from maybe being a software engineer or infrastructure or networking engineer. And I'm a software engineer at heart and probably that's one of my competitive advantages because I love to automate. And I'm really compassionate to the software engineering teams on the software engineer side of things, maybe compared to other teams or DevOps teams. And yeah, and my current challenge is gluing teams together, right?
Culturally wise, engineering culture, gluing application teams and the security team with the platform or infrastructure teams, and technology wise, as many people on the call on the presentation already said, coping with enormous complexity of modern systems, whether that's a cloud, Azure, AWS, you name it, or Kubernetes and many, many other complex technologies, getting that complexity, taking that away and then making it a consumable product for engineering teams.

Fantastic. Well, thank you so much for joining us today. And Christy, would you like to introduce yourself as well?

Hi all, I'm Christy Thomas. I came to Australia like 15 years back and I started my IT career as a programmer, then moved into networking and security, also more into infrastructure. Then recently, the last five, six to seven years, I was into cloud, then DevOps. So I've worked with different organizations like John Holland, Australia Post, then recently I worked with, I was working with Australian Unity. And just now I joined another, it's a US based, it's called DEMIST data and they are US based in New York and I'm joining their global team as a cloud lead, as a technical lead for the cloud solutions, basically for the DevOps, and it's a new journey for me and the first time I'm working outside of an Australian company and yeah, so excited about it. But I had a good career and also good fun and passion in Australian Unity. It was mainly a data development company and I met a lot of good developers, data engineers at different agile projects. So proud to be part of it and also it was very successful, and at this stage I think it's a new journey for me to try something different. So yeah, and yeah, you can find me on LinkedIn and yeah, so yeah, that's all about me.

Hey, fantastic.
So the question that I wanted to ask both of you today is the first question to kick things off, and Anton or Christy, I'll let either of you go first with this one, but how does DevSecOps differ from other methods of collaboration and what will that mean at all levels of the organization? So maybe Anton, would you like to kick it off with your response to this question?

So very, very good question. So the question is how DevSecOps differs from other things? Probably my honest feedback is it doesn't, right? It's similar to what we invented with DevOps, right? At some point the complexity of the systems was so high that it wasn't good enough to have disconnected teams, right? Whether that's application teams or infrastructure teams, complexity pushed us to work together, right? Technological complexity, but also complexity of maybe the organization structure or velocity of the products and stuff like that. We used to deploy things like maybe once a month or a quarter, 10 years ago, but nowadays what is it like, 10 times a day, right? So that complexity pushed us to work together, infrastructure and application teams. Now, where's the security? Oh, security was left a little bit behind, right? But nowadays the same story happens with the security. We found that we've got application engineers and infrastructure engineers working together and we basically join in security. It's the same, same story. Complexity of the security challenges or products or applications pushes us to join security into an already kind of working-together landscape. And this is why we've got DevSecOps, but this is my interpretation of challenges. Yeah, same stuff, the cultural one, getting people together, working together, ways of working, all that kind of stuff. And also the second part is the technology, automating security, security as code, configuration as code, everything as code, right?
Same story which happened with DevOps, but at a much faster pace and probably at much higher stakes because it's security.

Christy? Christy, do you wanna have a go at answering that as well?

Yeah, pretty much similar to what Anton just mentioned. Like now, as William also in his talk mentioned, nowadays, I mean, like the modern world, I mean, like, no, it is like agile, DevOps. So most of the companies are moving from the traditional waterfall to DevOps. So in DevOps, actually it's a, you are delivering a component of the, like you know, and it's very dynamic and fast. So you have a Dev team or a data team. Data is also part of that. And so Dev and data team, you have an ops team. And now when you say DevSecOps, you're having the security team also. So suppose if you are delivering a component and that component has a security glitch, it can be a product problem or a platform problem, but everyone has to collaborate and resolve the problem for security. Because that's something which I can see in my career with the DevSecOps. Because when it comes to security for an agile team, everyone comes in. So the collaboration will, because we don't know where the glitch happened. So it can be, because if there's a problem with the product alone, there's some logic or anything problem, then only the Dev team will be looking into it. But if there's a problem only on the platform, then only the platform team will be looking into it. But when it comes to security, we need to collaborate together. And according to the business requirements, we need to change the security features or standards. And yeah, that is something about, I can talk about how a modern agile team works on DevSecOps. And challenges actually, as everyone mentioned already here, there are different aspects, like basically what tools you are using, what languages you are using. Even when you come to Dev development, you have different languages.
Or if you are coming to DevOps, like a platform, you have different tools nowadays. So your DevSecOps tools also have to integrate with all this. That is another challenge which we can see. And people get used to their tools. So those are the things which we consider in DevSecOps.

Yeah, fantastic, great, great answers. So Anton, how can an organization support the cultural change required to implement DevSecOps?

Right, you don't have easy questions for us, how does the organization support the culture change required for DevSecOps or anything else, right? Well, from the top level conversation, probably we have two choices. Well, I'm probably gonna give anti-advice, but some companies are just not meant to do those things. They're not designed to solve those problems. And unless the company itself reinvents how the company works, basically no initiative, whether it's a cloud transformation or security or anything like that, it's not gonna happen, right? It's just, no, no, right? But the second, yes, it just, it starts from the top, right? So we've got the buy-in, we've got business awareness, so the company understands why security is important, well, why, well, no. We've got APR, right? We are a publicly listed company and nowadays our security profile is much more sensitive compared to maybe a five people startup, right? No one cares about that, right? But once we are an IPO, we are actually obligated to do those things, right? Okay, great, security awareness starts from the top, maybe regulations, maybe any other requirements. But as some people said, it could start from the bottom, whether it's people adopting Kubernetes or people raising the security awareness kind of from the teams' perspective, right? And then when we have those two pieces working together, the company itself understands the why, buys in and allocates budgets and cares, right? Lead by example, right? The CTO comes and leads by example or the CEO comes and leads by example, right?
We've got budgets and time and we also have engineering teams actually understanding why we need that, looking into this one, maybe having trainings, maybe, maybe, maybe we're a multiple, you know, everything is here to explore and we've got those things together, reconciled, and that's where the amazing journey begins, you know, everybody understands what needs to be done, we've got time, budget, we've got resources and we just move forward full steam ahead, right? That's gonna be probably my answer on this one.

Very fantastic. And Christy, what are your thoughts?

Anton, yeah, Anton already answered most of the stuff, but yes, for the organization, there should be an elevate from the game, from the top to the bottom. See, the basic, the basic rule we have to follow when we deploy DevSecOps is, you should not do a big bang change, never do a big bang change straight away, because we have to understand what we need to be in developers' or data engineers' use also and understand they have time limits, they have creativity, a lot of constraints are there. So we need to understand that. So never will I ask or advise that we should have big bang changes. You should always go with continuous improvement, like, you know, we need to invest more from the top as Anton mentioned, from the top level, have to understand these are the things and invest more time or like, you know, money into how to get this practice, like, continuously improving. And recently, I mean, not recently, actually, in Australian Unity, we had a Secure Code Warrior tournament; in Australia Post also we had one when I was there. So the good thing about tournaments is like, you know, the diver, it's the practice so that you give incentives.
But when you conduct a tournament, there are, you should not be, it should be a beginner level, you know, so different levels should be there so that different engineering teams can take over their team and make a tournament or make it so that they improve their quality of coding, you know, and also it will come. So with the incentives, compliments, you can improve, like, you know, you can, by complimenting them, you can make them change the game, you know. Even myself, when I'm in an agile team, of course, I was taking care of the security side of it. So I, when I go back to my developer, I say, can you do it in this way, you know, so we need to be nice to them also and say that it is gelling, and also once you have done it and then the second time when he's following that security standard, pat on his back and compliment him and say that this is a good job. So these types of human interactions have to come in place if you want to improve your security. That's the organization support you have to give for DevSecOps. So yeah, that's what I will say, incentives, tournaments, give cards, give to developers and data engineers, you know.

No, fantastic. That's great. And I couldn't agree more. So when it comes to, so Christy, maybe this question's for you as well. What does DevSecOps have to do in data and information security, particularly for enterprise data and projects?

Okay, yeah, through, see, that is one experience I have, I got, I understood when I joined Australian Unity because it's a data-driven company. So usually through DevSecOps, most of them think, or the normal practice in agile development is, we mainly achieve quality code, which is good, quality, you get quality code and then you develop a secure software application, okay? But in the data world or in analytics, most of the companies are moving into, we are using containers there also.
Like, you know, it is even data, like, you know, some applications like Airflow, all these are on containers in Kubernetes also. So when you do that, like, you know, all the data scientists or data engineers, they use production data, okay? So when they develop using production data, when they do the analysis or analytics, they pull lots of different external packages. Like, you know, we call it software composition analysis, SCA, okay? SAST is different because SAST is something where you're scanning the code, but this is where you're checking the, so you pull insecure packages from public hubs. You have insecure methods or like, you know, you have cryptographic, like, outdated outputs or, sorry, debugging outputs or outdated cryptography are a concern in that world. I mean, like, you know, when you do, so there should be, so because of that, your data gets leaked. Because if you don't get into this, if you don't stop that, you know? So DevSecOps plays an important role in information security or data security with that regard. And there are different tools and measures to do that. Different companies use different tools. And even Artifactory, you know, closing internet for, you know, production servers, all those measures are there, but we need to, from my experience, you know, data scientists people especially, they cry that we need our internet, we need to pull this. So we need to find, make them also practice how to get, you know, the packages securely. So something which, yeah, that's what I think in the data world.

No, that's it, great, great answer. And Anton, what are your thoughts there on that question?

The question, which was...

Yes, so what does DevSecOps have to do in that data information security space for you? What role does it play when it comes to data and information?

Right. Also a good question. Christy already pointed out like the whole idea on this one, right?
One of the interesting, I guess, takeaways for me personally is decentralization, right? When we have a security practice or security goals, it's not uncommon to have the security team focusing on one thing or holistically across the company and that becomes quickly a bottleneck, right? When we're saying, okay, let's try to implement DevSecOps, right? What does it mean? That means that partly responsibility shifts left a little bit through the developer cycle and we have more people, more eyes and more expertise to achieve the same goal. So now we don't have just the security team working in isolation and doing something, but we involve application engineers, networking engineers, data engineers, and many, many, many different mobile engineers, right? So we involve many different types of engineers with a very diversified skillset and expertise, right? So that altogether, not only is it a diversification of expertise from the security team, but it also allows us to make more data-driven and more precise and more informed choices, right? For me, it's a really, really great takeaway, right? From what I've seen happen in our organization who started looking at the DevSecOps journey and involved all their teams and the security, and the other way around, taking the security team into the journey of DevOps or data platform or monitoring platform and you name it, right?

Great, awesome. Thank you so much for answering that. I've been asking the other presenters and panelists Natin and William and Darren today this question and I wanted to ask you guys this question as well, but what are your tips for some of our attendees here today that are starting out on their DevSecOps journey? What would be your top tips for them just based on your own experiences in starting and beginning their journey? Either one of you can go first. Christy, do you want to go first?

Yeah, first thing, yeah, first thing, a couple of things, like, you know, like, you know, a couple of tips are there actually.
First thing is patience. You need patience, all right? To understand, I mean, like, what the business requirement is or why we talk about DevSecOps or why we talk about security to DevOps. So I understand, like, you know, transforming from traditional practices to a dynamic or dynamic and fast agile DevOps practice. It's a big change. On top of that, you're making security also. So security also has to travel fast with DevOps. So first thing is patience and understand what is the importance. So, and next thing is, like, if you have a requirement, I mean, like, you know, to get the correct tool so that it works with everyone. You know, so, like, if you are used to a particular practice, make sure, like, you know, the security also or DevSecOps gels with that practice, you know, whatever DevOps practice you have, try to gel it and get it to the business saying that this is my requirement. And the security has to, so this is the way I have to practice, start doing. So you need to have patience, understand it and work with the platform team and security team and collaborate and get the, you know, the correct tools. And also we need to understand there are two aspects in DevSecOps, like one is called, you know, we call it security hotspots and the second one is called vulnerability management. So security hotspots is like, like, you know, we solve it through code reviews. So try to do more code review for your colleague and your team and, you know, make sure that there's, try to do that practice. Vulnerability management, then that is the more serious one where before the release, you need to make sure that it's fixed and you need to make sure these two are the main aspects which you have to cover. So when you start your journey in DevSecOps, focus on these things, like, you know, what are the, how can you weigh things and understand and slowly improve it. So some, there will be false alarms in every security monitoring system.
So you need to have the patience to understand that if there's a false alarm, no problem; if it is a critical issue, we need to make sure that we fix it. So just make it a practice and get involved in, like, as I mentioned before, like tournaments or even events like these webinars. Try to learn from, like, you know, people who have already been in the game, you know, so, and also if you are, try to learn from your colleagues also, the other teams also getting involved. If you are joining an agile team, if they already have a DevSecOps practice, try to learn that. So, so then you will also get used to it. And definitely you, and you have to be proud of what you're doing and definitely always enterprises should be complimenting more developers who are doing secure code, quality code, than insecure code. So that we need to understand that privilege or that, you know, honor to do that, you know, quality code. So yeah, that's what I'll say for beginners. I mean, for people who are first moving into DevSecOps, I think that will be a tip, you know? You know, that's, it's all practice, you know?

Yeah, definitely, definitely. It's all practice, practice makes perfect. Anton, do you have any top tips, anything you'd like to share, final thoughts for our attendees?

No, so pretty, pretty good overview, it's a continuous journey, but my advice would be to split those things into two buckets. As I said, some companies are just not meant to have the journey because they're not designed for it and they're stuck somewhere in the late 1990s. So, look, be realistic. You may not be able to change anything in those companies. So either accept that or find another company who is ready to have this conversation, who is looking into this one, who is after the changes and getting better. And then once you get this company and you see the opportunity to bring DevSecOps as a journey, bring everybody on the journey, right?
Lead by example, get those experiences, so all those tools, get better at those tools, help others to get better and be just contagious and optimistic. Get the engineering teams in this journey, try to talk to, I don't know, tech leads, head of engineering, deal with the noise layer and try to reconcile those two things together, the top one and the engineering teams. So that's how it could be done. And as Christy already said, don't get frustrated, it's gonna take maybe a year; at least for the first half a year you're gonna be making friends and maybe for the rest half a year you're gonna get somewhere. And yeah, by the end of the year you may have results. Until then, don't get frustrated.

No, fantastic. So I think what I took from that is patience and practice. Those would be the tips there for everybody. So Christy and Anton, I really appreciate you guys joining me today and joining my event to share your insights and your expertise on these topics. It was really, really valuable and I really appreciate having you both here with me.