DevOps Made of Steel

Brett Lesczynski, Ryan Hejnosz and Adam Arihart, security analysts and administrators from U.S. Steel Corporation, spoke at the Elevate 2021 conference about how they upgraded their security practices at one of the largest and oldest companies in the world. Legacy practices are common at organizations of that age and scale, which can make change happen quite slowly. In this case, the effort to bring a modern DevSecOps process into the environment had to start where the work is done (with support from leadership, of course).

Starting at the Beginning

Change in this environment is usually burdened with many error-prone and slow manual processes. This can cause significant delays in keeping your tech stack up to snuff. Even commonly used technology that enables good processes – such as source version control – might not be used uniformly across all technology departments that own code.

As with any process re-engineering project, Brett and Ryan started by mapping the process. You can see the general change process mapped below as an example of how you can start:

Caption: Example change process

Managing Priorities

While environments vary, determining priorities is a constant and crucial step in this process. Generally, people are limited to three things in any given time frame; increasing that number results in diminishing returns. A monthly planning cycle can help avoid the tendency to plan for 10 improvements and get only one completed.

In April 2019, they limited themselves to three goals: project inertia, system maintenance, and addressing a low user base.

Caption: Example of three selected goals.

Priority management means setting a few key objectives and keeping them in focus. Brett and Ryan decided to focus on a Git program before moving forward.

Solving Open Source Security Concerns

A very common source of concern in any (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Phil Vuollet. Read the original post at: https://blog.sonatype.com/devops-made-of-steel