DevOps & Security
Tuesday, November 17, 2020
The embrace of Infrastructure as Code risks repeating the problems of early software development: out-of-date dependencies and potentially exploitable vulnerabilities. Once the speed of development slows down, how do teams stabilize a project of interconnected infrastructure components (charts, images, etc.) so that it can be kept up to date with a mature DevOps approach?
In this presentation Rhys Arkins will introduce industry best practices for managing software dependency updates and vulnerabilities, and show how these same practices are well suited to the layered configuration of container orchestration: Kubernetes manifests, Helm charts, Kustomize templates, etc.
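One concrete check that this kind of dependency hygiene relies on is knowing which container images in a manifest are actually pinned. The following is an added example, not code from the talk or from any dependency-update tool it mentions: it scans a Kubernetes manifest for `image:` references and classifies each as pinned by digest, pinned by tag, or unpinned. The manifest text is constructed for the example.

```python
import re

# Constructed sample manifest (not from the talk): a Deployment whose
# containers reference images in four different states of pinning.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    spec:
      containers:
      - name: app
        image: registry.example.com:5000/team/app:1.4.2
      - name: sidecar
        image: nginx:latest
      - name: init
        image: busybox
      - name: worker
        image: ghcr.io/example/worker@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Matches "image: <ref>" lines (optionally as list items), ignoring trailing comments.
IMAGE_RE = re.compile(r"""^\s*(?:-\s+)?image:\s*['"]?([^'"\s#]+)""", re.MULTILINE)


def parse_image_ref(ref):
    """Split an OCI image reference into (name, tag, digest).

    A ':' only introduces a tag when it appears after the last '/';
    otherwise it is a registry port (registry.example.com:5000/...).
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def classify(ref):
    """Return how strongly an image reference is pinned."""
    _name, tag, digest = parse_image_ref(ref)
    if digest:
        return "pinned-digest"      # immutable: the only true pin
    if tag is None:
        return "unpinned-no-tag"    # resolves to :latest and changes silently
    if tag == "latest":
        return "unpinned-latest"
    return "pinned-tag"             # reproducible today, but tags are mutable


def audit_manifest(text):
    """Return one finding per image reference found in a YAML manifest."""
    return [{"image": ref, "status": classify(ref)} for ref in IMAGE_RE.findall(text)]


def unpinned_images(text):
    """Only the references that should block a merge."""
    return [f["image"] for f in audit_manifest(text) if f["status"].startswith("unpinned")]
```

Run as a pre-merge check, `unpinned_images` gives you the references to reject outright; the `pinned-tag` results are the ones an automated update bot can then keep bumping, since a tag is reproducible only until someone re-pushes it and a digest is the only immutable pin.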
GitOps is nothing new. Or, to be more precise, the principles of GitOps existed long before the term was invented. But hey, that's the pattern in our industry. It is the fate of all good practices to be misunderstood, so we need to come up with new names to get people back on track. That is not to say that we are in a constant loop. Instead, I tend to think of it as a periodic reset trying to eliminate misinterpretations. GitOps is one of those resets. It fosters the practices and the ideas that existed for a while now and builds on top of them.
We'll explore the fundamental principles of GitOps and the outcomes of those principles. We'll also try to answer some fundamental questions like "why do we want GitOps?", "why isn't everyone using GitOps?", and whether GitOps is mature enough for everyone to adopt it. More importantly, we'll try to see how GitOps fits into continuous delivery and how it might change the way we define application lifecycle pipelines.
Through a hands-on demo, we'll explore a full lifecycle of applications in production. We'll use Terraform to create and manage a Kubernetes cluster and Argo CD to deploy applications. We'll rely on Codefresh to run pipelines that will tie those and other tools together.
Pen testing plays an important role in cloud security. Josh Stella, Fugue Co-founder and CTO, will walk through how Fugue developed a thorough understanding and approach for evaluating pen test vendors.
In the data center era, pen testing was generally focused on probing TCP/IP endpoints and employing various kinds of social engineering and phishing techniques. Cloud service providers (CSPs) are now responsible for the physical security of their data centers. But in the cloud you need to be concerned with a lot more potential attack surface.
If you are running containers or VMs in the cloud, you are likely relying on trust relationships (such as AWS IAM roles); attacks that abuse IAM are common, and many of its pitfalls are not well known or understood. With functions-as-a-service, such as AWS Lambda, code injection becomes a major concern. With CSP-managed databases, exposed credentials are a major attack vector. Attackers use different methods in the cloud, so different methods to secure your cloud are called for. No matter how confident you are in your security architecture and implementation, you haven't thought of everything; pen testing helps you discover the weaknesses in your code. During this talk Josh will discuss two approaches to pen testing, how to assess the skills of a pen testing team, and how to use white hat hackers to find hidden vulnerabilities.
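Two of the IAM pitfalls alluded to above are a role trust policy that lets any AWS principal assume the role, and permission policies that grant well-known privilege-escalation actions on every resource. The following is an added example, not code or a vendor list from the talk: it audits a trust policy and a permission policy for those two patterns. Both policy documents are constructed for the example, and `RISKY_ACTIONS` is an illustrative subset of actions commonly cited for privilege escalation, not a complete catalogue.

```python
import fnmatch
import json

# Actions commonly abused for privilege escalation or lateral movement in AWS.
# Assumption: this is a small illustrative subset, not a complete catalogue.
RISKY_ACTIONS = {
    "iam:PassRole": "lets the caller hand a more privileged role to a service",
    "iam:CreatePolicyVersion": "rewrites an existing managed policy's permissions",
    "iam:AttachRolePolicy": "grants additional policies to a role",
    "iam:PutRolePolicy": "adds inline permissions to a role",
    "sts:AssumeRole": "pivots into another role's permissions",
    "lambda:UpdateFunctionCode": "runs attacker code under the function's execution role",
}

# Constructed sample policies (not from the talk).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
  ]
}
""")

PERMISSION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/reader"}
  ]
}
""")


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals named by a statement ('*' for anyone)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def audit_trust_policy(doc):
    """Flag Allow statements that let any AWS principal assume the role."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt) and not stmt.get("Condition"):
            findings.append("trust: Principal '*' without a Condition; any AWS account can assume this role")
    return findings


def audit_permission_policy(doc):
    """Flag risky actions granted on Resource '*'; action wildcards such as
    'lambda:*' or '*' are expanded against RISKY_ACTIONS with fnmatch."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action, why in RISKY_ACTIONS.items():
                if fnmatch.fnmatchcase(action, pattern):
                    findings.append(f"permission: '{pattern}' allows {action} on '*' ({why})")
    return findings


def audit_role(trust_doc, permission_doc):
    """Combined findings for one role."""
    return audit_trust_policy(trust_doc) + audit_permission_policy(permission_doc)
```

On the sample role this reports the open trust policy and two risky grants (`iam:PassRole` directly, and `lambda:UpdateFunctionCode` via the `lambda:*` wildcard), while leaving the scoped `sts:AssumeRole` and the bucket read alone. A real audit would also walk the `Deny` statements and `NotAction` forms, which this check deliberately ignores.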
With increasing service traffic and services scaling, the need to ensure reliability and customer satisfaction has never been higher. How can we ensure that a service is reliable and the needs of customers are met?
Through defining and monitoring SLIs and SLOs! This talk will cover why strategically defining SLIs, SLOs and SLAs and monitoring SLIs can help improve the reliability of your service and ensure customer satisfaction in the long term. We follow this by walking through the process of defining these critical metrics, and go through some case studies and industry practices.