OPEN Expo Innovation Stage
Tuesday, February 8, 2022
OPEN TALK: Learn How to Find & Fix Security Issues in Kubernetes Manifests Using Open Policy Agent and Regula
Teams can now run pre-deployment security checks on their Kubernetes (K8s) manifests using Open Policy Agent (OPA), the open standard for policy as code and a Cloud Native Computing Foundation project.
In this session, Aidan O'Connor (Senior Solutions Engineer at Fugue) will walk through using OPA and Regula (an open source, OPA-based tool purpose-built for IaC checks) to find and fix security issues (measured against Center for Internet Security Benchmarks) in your K8s manifests pre-deployment.
Attendees will walk away with an understanding of:
- The kinds of security risks that need to be considered with K8s manifests
- Using OPA and Regula to catch security vulnerabilities and learn how to remediate them
- How automated K8s manifest checks can be integrated into DevOps workflows
Conversation Intelligence (CI) APIs enable developers to build applications that go beyond basic speech to text, creating a new array of sophisticated AI-driven experiences and functionalities. Basic speech recognition is designed to recognize or respond to explicit words and phrases, while conversation intelligence is capable of contextual comprehension of any human conversation to effectively extract key insights, identify user intent, surface actionable insights, detect sentiment, and more.
Conversation Intelligence has given rise to a new generation of AI-driven applications and platforms across various verticals such as revenue intelligence, tele-health, call centers and customer support, collaboration and productivity platforms and more…
“I really want to develop a tool that aggregates user interactions!”, said no developer ever.
Product-Led Growth (PLG) has stormed into our lives over the past few years. Concepts like usage-based pricing, seamless onboarding, built-in security, and product analytics are now taking a toll on developers. Companies are investing more and more engineering resources in developing self-service features that are shifting the focus from building innovative code for your product’s core technology.
From the product side, this surely looks innovative and unique. However, from the development side, it adds another variable into the equation, which already includes bugs, security issues, never-ending product feedback loops, and other things that stop developers from building exceptional code.
But while investing resources in creating a seamless product experience is crucial, isn’t the core value of the product more important? How can developers build self-service features, while achieving their innovative selves?
In this talk, we will be discussing the application side of the story for PLG success. This will be a practical demonstration of how developers can integrate self-service and data-driven by-design capabilities, while ensuring speed, flexibility, and full user observability, without sacrificing innovation.
As you adopt cloud native technologies and Kubernetes, you will face a myriad of technology, process, policy and people decisions. What tools and patterns are needed to be successful? How can you ensure Kubernetes is a success across your DevOps team and organization? Rachel Sweeney, Product Advocate SRE at Fairwinds, discusses why Kubernetes plays an important role in your DevOps experience and the 5 things to help your team succeed at Kubernetes. Learn a few critical steps to achieving your Kubernetes Maturity around technology, security, visibility and consistency.
The recommendation algorithm is not new to modern apps or platform businesses. However, with a chat feature and mobile-first strategy, Hirect is creating a new engine for the job marketplace - just like the engine behind the refreshing user experience of TikTok. Based on the algorithm, Hirect can not only give a better distribution and matching of jobs and candidate lists, giving more exposure to small businesses and breaking the domination of the top 10% of giant companies from the traditional paid-ads promotion model, but also react instantly to users' feedback and activities.
I just wrote some code that can have a positive effect on our customers and I’m motivated to release it as quickly as possible. I need your help but you are busy and motivated to continue working on your own code. I call this conflict The Pull Request Paradox.
This problem is not theoretical - it affects most developers every day. The average pull request takes 4 days to merge from when it's opened and half of that time is idle time. Which means every PR sits idle for two days on average! That idle time reduces our code quality, kills our flow and makes it really hard to plan our sprints accurately.
In this talk I'm sharing:
* New ideas to merge your PRs faster based on analysis of 733K PRs from 26K developers
* Why asynchronous is NOT better than synchronous when it comes to PR code reviews
* Context you can add to your pull requests to get it reviewed by your team 5X faster
* How idle time in PRs reduces situational awareness and increases cognitive load
* Why the time of day you open your pull request affects how quickly you merge
The business demanded rapid innovation. Software development and IT figured out how to provide it. But now we have a whole host of new problems. In the resulting world of cloud-native apps, microservices, and API-driven applications, what we came to rely on for keeping it all running and secure is no longer enough.
In this new fog, we are basically “flying blind”. Modern applications are extremely hard to secure and protect as they are complex and continuously changing. Our visibility of what we have, how it is behaving, and how it is being used (and abused) has diminished tremendously. So how do we begin to see through the fog once again?
In this session you’ll learn:
- Why are we flying blind
- 4 key areas to focus on to stop flying blind
- A way to get started quickly (for free!)
With testing and new releases, errors are going to creep through the cracks and new debugging approaches are needed. Nick Hodges, Developer Advocate at Rollbar, will uncover the 4 main insights that are transforming the ways we approach debugging to help return more productive time to developers.
Implementing a search experience for a single database of content can be straightforward. However, many companies operate several distinct websites that each feature important content for their customers. For example, your marketing site, product documentation library, developer hub, and community portal may all use separate content management systems, possibly managed by different teams.
If each site has its own isolated search experience, then the information from each is siloed. As a result, your customers may not find what they're looking for when they visit one of your web properties. Or, your users may find a helpful article, but they may not be exposed to some of your other content that's relevant to their query. If you create a combined search experience that incorporates the content from each of your sites, you can address both of these problems.
This talk presents a solution for a federated search experience. The federated search will serve a content library that spans disparate content types and databases. This issue was tackled by Linode during a redevelopment of the Linode Docs website (https://www.linode.com/docs) in 2020. The presented solution is powered by Algolia. The talk will outline the technical architecture for our Algolia search indices, how they are queried, and how they are kept up-to-date with the content present in each of our web properties.
Finally, once you have implemented a federated search experience, the search backend can also be used to power interesting non-search navigation for your sites. For example, the Linode Docs site features a tree navigation that includes all of the content that we offer. The talk will explore how this was accomplished.
Magic is more than just a plug-and-play passwordless auth that enables a delightful onboarding experience for end-users.
Instead of usernames and passwords, Magic uses blockchain-based public and private keys to authenticate users under the hood. A decentralized identifier is signed by the private key to generate a valid authentication token that can be used to verify user identity.
Traditionally, usernames are publicly recognizable identifiers that help pinpoint a user, whereas passwords are secrets that were created by the user and are supposed to be something only they know.
You can think of public and private keys as materially improved versions of usernames and passwords. The public key is the identifier and the private key is the secret. Instead of being created by users and prone to human error (e.g. weak/reused passwords), the key pair is generated via elliptic curve cryptography that has proven itself as the algorithm used to secure immense value sitting on mainstream blockchains like Bitcoin and Ethereum.
Using blockchain key pairs for authentication gives Magic native compatibility with blockchain, supporting over a dozen blockchains. This enables web3 developers to use the Magic SDK to provide user-friendly onboarding experiences to mainstream users and tap into the potential of the rapidly expanding blockchain industry that is growing 56.1% year over year and projected to reach $69.04 billion by 2027.
The key pairs are also privacy-preserving (no personally identifiable information) and exportable. This allows user identity to be portable and owned by users themselves (self-sovereignty). The world is already moving towards this direction with novel solutions from companies like Workday and Microsoft.
As a first step, we are committed to enabling a passwordless future, by providing developers with the easiest way to integrate passwordless login methods into their apps, but having blockchain key-pairs actually connects us to other future-proof infrastructure such as IPFS for decentralized user identity data storage, which will pave the way towards worldwide adoption of decentralized identity.
If you want to see just how seamless both the developer and user experiences are with Magic, or you want to learn how Magic plans to onboard the next billion users into web3, do not sleep on this talk.
Roughly 60% of stream processing is spent doing mundane transformation tasks like format unification for ML workloads, filtering for privacy, simple enrichments like geo-ip translations, etc.
In this session, we will show you how easy it can be to do streaming data transformations while also eliminating data ping-ponging between storage and compute — thanks to Redpanda’s built-in support for WebAssembly (WASM). We’ll share best practices for data transforms using Redpanda, our Kafka API-compatible streaming data platform.
We will also cover:
- Overview of Redpanda and our WASM architecture
- Example use cases for data transforms
- Live demo of data transforms
It has never been more important to build secure applications from the ground up, starting with developers implementing the DevSecOps framework. One facet of DevSecOps is building code that emits high-quality telemetry so development teams can deliver new software and services at agile speed without compromising application security. In this session, Cribl technical evangelist Ed Bailey will discuss three ways to instrument applications at the code level to give operations and security observability platforms enhanced data to provide next-level fault detection capabilities that are not otherwise available. We have never seen a more challenging environment to monitor and secure modern applications, and advanced telemetry-based observability is the only way to meet this challenge.
Wednesday, February 9, 2022
Spinning up exact copies of your application in multiple regions is as easy as git commit and git push. Now security policies and decisions for these applications can be just as easy. Learn how to extend your GitOps workflow to include policy-as-code. By using Open Policy Agent to write your application policy and security, you can have the benefits of GitOps for your security policies.
The rest of your application has moved to cloud-native; now it's time your application and security policies do as well. Long gone are the days of programming servers one by one. Infrastructure is now all push-button deploy powered by configurations that live in Git. The next logical step is to commit the security decisions that protect these systems into Git repositories. Becoming very popular over the last few years, GitOps has standardized application and infrastructure management processes. Within GitOps, smaller branches are starting to emerge to handle specific areas of your application. With tools like Open Policy Agent (OPA), we can define application and infrastructure security policies using Policy As Code and commit them to Git.
OPA is a general purpose policy engine that comes with a custom built dedicated policy language called Rego. Rego allows you to declaratively state the intent of your security policies using human readable expressions. It comes equipped with over 150 built-in functions tailor made for policy authoring. Together OPA and Rego allow you to supercharge your Policy As Code workflow in a Cloud Native way.
Join this talk to gain a general understanding of what policy-as-code is, the benefits in adding it to your application workflow, and see some examples of everyday use cases implemented with OPA and Rego.
Qt is widely recognized as a premier development framework for native, cross-platform applications and devices. But do you know what else is cross-platform? The web! Join us to see how the latest version of Qt supports the WebAssembly standard.
While the age-old choice between native vs. HTML5 development solutions will never be straightforward, we’ll show you how there can be overlap. We’ll also take a look at how you can leverage the latest Qt enhancements to expedite cross-platform deployment.
OPEN TALK: Fake Your Data: Mimicking Production to Maximize Testing, Shorten Sprints, and Release 5x Faster
Raise your hand if you’ve ever written a script or built a tool to generate test data for your staging environment. Keep your hand up if it was fun. And easy. And still works. If your hand (and shoulders and morale) fell, rest assured you’re not alone. Now for the good news: help is here.
With the increasing complexity of today’s data ecosystems and the expanding reach of privacy regulations, generating useful, safe test data has become more difficult and riskier than ever. An effective test data solution must work across a variety of database types and de-identify production in a way that ensures privacy. Challenging? Yes. Attainable? That, too.
Technologies now exist that integrate directly into your data ecosystem to create test data that looks, acts, and behaves just like your production data. By hydrating QA and staging with useful, safe, fake data, dev teams are upleveling testing, catching bugs faster, and shortening their development cycles by as much as 60%. Data mimicking sets a new standard of quality test data generation that combines the best aspects of anonymization, synthesis, and subsetting.
Explore these technologies in a live demo and discover how to use them to:
- Maintain consistency in your test data across tables and across databases
- Subset your data from PB down to GB without breaking referential integrity
- Achieve mathematical guarantees of data privacy
- Increase your team’s efficiency by 50%
- Realize 5x more releases per day
OPEN TALK: IBM Developer Technology Sandbox and IBM API Hub - Removing Barriers to Exploring Technologies for Developers
Before taking a car out for a test drive we don’t expect to be given instructions and a box of parts and be told to build it first. Most of us expect to be handed the keys and told “let’s go!“. The same should be true when we are kicking the tires on new tech to build your next application. IBM Developer Sandbox was created with that experience in mind. This session will use micro-solutions built around IBM API Hub services and other products, and made available through our developer sandbox to create a new way to explore technology from IBM and our ecosystem partners.
If you work in an organization that uses open source to develop applications, by now you are probably aware of the recently disclosed vulnerability in log4j, commonly being referred to as the Log4Shell vulnerability.
Virtually every organization that uses Java (Maven/Gradle) uses log4j and has likely been impacted. According to data tracked by Tidelift, log4j-core has over 3,600 dependent packages in the Java language ecosystem and over 20,900 dependent software repositories on public code collaboration platforms.
Tidelift solutions architect Sean Wiley breaks down the current Log4Shell situation and shares tips for remediating the issue—including ways Tidelift can help your organization prepare for the next zero day vulnerability.
Embedding security into DevOps practices is critical for enterprises making the transition into Secure DevOps. The Secure DevOps evolution is enabling continuous security, which is achieved by shifting left to the development team. Market-leading application security tool HCL AppScan makes it simple for developers to scan in every stage of the process with DAST, SAST, and IAST capabilities.
Learn how with market leading tools and the right approach, you can build applications securely, without compromising speed.