DevSecOps
Building Security Protections for Robotic Devices
Anastasiia Voitova described the multi-layered security of a modern robotic and autonomous system designed to protect devices and their data. The defence-in-depth measures include operating system hardening, automated secure device provisioning pipelines, unambiguous device identification, data security for telemetry and commands, secure over-the-air updates, active reverse engineering protections, reducing human involvement, and more.
Bulletproof your software: The magic of security autotests
Product security is a process, and some of the steps could be automated to save resources and prevent security regressions. Our Security Engineer, Elmir Iskanderov, talked about his experience and ways to speed up product updates through automation at the Online QADay conference.
Maintaining cryptographic library for 12 languages
Maintaining a cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and the endless struggle to make developer-facing APIs easy to use and hard to misuse. Anastasiia described the four-year journey of designing and supporting Themis: from shaping cryptosystems and writing language wrappers to CI/CD pipelines, autotests and interactive documentation.
Designing secure architectures, the modern way
In this talk, Eugene tried to cross the bridge between modern DevOps/SRE practices, systems architecture design and traditional security/risk management. It is driven by lessons learnt from building systems the modern way in high-risk environments with high reliability and security demands, drawing from the experience of protecting governmental secrets, critical infrastructure and preventing banking fraud at scale.
Delivering security products without shooting yourself in the foot
Dmytro Shapovalov, our senior infrastructure engineer, talks about improving the infrastructure for developing, testing, and delivering security tools. Our experience of smoothing the difference between security idealism and engineering friendliness.
Teach your application eloquence. Logs, metrics, traces.
Most modern applications live in close cooperation with each other. Dmytro spoke about ways to effectively use modern techniques for monitoring the health of applications. Being an infrastructure engineer, Dmytro explained the typical mistakes developers make when implementing monitoring, and suggested a couple of approaches and tools that can help.
DevOps and security: from the trenches to command centers
The DevOps movement emerged as an attempt to build a bridge between people who write code, people who maintain the infrastructure for running it, and people who make the business decisions. These changes have put the emphasis on a new set of techniques and values. These techniques and values can either be beneficial or problematic for the security posture.