Balancing business requirements with security initiatives is tough. Not only are you concerned with scale, latency, resiliency, availability AND delivery of new features, but you also have to pore through mostly generic, sometimes contradictory guidance and ‘hair on fire’ exclamations from security claiming that the end is nigh because there’s an instance of cross-site scripting on a help page. Is cross-site scripting really that bad in this case?
It’s been said that ‘perfect is the enemy of good’ and nowhere is that more true than in devops. But how do you know when you’ve reached good when it comes to securing your product, service or API? The answer, actually, has very little to do with technology and everything to do with how well you know your end users and your ability to quantify how security tradeoffs will enhance or degrade the trust your users place in your company. In this talk, I will highlight the major security obligations of any application and provide some techniques to help you evaluate whether your security is ‘good enough’.