Chris Nesbitt-Smith

Policy as [versioned] code - you're doing it wrong

Is your 'policy as code' just creating new friction? Learn how treating policy like a versioned software dependency finally makes compliance a collaborative engineering task.

Policy as [versioned] code - you're doing it wrong
#1about 7 minutes

Introducing the key personas in policy management

An allegorical story illustrates the conflicting perspectives of a CIO, product manager, developer, and operations staff on policy.

#2about 4 minutes

Why simply codifying policy is not enough

Codified policies often fail due to being kept secret, causing breaking changes during deployment, and generating warnings that are ignored in CI/CD pipelines.

#3about 5 minutes

Applying software patterns to policy management

The solution is to treat policy like a software dependency by making it visible, applying semantic versioning, and including tests.

#4about 4 minutes

Implementing versioned policy with modern tooling

A demonstration shows how to manage versioned policies for Terraform and Kubernetes using tools like Checkov, Kyverno, and Renovate for automated updates.

#5about 3 minutes

The cultural importance of purpose-driven policy

Effective policy requires a clear narrative explaining the risk it mitigates, which encourages collaboration and allows the policy to evolve with the business.

#6about 22 minutes

Q&A on policy culture, tooling, and security

The speaker answers audience questions about cultural challenges, tooling like OPA, supply chain attacks, and the role of risk management.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

The challenges of managing policies as code in Git
20:42 MIN

The challenges of managing policies as code in Git

What we Learned from Reading 100+ Kubernetes Post-Mortems

Shifting security left to prevent incidents before deployment
02:55 MIN

Shifting security left to prevent incidents before deployment

OPA for the cloud natives

Q&A: Implementing DevOps and advocating for change
17:34 MIN

Q&A: Implementing DevOps and advocating for change

Shifting Stress to Progress— Understanding DevOps to do DevOps Better

Introducing Policy as Code and Open Policy Agent
04:57 MIN

Introducing Policy as Code and Open Policy Agent

Decoupled Authorization using Policy as Code

Implementing and enforcing supply chain policies
23:29 MIN

Implementing and enforcing supply chain policies

Securing your application software supply-chain

How to introduce policy enforcement gradually
13:07 MIN

How to introduce policy enforcement gradually

What we Learned from Reading 100+ Kubernetes Post-Mortems

Exploring the core principles of DevSecOps
06:10 MIN

Exploring the core principles of DevSecOps

DevSecOps: Security in DevOps

Introducing Open Policy Agent for custom policies
30:46 MIN

Introducing Open Policy Agent for custom policies

A practical guide to writing secure Dockerfiles

Featured Partners

Related Videos

See all videos
Un-complicate authorization maintenance1:00:00

Un-complicate authorization maintenance

Alex Olivier

Decoupled Authorization using Policy as Code32:16

Decoupled Authorization using Policy as Code

Anderson Dadario & Denys Vitali

OPA for the cloud natives26:23

OPA for the cloud natives

Philipp Krenn

Great DevEx and Regulatory Compliance - Possible?23:26

Great DevEx and Regulatory Compliance - Possible?

Martin Reynolds

Platform Engineering vs. DevOps Why not both?58:40

Platform Engineering vs. DevOps Why not both?

Christian Strack

Technology is Necessary, But Not Sufficient37:09

Technology is Necessary, But Not Sufficient

Simon Copsey

3 Key Steps for Optimizing DevOps Workflows24:31

3 Key Steps for Optimizing DevOps Workflows

Daniel Tao

DevSecOps: Security in DevOps33:20

DevSecOps: Security in DevOps

Aarno Aukia

From learning to earning

Jobs that call for the skills explored in this talk.

Product Owner

Product Owner

Scopevisio AG

JIRA
Scrum
DevOps
Confluence
Agile Methodologies