Hello and welcome to the ThoughtWorks Beacon podcast.

I'm Johnny LaRoy and I'm here with Chelsea Comlow.

In this episode, we're discussing security and in particular how that fits into an agile process and into agile delivery teams.

So it seems like every day we are hearing more and more about security in the headlines.

And for good reason, businesses

are the ones to bear the cost if there's a security breach. People are really concerned.

And, you know, we see this happen every single day. A business might make the headlines,

and they bear the cost not only financially. There's now starting to be regulations around if there's been a data breach,

businesses will face fines, but also in the reputation. So, you know, if something were to

happen with user data, people will think about this and it'll be correlated with that company in the

future. The damage to brand reputation is really a big risk. Oh, yeah, huge. Yeah, exactly.

So a year or so ago in our technology radar, we came up with this phrase of the security

sandwich, which we were seeing as a bit of an anti-pattern, or at least a way to describe

more traditional security approaches. And we called it the sandwich because the meat of your delivery was in the middle, but then

security came on either side, like the two pieces of bread.

There'd be some upfront security planning and documentation, and then some penetration

testing and certification at the end.

While that's good and useful and important, most businesses are now moving to much more agile, continuous processes.

And so we're really on a mission to work out how to bake security processes into continuous delivery approaches.

And that's really what we want to talk about today.

And in some ways, there's similar parallels to what we saw in other areas over

the last decade or so. For example, moving QA, quality assurance and testing into delivery

...