You are viewing content from a past/completed QCon

Presentation: A Continuation of Devops: Policy as Code

Track: Security Transformation

Location: Whittle, 3rd flr.

Duration: 5:25pm - 6:15pm

Day of week: Tuesday



Organisations large and small are embracing devops and agile practices and transforming themselves into software companies. As part of that movement, many organisations have embraced infrastructure as code: the idea that, rather than managing servers, databases and cloud infrastructure manually, systems administrators describe them in software.

Security is about controls, but many of those controls are still maintained in spreadsheets, described in baroque documents that not everyone has access to, or enforced with people as the gatekeepers. How can we apply the patterns that have transformed infrastructure management to improve security?


In this talk we will:

  • Look at examples of tools that move security controls into code, with a focus on ModSecurity, InSpec and Open Policy Agent
  • Explore the properties of successful infrastructure management tools, and what is missing in security tools today
  • Discuss how policy as code can work at the team level: who has responsibility for what, and how this encourages collaboration

Speaker: Gareth Rushgrove

Product Manager @Docker

Gareth Rushgrove is a product manager at Docker. He works remotely from Cambridge, UK, helping to build interesting tools for people to better manage infrastructure and applications. Previously he worked for the UK Government Digital Service focused on infrastructure, operations and information security. When not working he can be found writing the Devops Weekly newsletter or hacking on software in new-fangled programming languages.
