DevSecOps: The Core Curriculum Opening Remarks

DevSecOps: The Core Curriculum -- opening remarks

My brother like 15 years ago asked me what song I would come up to if I were a pro wrestler. There are two. That was one of them. The second one is going to introduce our very first speaker. So Hey, everybody, what's up? I'm Liz. I am the co founder and CEO of StrongDM.

‍

I'm going to start off by telling everybody that today is not going to be "that type" of conference. And by "that type" of conference, I mean one filled with cliches because they're never going to start. Today, we're not going to talk about some crazy pie in the sky vision like a credential crisis. We're just going to talk shop.

So I would like to take everybody back. We're going to go way back, we're going to go all the way back to 2015. Uptown Funk by Mark Ronson is at the top of the charts. Michael Keaton, I do believe has just made a comeback with Birdman. What else? Obama's president, the FCC is actually hotly debating net neutrality at that point - and Ashley Madison was also hacked that year.

And my last company, which had just been acquired, the acquirer got hacked. What happened was an engineer had spun up a test Mongo database, but it was filled with real data. Nobody knew it existed. And a hacker discovered that it was leaking on a port, good old 27017 got in and hundred million records of PII later, the company was investigated by the FTC.

And there was nothing not one but two consent decrees and it was out of business. So just all shareholder value totally lost. The good news is that out of that totally unintentional, but catastrophic incident, StrongDM was born. So what happened was, we actually couldn't wrap our arms around our infrastructure. And so we had no idea who had access to what and so how secure where we really we? I mean, obviously weren't.

At the same time, we also weren't special, everybody had similar problems. And so we set out to simplify access controls. And we started with a couple functional basic questions like, how do I get access today? Am I going through a bastion? Am I exposing any sort of ports to the public Internet? Do I need to get my laptop on the production specific VPN in order to access Kibana?

And then those questions began to provoke some thoughts. And so we asked some bigger picture questions, which is, what are the minimum number of credentials that I need in order to get access to privileged systems? Do I even really need the address of something in order to get to it? And is it possible for everything to be both temporary and dynamic, and so strong built a proxy. We started with databases because that is where the crown jewels are stored. And then we added SSH and then RDP, because contrary to popular belief, as some of us in the audience might know, Windows is alive and kicking.

A few weeks ago, we released Kubernetes. Today, I think everybody in front of me as an engineer, and everybody speaking for you today on this stage is also an engineer, we should be able to learn from our peers. And so that's why at this conference, you are going to hear a whole bunch of real world case studies about infrastructure and security problems that teams from companies ranging from startups all the way to huge multinational corporations have attacked and solved.

My hope is that you will ask a lot of questions, they'll be one FinTech panel, and I believe six retrospectives. So before I introduce our first speaker, and stop droning, I would like to say thank you to Hearst and to Blissfully for sponsoring this event today very much appreciated, and also to our speakers who came in from faraway lands like Boston, and LA. And one of us who took the red eye last night from San Francisco. Thank you. And so without further ado, I am going to introduce our first speaker, this is the others song that I would have walked out to if I were a pro wrestler, but he gets it and he told me that I could choose it for him today. So you can play out and may I introduce Mr. Joel Fulton, the CISO of Splunk.