Security the Etsy way: Effective security in a continuous deployment culture presented at Kiwicon 2014

by Rich Smith


Summary: Effective security teams know that understanding people is just as important as understanding technology, and that achieving security for an organisation requires the security function to be constructive in problem solving rather than just blocking innovation. Much has been said about Etsy's engineering culture, and how continuous deployment and 'devops' have been embraced and developed, but how does security operate in such an environment? This talk will discuss the progressive tools, techniques and approaches the Etsy security team follows to provide security while not destroying the freedoms of the engineering culture that we all love so much. Topics will cover the building of an effective security organisation that is people-centric rather than technology-centric, and one that positions security to facilitate problem solving with fellow engineers rather than blocking progress through the fear of changing risk. The end result is a more honest and inclusive security approach, as opposed to the more common situation in which the perception of security becomes increasingly divergent from reality as engineers work to circumvent the imposed security constraints. Time permitting, some of the novel tooling developed and released as open source by Etsy will also be discussed and demonstrated.