Andy Dennis is VP of Consulting at Modus Create, leading the Platform and Cloud Practice. Andy has 20+ years of industry experience focused on Security, DevOps and Platform Infrastructure. In his spare time, Andy tutors undergraduate Computer Security for Goldsmith UoL’s online degree program and has an interest in OSINT. A published author and speaker, Andy has written 6 books on topics ranging from Docker to Raspberry Pi Home Automation. He has spoken most recently at the DEFCON Recon Village, BSides CT and BSides Orlando.
The term “platform” is used in many contexts; here we explore two. The first is the hosting layer and environment that applications are deployed upon. The second is the self-service interface, tools and mechanisms by which individuals can build and expand upon that underlying hosting layer. Internal Developer Platforms (IDPs) sit within this second context, but leverage the first.
An IDP enables platform teams to produce a catalog of reusable infrastructure templates and patterns. Supported by portal interfaces, product engineers can leverage these reusable components to deploy supporting services themselves. IDP products such as Cortex and Backstage provide the opportunity for security and governance to be baked into these templating processes, ensuring secure-by-design infrastructure. Not only do we have self-service infrastructure, but also self-service security. Here engineers can implement pre-canned secure components and shift security downwards.
Complementing the move to “shift-left”, “shifting down” lets engineering teams take advantage of the pre-defined “security as code” available at the platform level. This allows teams to focus on the things that count, such as delivering new products, rather than worrying about securely deploying infrastructure. In turn, it also helps reduce the burden placed on Infrastructure and DevOps teams.
In this talk I will demonstrate how we can reduce the cognitive load on engineering teams to “learn all the security things” by using a “shift down” approach to secure platform development and the rollout of Internal Developer Platforms.