Tuesday, February 8, 2022
Speed is the name of the game in continuous integration. The quicker a developer can get feedback on her changes, the quicker she can address problems and move on to the next feature.
Imagine shaving 10 minutes off your build. For a developer pushing code 5 times a day, this is 40 hours of time savings a year.
In this session, Ben will offer 7 actionable tips that mobile developers can apply to their own CI pipelines to enjoy super fast CI responsiveness.
OPEN TALK: Learn How to Find & Fix Security Issues in Kubernetes Manifests Using Open Policy Agent and Regula
Teams can now run pre-deployment security checks on their Kubernetes (K8s) manifests using Open Policy Agent (OPA), the open standard for policy as code and a Cloud Native Computing Foundation project.
In this session, Aidan O'Connor (Senior Solutions Engineer at Fugue) will walk through using OPA and Regula (an open source OPA-based tool purpose built for IaC checks) to find and fix security issues (measured against Center for Internet Security Benchmarks) in your K8s manifests pre-deployment.
Attendees will walk away with an understanding of:
- The kinds of security risks that need to be considered with K8s manifests
- Using OPA and Regula to catch security vulnerabilities and learn how to remediate them
- How automated K8s manifest checks can be integrated into DevOps workflows
“The smarter an application is, the dumber its code should be.”
Have you ever tried to add a minor feature to your application only to discover that you’ll have to re-write large blocks of code first? Or maybe you’ve spent hours deciphering hundreds, or perhaps thousands, of lines of existing code just to find out a task only required two lines of additional code. If you’re like most developers, you’ve wasted countless, frustrating hours wading through immensely complicated code trying to force it to do things it wasn’t built for.
In this presentation, we’ll discuss 5 principles to help you create stupidly-simple applications that are maintainable, extendable, and bug-resistant. If your code is already suffering from “genius syndrome”, we’ll also be discussing strategies for refactoring existing code to avoid the infamous “grand rewrite.”
Testing in production used to be a joke. In fact, it was a popular "Most interesting man in the world" meme. But as life often imitates art, this meme has become reality. As it turns out, the best tests to learn from are the ones that match production. So when looking for feature flag solutions, developers and software delivery teams find themselves looking for ways to test their code and deployments in prod!
In this talk we will dip our toes into the world of feature flags. We'll begin with an overview of what feature flags are, how to think about them, and why both engineers and business users find them valuable. You'll also learn how to get started with feature flags, and the key things to look out for once you "Do it live!"
I just wrote some code that can have a positive effect on our customers and I’m motivated to release it as quickly as possible. I need your help but you are busy and motivated to continue working on your own code. I call this conflict The Pull Request Paradox.
This problem is not theoretical - it affects most developers every day. The average pull request takes 4 days to merge from when it's opened, and half of that time is idle time. That means every PR sits idle for two days on average! That idle time reduces our code quality, kills our flow and makes it really hard to plan our sprints accurately.
In this talk I'm sharing:
* New ideas to merge your PRs faster based on analysis of 733K PRs from 26K developers
* Why asynchronous is NOT better than synchronous when it comes to PR code reviews
* Context you can add to your pull requests to get them reviewed by your team 5X faster
* How idle time in PRs reduces situational awareness and increases cognitive load
* Why the time of day you open your pull request affects how quickly you merge
Secure software development isn’t always a top concern to the business unless you are in a highly regulated industry. Today, time to market is often more important than security: the value of the product you sell is increased through continuous improvement and quick software releases. To create and maintain a lead on the competition, you have to be really good at Agile and DevOps.
A potential scenario: the security team has called an emergency meeting. A new vulnerability has been publicly disclosed that impacts not only your software, but your company and your customers. Will the required remediation take hours or even weeks to complete? It depends on your preparedness.
To improve your readiness and reduce impact, we will look at tips and actions you can take now.
1. The scope of the mess that was created by the Log4j CVE.
2. Why most companies struggled to address it quickly.
3. What steps you can take now to be ready for the next one.
Having good reliability means that incidents are nothing special, merely variations of our regular work. Such a perfect dream of Site Reliability Excellence means that there are clear paths to expertise and common grounding between teams happens frequently. To make this vision a reality, we run an open session at Blameless that builds on musical traditions of improvisation. Inspired by western jazz and Indonesian percussion orchestras, our weekly session seeks to build group intuition through a discipline of iterative collaboration. In this talk I introduce our approach to continuous learning, Practice of Practice Gamelan.
What we've created is an opportunity for coming together in a collaborative way without the anxiety of performing under pressure. We share mental models through the telling of stories, playing of games, and riffing of ideas. Different areas of our socio-technical system are explored as seen through different eyes. By learning about how our coworkers view the system we operate together, we continuously build new connections through our newly shared perspectives. We not only learn how our teammates strive towards Reliability Excellence in their daily work, we also reduce unknowns about the system itself, giving us more flexibility to adapt around inevitable ambiguity. Come see how we want incidents to be just another time to get together and jam about some fascinating part of the system that has suddenly revealed itself as a wrong note we can learn by.
Learn how developers can use Synopsys® Code Sight™ plug-in to quickly find and fix security defects in source code, open source dependencies, IaC and more, without leaving the IDE. It’s easy to try, and provides quick time to value. It helps them write better code, fix issues before code commit, and avoid costly rework caused by issues not found until downstream testing.
Traditional monitoring and observability platforms continue to support the same approach: DevOps and SRE teams must centralize logs, metrics, and traces before they can start to analyze them. Faced with exploding data volumes, teams dependent on these platforms are left trying to predict which systems and datasets to monitor and centralize. What doesn’t meet the bar gets neglected or discarded altogether. You shouldn’t have to compromise data visibility to stay within budget. In this session, Edge Delta CEO and Co-Founder, Ozan Unlu will break down Edge Observability -- a novel approach to observability that aims to solve this issue. You will learn how DevOps and SRE teams can maximize visibility, optimize costs, and respond to issues orders of magnitude faster.
Implementing a search experience for a single database of content can be straightforward. However, many companies operate several distinct websites that each feature important content for their customers. For example, your marketing site, product documentation library, developer hub, and community portal may all use separate content management systems, possibly managed by different teams.
If each site has its own isolated search experience, then the information from each is siloed. As a result, your customers may not find what they're looking for when they visit one of your web properties. Or, your users may find a helpful article, but they may not be exposed to some of your other content that's relevant to their query. If you create a combined search experience that incorporates the content from each of your sites, you can address both of these problems.
This talk presents a solution for a federated search experience. The federated search will serve a content library that spans disparate content types and databases. This issue was tackled by Linode during a redevelopment of the Linode Docs website (https://www.linode.com/docs) in 2020. The presented solution is powered by Algolia. The talk will outline the technical architecture for our Algolia search indices, how they are queried, and how they are kept up-to-date with the content present in each of our web properties.
Finally, once you have implemented a federated search experience, the search backend can also be used to power interesting non-search navigation for your sites. For example, the Linode Docs site features a tree navigation that includes all of the content that we offer. The talk will explore how this was accomplished.
A well-crafted container or Kubernetes deployment avoids using excessive privileges, shipping unused packages, and leaking credentials, and exposes a minimal attack surface. By removing known risks in advance, you’ll reduce security management and operational overhead; however, not everything can be known and prevented in advance. You cannot forget about security once the container is running.
Join this session to gain clear direction on how to:
- Build images and apply Dockerfile best practices
- Reduce the attack surface and optimize size for distribution using multistage builds
- Manage threats and vulnerabilities, like log4j
Our ability to manage infrastructure, reason about the impacts of changes and keep it secure and compliant has grown in complexity. Full stop. The proliferation of development tools in the market with a variety of teams adopting different solutions on different infrastructures creates a silo effect that is real and painful for many operators today. Choices that were once the domain of the operations team are now handed directly to application teams, with an ever increasing push to adopt new technologies. This talk will focus not only on “the why” of this complexity but more importantly on “the how” to get your team on the right path to manage this complexity in a way that allows you to continue to deliver software and services quickly but in a secure and scalable way. It will explore how tools, practices and organizational structures all play a role in not only surviving, but thriving in a world of ever expanding infrastructure complexity.
Cadence is an exciting technology open sourced by Uber in 2017 that is a foundational technology for Uber and several other leading tech companies. Cadence makes it easier and much more efficient to develop and operate long-running, highly reliable process-based business logic (or workflows) at the highest levels of reliability and scale.
This session will explain the basic concepts of Cadence by walking through some simple code examples, discuss how to determine if your use-case is a good fit for Cadence, and outline some considerations for the successful adoption of Cadence in your organization.
Wednesday, February 9, 2022
Creating functional deployments for k8s is hard enough without even beginning to think about doing it securely. Part of your team is at war backing Helm vs Kustomize, and your dirty secret is that you love straight-up YAML!
As a security fan you’re looking for an easy win with zero budget to help make sure the “Department of No” doesn’t block the deployment regardless of your Infrastructure as Code choice.
In this live demo, we’ll see how Checkov (you love Star Trek too!), the open source IaC scanning tool by Bridgecrew, can handle all of that AND do so right in your IDE.
DevOps + Security = SomethingSomething… let’s figure it out together.
As of 2017, 90 percent of public cloud workloads ran on Linux. Linux allows organizations to make the most of their cloud-based environments and power their digital transformation strategies. Many of today’s most cutting-edge cloud-based applications and technology run on Linux, making it a critical area of modern technology to secure.
According to a recent Linux Threat Report, most threats arise from systems running end-of-life versions of Linux distributions. This includes 44 percent from CentOS versions 7.4 to 7.9. In addition, 200 different vulnerabilities were targeted in Linux environments in just six months. This means attacks on Linux are likely taking advantage of outdated software with unpatched vulnerabilities.
This session will reveal steps you can take to ensure security across the workloads and cloud presence powered by Linux, and how to effectively respond to the possible threats.
Join Aaron as he walks through the data, speaks to the threat, and highlights the top three mitigation strategies for all enterprises.
Attendees will learn:
• How to utilize free Linux-native tools including iptables, seccomp, PaX, etc., for configuration assessment, vulnerability patching and activity monitoring.
• Simple steps you can take to secure containers effectively.
• Best practices in AppSec, including testing, scanning and software composition analysis (SCA) of open source.
Access control in AWS is done via IAM policies. Policies and permissions in IAM can get really complex really fast, leaving a ton of room for mistakes and misconfigurations. To put this in perspective:
- There are six types of IAM policies
- Policies can have a combination of Deny and Allow statements
- Each statement includes Actions, Resources, Principal, Conditions
- Each statement can also have negations (exceptions) such as NotResource, or StringNotEquals in Conditions
- And many other details and tricks
It is best practice to configure least-privilege policies. However, getting it right is often more challenging than it looks. As a result, most policies are written with wildcards (*) in Actions, or Resources, or both, with no meaningful Conditions. It is also very difficult to understand the net effective permissions of a policy that contains both Allow and Deny statements, with seemingly contradicting conditions and exceptions. AWS provides an IAM policy simulator that helps, but only to a limited extent. With the IAM policy simulator, you have to specify the service(s), action(s), and/or resource(s) and get a “yes/no” answer back telling you whether a policy grants the permission for that known combination. It cannot answer the broader question of “given a policy, what resource permissions does it grant” in general.
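As an added illustration of the evaluation rules the abstract describes (this is not code from the session or from AWS), the following miniature evaluator applies explicit-deny-over-allow, wildcards, NotResource and StringEquals/StringNotEquals to a constructed policy; it models only identity-based policy logic and string operators, and the policy, ARNs and tag key are assumptions. The `effective_permissions` helper shows why the simulator-style yes/no question is easy while the "what does this policy grant" question is not: it can only brute-force a candidate universe you supply.

```python
"""Toy IAM policy evaluator (added example; assumptions: identity-based
policies only, string condition operators only, no resource policies,
boundaries or SCPs)."""
import fnmatch
from typing import Any, Dict, Iterable, List, Set, Tuple


def _as_list(value: Any) -> List[Any]:
    """IAM lets Action/Resource/condition values be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(patterns: Iterable[str], value: str) -> bool:
    """IAM wildcard matching ('*' and '?'). Actions are case-insensitive;
    lowercasing ARNs too is a simplification of this toy."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _conditions_hold(conditions: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """AND across operators and keys, OR across the values listed for a key.
    Negated operators evaluate to true when the key is absent from the
    request context, so a StringNotEquals Deny also hits requests that
    carry no such key at all (the classic VPC-endpoint deny pattern)."""
    for operator, key_values in conditions.items():
        for key, expected in key_values.items():
            actual = ctx.get(key)
            wanted = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            elif operator == "StringLike":
                if actual is None or not _glob_match(wanted, actual):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_applies(stmt: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> bool:
    """A statement applies when action, resource and conditions all match;
    NotAction / NotResource invert the respective match."""
    if "Action" in stmt:
        if not _glob_match(_as_list(stmt["Action"]), action):
            return False
    elif "NotAction" in stmt:
        if _glob_match(_as_list(stmt["NotAction"]), action):
            return False
    if "Resource" in stmt:
        if not _glob_match(_as_list(stmt["Resource"]), resource):
            return False
    elif "NotResource" in stmt:
        if _glob_match(_as_list(stmt["NotResource"]), resource):
            return False
    return _conditions_hold(stmt.get("Condition", {}), ctx)


def is_allowed(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str] = None) -> bool:
    """The yes/no question the policy simulator answers for one known
    (action, resource, context) triple: explicit Deny beats any Allow,
    and without a matching Allow the default is deny."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_permissions(policy: Dict[str, Any], actions: Iterable[str], resources: Iterable[str],
                          ctx: Dict[str, str] = None) -> Set[Tuple[str, str]]:
    """The broader 'what does this policy grant' question: only answerable
    here by enumerating a candidate universe; anything outside it is unseen."""
    return {(a, r) for a in actions for r in resources if is_allowed(policy, a, r, ctx)}


# Constructed sample: broad S3 Allow, plus a Deny on deletes everywhere except a
# scratch bucket, waived for callers tagged team=platform (all values invented).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
         "NotResource": "arn:aws:s3:::scratch-bucket/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalTag/team": "platform"}}},
    ],
}

if __name__ == "__main__":
    prod = "arn:aws:s3:::prod-bucket/report.csv"
    print(is_allowed(SAMPLE_POLICY, "s3:DeleteObject", prod))                       # False: Deny wins
    print(is_allowed(SAMPLE_POLICY, "s3:DeleteObject", prod, {"aws:PrincipalTag/team": "platform"}))  # True
```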
DevOps involves integrating development, testing, deployment, and release cycles into a collaborative process. Security is often considered an afterthought; something to be inserted just before release. Thinking ahead to integrate security throughout the DevOps cycles involves intelligence, situational awareness, and collaboration. This is called DevSecOps. Join this session to learn about the importance of DevSecOps, the practicalities of implementing a strong solution and hear a couple of use cases to demonstrate why.
OPEN TALK: How Beta Testing Can Support Automated Testing to Help You Release Better Mobile Apps Faster
53% of users have reported uninstalling or removing a mobile app with issues such as errors and freezes. As developers, a critical bug making it through to your end users, in turn leading to customer and revenue loss, is one of your biggest nightmares, especially if you never got this feedback from real users during testing.
When application performance and stability can make or break your business, how can you prevent bugs from reaching end-users and deliver the best possible mobile app experience, every time? Well, part of the solution lies in completing your automated testing strategy with mobile app beta testing, to help you quickly deploy beta versions of your apps, get critical real-user feedback, and iterate at a faster pace.
Join Wim Selles, Lead Solutions Architect at Sauce Labs, as he discusses how you can address the key challenges inherent to mobile app development by optimizing your beta testing processes. Wim will demonstrate how a developer-centric mobile testing solution can enable you to improve both the quality and release velocity of your mobile applications.
You will take away:
- How seamless access to mobile beta testing capabilities can help you take your mobile app development to the next level
- How to implement beta testing best practices, including finding the right beta users, enabling them to report more bugs faster, and getting the most value of bug reports
- How to streamline your iOS and Android app distribution, and optimize your mobile app beta testing processes to shorten app development cycles
During this session, we will guide the audience on the important role that DevSecOps has to effectively and efficiently drive and support cybersecurity compliance for enterprises. Specifically, we will explain how achieving a cybersecurity audit can help businesses focus their efforts on driving revenue and sales. We’re experts on the topic -- our team at Strike Graph takes customers from zero to 100 by helping their teams (like DevSecOps) to manage and automate important audits effectively and efficiently.
We will share tips and insights to help you maximize efficiency for compliance, such as:
What is DevSecOps really?
Why is security operations a revenue issue?
What is the lifecycle and distribution of security activities?
How to scope and operationalize security from a technology executive perspective.
What are security controls and how do I avoid “Security Theater”?
How to automate procedures and drive DevSecOps towards effective security.
How to take credit for your security practices that drive towards valuable certifications.
How to manage your auditor as opposed to being managed by your auditor.
Open source software is the de facto standard for many new applications, this is especially true in the database industry. Currently, MySQL, PostgreSQL, MariaDB, MongoDB, Elastic, and others have shown up in every industry and organization in the world in some form or another. People are no longer choosing a single database for the company, they are letting developers and architects choose the best database for the job.
This has led to an increase in the number of technologies operations teams have to support. Couple that increase in technologies with a growing micro-service (or cloud-native) development paradigm where every service has its own database and where all the data is valuable.
Companies are now faced with dozens of technologies, hundreds or even thousands of individual database instances, and petabytes of data. The management of the complexity of such an environment is changing the way we look at systems and operations.
Let’s talk about the trends and tell you what you need to know about how to manage the new multi-verse of data.
CI/CD success comes with iteration and continuous improvement. Harnessing the power of logs from the CI/CD process can be key to driving improvement. In this session we will demonstrate an easy path to bring CI/CD logs from Jenkins (or any platform utilizing cloud object storage in AWS or GCP) to drive success with CI/CD.
During the demonstration of the ChaosSearch Data Platform, we’ll share how you can easily access and leverage:
Velocity and Trends of CI/CD progress
Build failure trends and debugging
Visualizations & Dashboards
Alerts and Integration opportunities
The Jamstack movement has forever changed the trajectory of the web by decoupling backend and frontend technologies. Today, the Jamstack provides nearly limitless choices to developers designing the best customer experiences in web applications. Netlify’s platform unites the Jamstack ecosystem of modern web technologies with a great developer experience, helping developers create dynamic, scalable, secure apps.
To deliver the speed and agility that developers need when moving to a modern Jamstack architecture, Netlify continues to expand its platform to provide a workflow and productivity that natively integrates with every major web framework, API and developer tool. In this session, Matt will introduce the concepts of this architecture, highlight how to best utilize this integrated platform, and unveil how these workflows can unleash developer productivity for your team.
According to Product School’s annual State of Product Report, more than 45% of product managers say prioritization is their biggest challenge faced.
Backlog prioritization can feel like an ongoing rat race where you’re juggling a myriad of inputs and trying to keep up with demands. And yet, PMs are challenged to be the CEOs of their product and think strategically and proactively.
According to a study by Workato, a leader in enterprise automation, two-thirds of product managers report concern over managing their integration backlog and the volume of integration requests they receive.
Fortunately, product managers can have it all by leveraging the Workato Embedded Platform. Learn how the solution can help you become the hero CEO of your product and efficiently tackle integration requests that save engineering resources for building core product features, all while driving new revenue for your product.
Cloud deployments offer the potential for almost infinite resources and flexible scalability. But there are so many options! It can be overwhelming to know which services are best for your use case. Building distributed systems which take advantage of in-memory computing only adds to the complexity.
During this session we will introduce a new cloud service for the Apache Ignite in-memory computing platform and the best practices we followed in implementing this service. We will look at the advantages and disadvantages of containers vs. VMs, the value of standardized configurations, how to size system resources based on the workload, and how we configured security and networking.
The software we write does not always work as smoothly as we would like. In order to know if something went wrong, understand the root cause and fix the problem, we need to monitor our system and get alerts whenever issues pop up. There are many useful tools and practices for Kubernetes based applications. As we adopt serverless architecture can we continue to use the same practice? Unfortunately, the answer is no.
In this session, we will discuss:
- The differences between monitoring Kubernetes and serverless based applications
- Best practices for serverless monitoring
- Methods to efficiently troubleshoot serverless based applications
OPEN TALK: Fake Your Data: Mimicking Production to Maximize Testing, Shorten Sprints, and Release 5x Faster
Raise your hand if you’ve ever written a script or built a tool to generate test data for your staging environment. Keep your hand up if it was fun. And easy. And still works. If your hand (and shoulders and morale) fell, rest assured you’re not alone. Now for the good news: help is here.
With the increasing complexity of today’s data ecosystems and the expanding reach of privacy regulations, generating useful, safe test data has become more difficult and riskier than ever. An effective test data solution must work across a variety of database types and de-identify production in a way that ensures privacy. Challenging? Yes. Attainable? That, too.
Technologies now exist that integrate directly into your data ecosystem to create test data that looks, acts, and behaves just like your production data. By hydrating QA and staging with useful, safe, fake data, dev teams are upleveling testing, catching bugs faster, and shortening their development cycles by as much as 60%. Data mimicking sets a new standard of quality test data generation that combines the best aspects of anonymization, synthesis, and subsetting.
Explore these technologies in a live demo and discover how to use them to:
- Maintain consistency in your test data across tables and across databases
- Subset your data from PB down to GB without breaking referential integrity
- Achieve mathematical guarantees of data privacy
- Increase your team’s efficiency by 50%
- Realize 5x more releases per day
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session, Oleg Chunikhin, CTO of Kublr, describes best practices for “configuration as code” in a Kubernetes environment. He will demonstrate how a properly-constructed containerized app can be deployed to both Amazon and Azure, and how Kubernetes objects, such as persistent volumes, ingress rules and services, can be used to abstract from the infrastructure.
Why pay a lot of money for public and private cloud providers, when you already have your own, free, server farm? I will show you how you can utilize your organizational resources to run serverless functions for free, at scale, using open source serverless platforms (or your own platform), in a few easy steps. This is the next step in cloud/serverless evolution - see my article here: https://firstname.lastname@example.org/you-are-your-own-cloud-7c1cf7256ce2
By now, most of us have experienced the benefits of automated drift detection and reconciliation. Any application running in Kubernetes is benefiting from those. No matter what happens to our resources, Kubernetes will always try to converge the actual into the desired state without human intervention.
Why don't we have those features when working with infrastructure? Why don't we embrace the Kubernetes API for everything, and not only for infra? If we do, we'll be able to manage all our resources in the same way and reap the same benefits, no matter whether those resources are applications, infrastructure, services, or anything else.
In this talk, we'll explore the effects of having (and not having) automated drift detection and reconciliation applied on infrastructure and explore Crossplane as one possible solution that enables us to leverage the Kubernetes control plane to manage everything, including infra.
Coined in 1994, “Zero-trust” has only recently come into focus as a powerful tool to combat the recent explosion of cybersecurity attacks. In short, the concept advocates a default posture to deny access under the assumption that nothing in the IT infrastructure can be fully secured. But how does Zero Trust relate to DevSecOps and how can developers work within a Zero Trust framework while still maintaining agility and flexibility? In this session, Anant Misra will guide developers through best practices for upholding Zero Trust principles throughout the application development lifecycle.
Attendees will learn:
1. What Zero Trust DevSecOps means, why it is important, and how it can be used to proactively combat cyberattacks
2. How to set up Zero Trust DevSecOps in their organization
3. How to create a holistic Zero Trust DevSecOps strategy that doesn’t slow down development or release timelines
Understanding what is happening with a solution that is built from multiple components can be challenging. While the solution space for monitoring and application log management is mature, there is a tendency for organizations to end up with multiple tools which overlap in this space to meet different team needs. They also work on aggregate then act, rather than consider things in a more granular way.
Fluentd presents us with a means to simplify the monitoring landscape and address the challenges of the hyper-distribution that comes with microservice solutions, allowing the different tools that need log data to help in their different ways.
In this session, we’ll explore the challenges of modern log management and how Fluentd can make hybrid and multi-cloud solutions easy to monitor.
The requirements of digital operations for businesses in any industry can stretch resources and cause stress. Keeping on top of your organization’s technical platforms is daunting. It’s easy to miss things when your team is embroiled in an incident, but one thing you can never go short on is communications with your users during an incident. Your Customer Service team is critical to not just communicating with users when things go wrong, but to the incident identification and response process itself. As the team closest to the customer, incorporating customer service teams into the DevOps lifecycle will reduce silos, shorten feedback loops, empower agents and delight your customers.
Full-Case Ownership is a methodology that brings customer service teams in line with development teams, organizational goals, and ultimately the final customer experience. In this talk, you will learn the importance of full-case ownership and customer service ops, and how to help your customer service and dev teams establish strong practices of collaboration as one team in service of your customers.
PRO TALK (CloudWorld): How an AI Driven Approach Reduces Cloud Cost and Makes Your Kubernetes Infrastructure Autonomous
Measuring and controlling costs in cloud environments is often complex. But it does not need to be. In this session, we will discuss how an AI driven approach renders your cloud native applications on Kubernetes fully autonomous and rightsizes the cloud compute resources of your cluster in sub-minute intervals. We will go over an experiment with the deployment of an application, and apply autonomous techniques that fiercely control and optimize the cluster.
We will discuss how to control and optimize the cost of your AWS EKS, Google GKE and Azure AKS applications in minutes. Instantly. You will learn about powerful (yet simple) strategies to rightsize your clusters: automated scaling up and scaling down to zero of your nodes and pods, smart selection of VM shapes, and the automated use of spot instances.
Embedding security into DevOps practices is critical for enterprises making the transition into Secure DevOps. The Secure DevOps evolution is enabling continuous security, which is achieved by shifting left to the development team. The market-leading application security tool HCL AppScan makes it simple for developers to scan in every stage of the process with DAST, SAST and IAST capabilities.
Learn how with market leading tools and the right approach, you can build applications securely, without compromising speed.
One of the tough challenges in adopting containers and Kubernetes across all enterprise applications is the availability of shared data services native to Kubernetes. Developers are often fraught with making a trade-off between choosing the flexibility that Kubernetes offers vs. the enterprise-rich data management that comes with traditional IT. This session presents novel architecture principles in delivering a Kubernetes-native data store that addresses the needs of cloud native modern applications. The audience will learn about NetApp's shared file service solution that delivers enterprise-grade data management to Kubernetes applications.