Chris Nesbitt-Smith

Policy as [versioned] code - you're doing it wrong

Is your 'policy as code' just creating new friction? Learn how treating policy like a versioned software dependency finally makes compliance a collaborative engineering task.

Policy as [versioned] code - you're doing it wrong
#1about 7 minutes

Introducing the key personas in policy management

An allegorical story illustrates the conflicting perspectives of a CIO, product manager, developer, and operations staff on policy.

#2about 4 minutes

Why simply codifying policy is not enough

Codified policies often fail due to being kept secret, causing breaking changes during deployment, and generating warnings that are ignored in CI/CD pipelines.

#3about 5 minutes

Applying software patterns to policy management

The solution is to treat policy like a software dependency by making it visible, applying semantic versioning, and including tests.

#4about 4 minutes

Implementing versioned policy with modern tooling

A demonstration shows how to manage versioned policies for Terraform and Kubernetes using tools like Checkov, Kyverno, and Renovate for automated updates.

#5about 3 minutes

The cultural importance of purpose-driven policy

Effective policy requires a clear narrative explaining the risk it mitigates, which encourages collaboration and allows the policy to evolve with the business.

#6about 22 minutes

Q&A on policy culture, tooling, and security

The speaker answers audience questions about cultural challenges, tooling like OPA, supply chain attacks, and the role of risk management.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Demo of enforcing compliance with policy as code
04:33 MIN

Demo of enforcing compliance with policy as code

Unleashing Potential Across Teams: The Power of Infrastructure as Code

The challenges of managing policies as code in Git
03:42 MIN

The challenges of managing policies as code in Git

What we Learned from Reading 100+ Kubernetes Post-Mortems

Implementing automated guardrails instead of manual gates
02:24 MIN

Implementing automated guardrails instead of manual gates

Great DevEx and Regulatory Compliance - Possible?

Shifting security left to prevent incidents before deployment
02:49 MIN

Shifting security left to prevent incidents before deployment

OPA for the cloud natives

Key principles for balancing developer speed and safety
01:22 MIN

Key principles for balancing developer speed and safety

Great DevEx and Regulatory Compliance - Possible?

Q&A: Implementing DevOps and advocating for change
07:10 MIN

Q&A: Implementing DevOps and advocating for change

Shifting Stress to Progress— Understanding DevOps to do DevOps Better

Introducing Policy as Code and Open Policy Agent
06:29 MIN

Introducing Policy as Code and Open Policy Agent

Decoupled Authorization using Policy as Code

Implementing and enforcing supply chain policies
02:25 MIN

Implementing and enforcing supply chain policies

Securing your application software supply-chain

Featured Partners

Related Videos

See all videos
Platform Engineering vs. DevOps Why not both?
58:40

Platform Engineering vs. DevOps Why not both?

Christian Strack

What Developers Get Wrong About Application Quality
46:37

What Developers Get Wrong About Application Quality

Chris Riley

Shipping Quality Software In Hostile Environments
43:00

Shipping Quality Software In Hostile Environments

Luka Kladaric

Plan CI/CD on the Enterprise level!
56:19

Plan CI/CD on the Enterprise level!

Pawel Piwosz

Shifting Stress to Progress— Understanding DevOps to do DevOps Better
37:46

Shifting Stress to Progress— Understanding DevOps to do DevOps Better

Sonal Patil

Retooling and refactoring - an investment in people.
50:23

Retooling and refactoring - an investment in people.

Andrew Holway

Charting the Journey to Continuous Deployment with a Value Stream Map
30:46

Charting the Journey to Continuous Deployment with a Value Stream Map

Josh Armitage

Un-complicate authorization maintenance
1:00:00

Un-complicate authorization maintenance

Alex Olivier

Related Articles

View all articles
Andre Braun, GitLab
Now is the time for industrialized software development
Now is the time for industrialized software development Recently, I received a letter from my car’s manufacturer alerting me to a recall. They had discovered a defective part and wanted to replace it. It was easily fixed, and I might have forgotten a...
Now is the time for industrialized software development
Chris Heilmann
WeAreDevelopers LIVE days are changing - get ready to take part
Starting with this week's Web Dev Day edition of WeAreDevelopers LIVE Days, we changed the the way we run these online conferences. The main differences are:Shorter talks (half an hour tops)More interaction in Q&AA tips and tricks "Did you know" sect...
WeAreDevelopers LIVE days are changing - get ready to take part

From learning to earning

Jobs that call for the skills explored in this talk.

Software Developer

Software Developer

Deutsches Krebsforschungszentrum (DKFZ)
Bonn, Germany

Intermediate
C++
Java
Python