"Joined by two of our finest A specialist when it comes to security joined by Rice ashamed I Russia as Ivan. Thanks for having me on board and pull the Hulk. Hogan's can I feel so. Let's do some quick interest to set the scene so racer. What's your role here at Amazon? So I am a devops. Security Specialists with data lists professional services and in my identity I would help enterprises I guess enhance their security posture. optimizes security posture secured automation and And yet just as migrating through their workloads to Ida Bluer basically optimize that process protested employed by yourself on a security solutions solutions architect and I help customers with security risk and compliance in the cloud and low conversations. I've been having recently around GonNa desiccation. How do eventually build applications more securely? So that is the topic of today is sick opposite. Because we didn't think that devops enough of a Buzzword we wanted sick in the middle but the good thing is uses with guest today we have we have pulled talks about it and Raisa. Who actually makes it real but you still have working there for a long time in terms of sharing a lot of the knowledge Asia and techniques and things at work in the field and things that don't work in the field you've done some really great talks on which will link to in the shots sort of persona by top tokes but maybe before even Donald J blitz talk about what what ease even copes? Okay I'm going to let you stop house pointing at Eupol arrogant okay. Well I'll go and you can kind of fill in the gaps Vilamoura with Villamor. I miss when I talk about desktops. Firstly the thing tell us you can't go and buy self cups. 
It's not a thing that you can kind of say, I will install one of these and everything will be fine. It's kind of like DevOps: realizing that security is a requirement that everybody has, that is actually important to all people in an organization, not just people with security in the title. And when we talk about DevOps, it's a case of: is the modern technology that's available in the cloud that helps us build applications more quickly something that also helps us build applications better? And better in terms of security is making sure that we doing design as possible. We're catching things before we even get to production, and then how do we ensure that the thing that we intended to build was the thing that we actually built? And we can do that really, really quickly. So we're trying to help people ship security. Fundamentally, the position of the Sec in DevSecOps is not accidental. If we think about wanting to Hamas more the developer and the operational experience into one, having security being pervasive is really important. So rice ahead, you say it from your perspective of what customers are doing. I guess I'll just go back a little bit. So for me DevSecOps is the capability that an organization has to ship securely and to move fast securely. So it really does span all across the people, process, culture is a really big one, and then of course technology is what sort of, all of that, help sort of make that come to fruition, right? But I guess for me, when I sort of work with customers day in and day out, I see a lot of the no in the people and process. A lot of the automation actually ends up being in the people and process side, and the technology components kind of exist in each of the teams, with each of the parties involved. But it's kind of the integration point between the teams is where a lot of the automation capability really exists.
So that's what I kind of worked with. So almost automating the bureaucracy out of the system, in a way. Exactly. So, but before we get into some detail, let's look at outcomes. So it's one thing for us to stand here and say, well, you know, you get to faster, you can ship, it's all secure, blah blah. Can you give us some examples of what customers you've seen have achieved in terms of time to value, speed to market, cycle times, to give a feeling of what good looks like? So it really does sort of span customer to customer, and it really does also depend on the maturity of where the customer is at, and that's a key one. For, say, one of the most recent customers I've been working with has been National Australia Bank. They've kind of been quite vocal about this. So a lot of the capabilities we've worked with them on has been around really accelerating the SecOps teams to be able to keep up with the development teams. So in that case you'll see that a lot of the benefits come out in how fast they're able to react when sort of vulnerabilities are found, or how fast they can even detect the vulnerabilities, and then also how they're able to deploy controls across environments at scale. And that's been one of the key takeaways, I think, at least for NAB, because previously there was a lot of teams talking to each other. Say, security operations will talk to security architecture to get something approved, and then, you know, before they could do deployment, they'll have to talk to the platform team to say, hey, access to all these accounts and I need these sort of role changes to happen. But now basically all of the communication has been gone, like, has kind of disappeared, because we've changed that all to event-driven architectures. And so essentially as soon as a team is ready, that basically generates in writing event that another team can consume, and then they sort of part of the process started. So no.
There's no talking in between teams anymore. And then what that enables is that basically works as a trigger for other teams to do their deployments, and that changes sort of continues. And so from a time of fifteen to twenty days of doing deployments of controls across accounts, they are down to thirty to forty-five seconds. So it's very, very rapid movement, and completely taking away sort of people in those integration points between the teams. is cops relating example of where we saw, okay, in the cloud everything's driven by and so we can order might the leaving dials out of it if we want to. But you have to kinda culturally accept, celebrate and emphasize that, so that you can have these handoffs be automated, which is really only gets you from thirty days to thirty seconds. Isn't a hundred percent. Hundred percent. Paul, you wanna make any comments on this? Otherwise must be easy bryson mixer like a really good point, that it's enabling security people to do the things that they still need to do and the things that are important to an organization. Trading situation where people are building applications so focused on it is Chelsea. Don't have to wait to and get a response from a security person. Typically there are fewer security people in an org than developers. I was talking to a seven. They were saying that they were for every seven security. Thirty people dislike one hundred developers, something of that nature. So if you've got a blocking process, the traditional security architecture flow is very blocking, where somebody hands you a Dogra, you draw fouls go and handed back and tell them I've done something wrong. Rather than wooden capability which allows application teams to keep moving and make decisions which are appropriate for them, because they know how the application works. Give them fast.
They'd back give them event-driven, as mentioned, programmatic feedback, so they can make some informed decisions without having to wait for a human to come back and say, oh, you should have done this thing. And I think that's the important thing there: we're not actually saying don't check things. We're actually saying be really specific about what you're checking for and apply it without tolerance, basically. You're just saying it's either going to be there and it gets the tick automatically, or it's not going to get the tick. And it's actually easier organizationally and culturally if you tell people upfront what you expect. So a big part of this is the security org, the risk org, saying: here are the things that I expect our organization to do, here are the things that are important to us, these are the security non-negotiables, these are the things that are actually appropriate for your particular application. And to support me going, we need to encrypt volumes at rest, or we need to have certain network configuration, I'm going to provide a bunch of capability that will check that for you, even before you've built in some cases, and then that will enable you to move faster. So we're trying to get from security is the department of no to security is an enabling function."