Automating Secure Software Development with DevSecOps at Admiral

Admiral’s journey towards DevSecOps began two years ago at this very event! Kevin Foley attended the Nomura Investment Bank session where Nick Wadge, EMEA CTO, spoke about secure software development in a highly regulated industry.


Kevin identified the opportunity to transform the way Admiral Group developed software.


The use of open source within software development propels software innovation, a key competitive advantage. However, FTSE 100 organisations need to control the risk while still giving the development teams the speed they need: speed with control.


Join this talk to learn the steps Kevin took Admiral Group through to unite software development and security teams, from idea inception and business case to tool selection and cross-functional team training.


This session is presented by Sonatype.

Kevin Foley

IT Delivery Operational Manager, Admiral Group PLC

Transcript

00:00:08

So, Admiral's DevSecOps journey, which I will go through: the journey of what we've done in the last couple of years, and the opportunity that it started with.

00:00:23

So, to talk a little bit about myself first, to give you an idea of what I'd done. In 2003, I joined Admiral. I was already a developer before then; I'd been to college. I started at Admiral as an operator, so an 800 operator. After a year or so, I was already trying to move to be a developer, because that's what I'd done in college, and then I moved to be a developer. So I was an RPG developer, and I worked on the development of all our systems. In 2006, I retrained myself to do Java so I could do more front-end development and our websites. I then moved to be a team manager in 2010. It was like a progression, so I'd already become a senior developer. The next progressive move, I think, for me was to move into team management. I was looking after a couple of development teams. In 2017, I then became delivery ops manager, where now I look after numerous tribes, delivering lots of bits of software across the board.

00:01:51

So Admiral, it's a car insurance company; mainly, it started off as a car insurance company. It was David Hermie, who is in the picture, who started it in 1993. We are based in Cardiff, and that's where the main head office is. Obviously when we started, there was only the telephone, the TV and the Yellow Pages. I'm not sure how many of you are old enough to know what the Yellow Pages are, but they've been out before. Obviously we started off small; growth was pretty small. We started to move into the market in 2000, and we started looking at the internet, and we're quite proud to say that we were one of the first quote engines, really, for insurance, which is the Elephant brand, which is what you can see in the picture, which was based on an internet-only brand.

00:02:59

Obviously we've gone on since then. When we moved to the internet, we started looking at price comparison, and 90% of our sales now come from price comparison sites. We've moved on from car. We went into multi-car, so in 2005 we were the first to introduce multi-car, and it was a true multi-car policy: the more cars you put on, the cheaper the policy, and you've got it all covered under one policy. I was lucky enough to be one of the developers to help build that, which was really exciting. In 2012 we then diversified a bit into household, so we've got a household product. I was very lucky again; I was a team manager, and my team were lucky enough to basically build household, so I'm pretty lucky. Obviously we did it a bit bigger than just in Cardiff. As you can see, we've got lots of other companies that we've been a part of. I won't go through them all, but we've basically, more or less, taken on the world.

00:04:23

So in 2013 we were looking at a time for change, and the reason for the time for change: obviously we were on an old green screen system, and we wanted to move to a more friendly user experience for the software, especially for our call centre departments to work on. So we then embarked on a journey, which took numerous years to do, but we moved from our legacy system to a software called Gateway.

00:04:59

Obviously one of the things that we're looking at doing right now is moving into digital, so self service; that's very key in our strategic plans. Analytical data is super important, same as any other company really; the more you understand about your customers and what you're doing, the better we can help price and make sure that we do things right. One of the other things that's happening is we've moved to the online account. So if you're lucky enough to be with Admiral or any of our brands, Diamond, Elephant or Bell, you can go onto our website and manage your account online. This is obviously far more important in the last three or four months since COVID-19 has come in and everybody's working from home, which makes it a lot harder. So we've now pushed a lot more to a total online account to allow our customers to self service.

00:05:59

So once we had done that, about two, maybe two and a half years ago, we started looking at the security side of what we do. Because obviously we've moved from one aspect to another one, and it becomes far more complex as you go through. So we've got our own security team that was developed and moved out; we had a smaller one, if you like, in IT originally, and we've moved over and now we've got a huge security team. Obviously we work with them on delivering a secure software development life cycle. One of the things that we did to help us understand what it is to be more secure in our development is we obviously did some training.

00:06:56

He came in as a consultant and helped train us, if you like. So we had all of our developers, everybody in IT, go through the course. We did the basic secure development introduction so everybody knew and understood what it is we're trying to do: devops, team managers, probably builders, everybody that actually cut any code. Then we made sure that they did the secure development for developers, so they understood what it was to make sure that our code is secure. And some of our seniors then went on to do the advanced secure development. So we've got sort of like a different level of security through the teams. If anybody ever wants to have a conversation with him, he can tell you how easy it is, or I say easy, it's not really easy, but it is, depending on which way you look at it, for somebody to hack your system.

00:07:56

We'd got big firewalls in front of us, and he said he would never have tried to attack one of those, which is an interesting thing, because obviously we paid a lot of money and you've got these big bunkers stopping bad people coming in. He said that you'd go off, and one of the conversations we had really was that you'd go off and find who the company buys from, maybe get into them, and then you would bring them in through the door, the Trojan horse route, which really opened my eyes to how a hacker thinks. What we think is secure and what they think is secure are definitely two different things.

00:08:34

One of the things that started me on a slightly different journey around development code was obviously being at this event two years ago, which was the first time I'd ever been to one of these conferences. But anyway, I loved it: the amount of people that were there, the enthusiasm, and the amount of information you could get, which was phenomenal really. I ended up going to a presentation around open source. We use open source obviously, as most companies do. So I kind of went along, and I'm sitting in there and he's talking about what he's downloading and how he's downloading it. And he sort of went and took it out. Okay, that's fine. And then he starts talking about the open source and what it's doing, and I'm sitting there thinking, that's interesting.

00:09:33

I kind of read through some of that, and the more he was talking about it, the more I was getting worried. And I thought, we definitely do that, and I'm pretty sure we have no idea what we've downloaded. We have no idea where the code's come from, whether somebody has put anything in it that's malicious or not. We just openly believe that it's all right. So I came away from there feeling a little bit uneasy, to say the least. I came back and started having a chat to the developers really about what we've done, what we're doing, how our pipeline works, what we've got in place. Open source was strongly locked down by the security teams: whenever we wanted to do anything, they basically said whether you could have it or not, which is great.

00:10:31

So we thought we were relatively covered. Yes, good, they're doing their job to make sure it's secure and safe, and that's doing our due diligence, if you like. That's fine. But 80% of our downloads were done outside of that really. I don't know if that was a good thing or a bad thing at that time, because from a security point of view we think we're okay. Well, that's kind of not really true. So we got in touch with Sonatype, who then came in and did a scan on us. The scan was just to see what we had downloaded in the last three months, I think it was, and they gave us a list of everything that we've done, an audit over the last few months. I'm sitting there thinking, this is going to be horrendous.

00:11:29

I'm going to be really scared; I'm going to have to do like a ton of work to make sure that we can fix it. That was probably more or less true. It wasn't as bad as I thought it was going to be. We had a couple that we needed to fix more or less straight away, but that was about it. The rest were fixable and we had some mitigations in place, but still we were downloading some dodgy code. So that was one of the things that came out. So obviously then we ended up implementing it, the interesting bit. We've got Gateway, so we've got how we build our application. We've got SonarQube to look at our code analysis, which tells you whether you've got any vulnerabilities in it.

00:12:26

But it doesn't touch what we bring down from open source, and anybody that does download open source, you know that you download one piece, it goes off to another piece, that goes off to another piece, and you have no idea what you've downloaded. And if you do, you're going to spend hours and hours and hours, or days, weeks, trying to find out. So obviously we bought Nexus IQ, which has been put in there, which we've now implemented. It's taken the best part of a year to implement it. It's been really difficult. Why? It should be really simple, right? It should be very simple to implement these things; it's security, we need to get them involved. But, same as anything else, you've got teams that are already functioning, and then all of a sudden you've tried to implement something that can stop them building quicker. So it took a while. We also had some issues really around building it. So when we originally planned it in, this is what we had. It was like 320 threats; we think, oh my God, that surely can't be true, because we've already done the scan on that front, you already know. And this is just making sure that it goes through the pipeline still safely, just in case it goes off and does anything weird.

00:13:49

So we weren't truly happy with this, so we looked at our scan and said, it will scan and says this. And it was an old scan, but because we weren't actually transferring this information through our pipeline and moving it anywhere, it still picked it up because it assumed it was there. So we had to do a bit of a workaround really. We had to look at some community practices, look at it, build something in to see if we could plug them in. What we get now is this; so the report runs, this is what we get, which is obviously much, much nicer looking. Obviously the problem we have, if you look at this, is 320 we've still downloaded. So we've still got a bit of work to do around not allowing that code to come down, and how do we do it, and what threat it has to us as a company before we move it in. But so right now we've changed our pipeline a little bit.

00:14:56

A lot of things are all automated. Most of the software now, 90% of it, comes down to Nexus repositories. So we know that it's all been scanned and we know what we bring in. There's a couple of layers we still need to bring in, but nothing that gives us a major threat. So right now we're in a good place. We built some things that help build all of our hardware and all of our scripts. And we've got what we call Yeti, which is our application that we've built internally that allows us to monitor all the systems, all together really.

00:15:43

So one thing I want to talk about is, from a security testing point of view, we've got a dedicated security team that live in security, right? So they sit over there; they call it the red team. They do all of our scans to make sure everything is okay, but they do that scan at the point when we are going live, or like the week before, which is totally right. Because at that point, if they find a massive vulnerability or weakness that we haven't picked up through anything, whether it's coded ourselves or not, we will have to go back, and then it delays things, and then you've got loads of pressure from the product owner, from everything else. So we are working with the guys to figure out how we move a bit more left, so they don't become so much of a pain at the end, and I mean that in a nice way, not a bad thing. And obviously whatever they find, if we say we can't fix it, because whatever we've got in a release is important and it needs to go, we create ourselves technical debt. And then we have to go back and do it; it costs, or it takes effort away from anything else.

00:16:58

So one of the things we found out, a while ago, is that we've got three testers who are teaching themselves to be security testers, which is great. They were sitting in the corner, and we found out about it about a year and a half ago, something like that. So we've now kind of embedded them into the pipeline to get the security testing done at the point when we build it. So we know, and if there's a vulnerability in it, it gets kicked out; we go, actually, you can't do that. So we're working with them, and working with the red team, because you need to obviously make sure we sign this off. So that's work in progress, and as anything else, it's really difficult.

00:17:43

The longer you have something that sits over here that belongs over here, it becomes a copper plate, and you have the handoff, and who owns it, and what does it mean, and they found it, I didn't, and the usual things you get into. One of the other things that we've started to add to our pipeline really is how we build environments. So obviously I've talked about the software, I've told you about the delivery of the software; now it's the hardware. So, same as anything else, we've scripted everything to make it so that it's easy to do, it's continuous, it's great, and we're in a really good place, but it's not hardened. So we need to harden it. So we're working again with the red team and the security team, who are very much on board with trying to make sure that our hardware is already hardened before it goes anywhere.

00:18:44

So if we want to build a new server or build a new environment, we look into building that into a pipeline to make sure that when we build an environment and we give it to a team, it's already hardened, and we don't have to worry about patching, or that it's got a vulnerability only because we haven't done anything with that patch. So those are the things that are quite important for us to make sure we do. And obviously my devops engineering teams are doing that, working with the red team. One of the things I think that's important is that's just my journey, or my journey at Admiral. Would I change things? I think I would. But that would be for a big company; it seems most big companies are probably doing exactly the same thing.

00:19:33

And if you're a smaller company, you can probably do things so differently. But the separation of teams, I think, as devops, we talk about devops, DevSecOps; it's important. If you separate the team, it becomes a handoff, and when it becomes a handoff, it becomes somebody else's problem, or they don't believe in what you've done. And then you have that fight. So if you can, and if I could go back and do something, make sure it's built in there first, make sure you're already building it and you're already thinking about it going forward, creating the secure development life cycle. I mean, this is the right thing to do; everyone should have one. One problem is that it was driven from our security team, not driven from us. That's not a bad thing, but again, it means it takes a while for the team then to take a bit of ownership of it, to understand what it means and be accountable for it, to make sure that they do it.

00:20:33

It's okay to own it and to deliver it. So that's still ongoing. We do reconvene, we definitely follow it and we use it, but you need to get more buy-in from the teams. From a security testing point of view, I've talked about it just now; we've got a security testing team that looks after that and works with us, with the teams. Ideally they should ask for sign-off, and see where there's vulnerabilities, and sign off. Even right now, if I'm honest, we have that team sitting there; they hand the Jira off, that goes off to the testing team or the development team or the tribe, and do they take ownership of it or not? Not really; it just sits in the backlog. And then they hand off to the red team, and the red team do something similar.

00:21:28

And therefore we've got these Jiras sat about really that say, you've got this vulnerability, somebody needs to fix it. Which is not a good thing, because that means it becomes a management problem, and it shouldn't really be a management problem. It should be the tribe's and the squad's problem to make sure that they're secure and deliberate. So moving that into the team and making them take ownership of it is super important. And the responsibility, the responsibility to me, is about a developer or a tester or a tribe or a squad who create some code. It's their problem: they develop it, they built it, they own it. They should take a hundred percent full responsibility; as soon as you allow that to go somewhere else, it becomes somebody else's problem. So I would definitely think, if you could change things, it's harder for us. We're already massive, you're already doing things differently, and it's just harder to reinvent the wheel, if you want to call it that, and move things in. It becomes challenging; people get stuck in their ways doing it. It's not that they don't want to move, because they all do, and they all understand it, but actually getting any work in is really tough.

00:22:44

And as I said, that's all I've got. I'm more than welcome to any questions. Obviously we run the Slack channel, and there's my LinkedIn if anybody would like to contact me. And I hope that was beneficial to anybody.