top of page

Andy Dennis

Shift Down - Foundational Security with Internal Developer Platforms (IDP)


Andy Dennis is VP of Consulting at Modus Create, leading the Platform and Cloud Practice. Andy has 20+ years experience in industry focused on Security, DevOps and Platform Infrastructure. In Andy’s spare time he tutors undergraduate Computer Security for Goldsmith UoL’s online degree program and has an interest in OSINT. A published author and speaker, Andy has written 6 books on topics ranging from Docker to Raspberry Pi Home Automation. He has spoken most recently at the DEFCON Recon Village, BSides CT and BSides Orlando.



Shift Down: Foundational Security with Internal Developer Platforms

When we use the term platform we can use it in many contexts, here we explore two. First, platform meaning the hosting layer and environment that applications are deployed upon. The second, the self-service interface, tools and mechanisms by which individuals can build and expand upon that underlying hosting layer. Internal Developer Platforms (IDPs) sit within this second context, but leverage the first. An IDP enables platform teams to produce a catalog of reusable infrastructure templates and patterns. Supported by portal interfaces product engineers can leverage these reusable components to deploy supporting services themselves. IDP products such as Cortex and Backstage provide the opportunity for security and governance to be baked into these templating processes, ensuring secure-by-design infrastructure. Not only do we have self-service infrastructure, but self-service security. Here engineers can implement pre-canned secure components and shift security downwards. Complementing the move to “shift-left”, “shifting down” lets engineering teams take advantage of the pre-defined “security as code” available at the platform level. This allows teams to focus on the things that count, such as delivering new products, and not worrying about securely deploying infrastructure. In turn it also aids in reducing the burden placed on Infrastructure and DevOps teams. In this talk I will demonstrate how we can reduce the cognitive load on engineering teams to “learn all the security things” by using a “shift down” approach to secure platform development and the roll out of Internal Developer Platforms.


Introduction to DevSecOps Workshop

Introduction to DevSecOps Workshop provides BSides PR participants with an introduction to DevSecOps using GitHub and open source tools.

Attendees will learn about setting up a local development environment including pre-commit hooks and other preventative measures. Students will then progress into building out a simple CI/CD pipeline that uses free and open source tooling.

A Short Description

Introduction (15 mins)

Discussing the purpose of shifting left and security in software development

Pre-setup Phase

Students will be guided through:

● Setting up a GitHub user account

● Fork and Clone the example code repository

Security within the IDE (30 mins)

Attendees will learn to integrate security measure into their local development environment to

act as a preventative mechanism:

● Setting up pre-commit hooks will be explored. This includes tools such as Talisman.

● Git ignores. Git ignore files are a useful mechanism for preventing config files containing

secrets, or other files such as .zips being committed to a repository.

Scanning the Repository (60 mins)

Students will build a simple CI/CD pipeline which demonstrates techniques such as secrets

scanning and vulnerability detection:

● The first topic covered is how to enable branch protection rules and PR gating

mechanisms in GitHub. These can then be integrated with CI/CD tools to create a gating

mechanism. .

● Next a demonstration of how secret scanning can be performed in the source code will

be presented. This includes examples from GitHub and then open source Horusec tool.

● Students are then introduced to the concept of detecting security vulnerabilities (CVEs) in

the source code repository. Horusec and CodeQL will be used to demonstrate these


● Finally the subject of dependency analysis and SBOMs will be covered. GitHub’s

dependabot provides a mechanism for analyzing software dependencies associated with

a code base and understanding if they contain CVEs. Here we wrap up with a

walkthrough of dependabot and an overview of SBOMs

Wrap-up (15 mins)

● Recap of what we’ve learned

● Q&A

Setup Information:

Download TXT • 2KB

Andy Dennis
bottom of page