DevOps & Security
Tuesday, April 27, 2021
A CI/CD pipeline seems straightforward to implement and maintain. Yet it can often quickly become a tedious time sink and a source of universal frustration on many teams. From flaky builds, to long running builds, to flaky long running builds, the sources of frustration are endless. With the goal to ship more and faster as well as to compete in an ever changing industry, we can (and must) do better.
This talk will cover best practices for performance, stability, security, and maintainability of CI/CD pipelines, each supported with practical examples and counterexamples.
This talk is the perfect opportunity for you to see where Cloud Native PostgreSQL, developed by EDB, is currently standing and how it can be integrated in your Kubernetes and OpenShift Container Platform workloads.
Cloud Native PostgreSQL is built on solid concepts and principles such as immutable infrastructure, declarative configuration and application containers, making it also ideal to use in your CI/CD pipelines as part of the applications’ E2E tests.
Join me to discover how our operators adapt to public/private/hybrid environments, how core features such as self-healing, high-availability, scalability and updates work, and – last but not least – what our DevSecOps culture and processes have produced in the area of security.
As developers, we can remember the time when Nagios was state-of-the-art technology. We hated looking at all the numbers that seemed disconnected from our reality. The world has changed though, and Observability provides us with a new swiss army-knife in our toolbox. Used correctly it helps to improve reliability, brings additional focus on what matters, the business logic, and offers aid in case of problems or failures. Especially in time-critical situations, a distributed system with many service dependencies can be hard to analyze.
This session you will learn how to use Observability to assist developers instead of distract them.
Shifting Application Security Left and into the hands of developers has been a topic of discussion, but remains just that, a discussion. Legacy solutions in the market are not built from the ground up to enable this and achieve DevSecOps. In this session we will discuss the key features that your AppSec testing tools need to enable shift left, or shift everywhere, to empower developers to detect, prioritize and remediate security issues EARLY, as part of your agile development and unit testing processes, without slowing down DevOps. The talk will include specific examples from leading organizations that have deployed these solutions, the business impact they have achieved and the steps you can take to achieve the same, across your applications and APIs
Wednesday, April 28, 2021
Currently, white-box fuzzing is the most effective testing-approach to automatically identify vulnerability and stability issues within your software. For instance, Google already finds more than 80% of their bugs alone with fuzzing in contrast to all their other testing methods.
And it is very easy to use. In the future everyone will be able to integrate fuzz testing into their CI/CD. That’s why I say: “Developers should cover more security testing, themselves!”.
They are the experts! Developers know their own code best and with the right tools, they can identify bugs with little to no effort. And if by finding these bugs in an early stage of the development process, fixing them becomes very simple and cost-effective.
In my talk, you'll see why I'm so optimistic about the future!
We’ll cover the following topics:
- Modern fuzzing approaches (“feedback-based-fuzzing”)
- Instrumenting JVM code for fuzzing
- Automating fuzzing for web applications
- Integration of fuzzing in the development process
- Fuzzing web applications and integration into the CI/CD
Cloud Native software development principles have fundamentally changed the way modern IT organizations work. Teams who have operated in silo in the past, are now working more closely with each other, with developer teams owning the entire stack and lifecycle. In these scenarios, automation has become more critical than ever before. This includes building, testing, deploying and operating applications at scale and at a high frequency. Security and compliance needs to be treated the same way and cannot be an after-thought or slow down development or deployment.
In this session we will provide examples of how to embed a variety of security and compliance practices into a fully automated pipeline, from the perspective of development and security teams.
Join us to learn more about how you can secure your entire application lifecycle, starting as early as possible, putting into practice “shift left” without making compromises on security and compliance.
When we have to interconnect different decoupled components (databases, web services, streams,...), we usually write scriptish code as middleware to make that workflow of data. On this custom code, we are coupling something that should be decoupled. Could it be possible to decouple the systems while they are connected?
Integration Processes are the "glue" between these software components. Automating the data flows, adding conditional steps, handling credentials on a secure way,... That's usually a tedious and repetitive task lots of developers do again and again.
With Integration Processes frameworks we can make it simpler and reuse expertise from other developers. We could even build entire workflows without throwing a single line of code.
KEYNOTE: Publicis Sapient & Lloyds Banking Group -- Modern Engineering Helping to Adapt to the Changing and Complex WorldJoin on Hopin
The use of modern software development methods is drastically increasing the rate of software delivery among traditional banks and breaking the view that they can only deliver software every few months. This talk will explore the impact and practices of Modern Engineering and how it has enabled Lloyds Banking Group to adapt to the challenges of a complex world.
Stephen Hawking predicted the 21st century would be the century of complexity, a world which is unpredictable, ever-evolving and unbounded. This complex world requires the Bank to move from the old business paradigm and mindset of controlling time, scope and cost to the Modern Engineering-led business paradigm and mindset of quality, speed and value.
Bringing it to life, we will see how the Bank applied the Modern Engineering tool-sets to improve their ability to focus on quality, speed and value. We will share examples of how modern engineering practices have helped the Consumer Servicing Value Stream within the Bank to become more adaptable and to respond to COVID19 pandemic. Lastly, we will explore what the new business paradigm of quality, speed and value means for the Executives within the Bank.
Key audience takeaways from this talk:
• Learn how Lloyds Banking Group applied a practical application of Modern Engineering in the Consumer Servicing Value Stream
• Understand the modern engineering principles to help you and your organization adapt to our changing world
• Reflect on how to keep your skills relevant
• Reflect on whether you are clear on your products and how they deliver value to the customers
After executing a project to test a cloud-based microservices platform, we experienced a lot of challenges in both technical and social manners and tried to develop solutions to cope with them. Finally, we have wrapped them up to make a list of golden rules to successfully manage a test project. The purpose of this talk is to give insights about how a test automation project is managed.
Our problems were:
Technically, if not managed properly, automated testing will lead to extra costs and could even be less effective than manual testing.
From another aspect, at some point, we had too many complaints in our retrospective meetings about the heavy deployment activities and redundant executions. We had lots of flaky tests, execution lists full of not clear test definitions. Everyone was sick and tired of maintenance issues and the team was not happy. We took actions to improve motivation in the team.
Our 4 fundamental solutions are:
* Being truly agile: Adapt new solutions quickly.
* Manage the progress: Be aware of what is going on by setting KPIs to track & monitor with tools like CloudWatch, Grafana
+ Technical part: Automation principles for the sake of robustness.
* Solutions to reduce flaky tests & analysis effort & costs: Code demos on Java API polling libraries, Selenium usage and others.
* How we solved flaky tests: Adaptations into the code and observing the effect of each application. A few examples are polling mechanisms (safe wait methods) and test design techniques
* For maintenance efforts: We keep test history in the pipelines and develop helper methods to improve quality.
Improve coverage from different aspects to reduce escaped bugs.
* Team spirit!
Results & Conclusion
After application of our proposals, we observed that waste is eliminated by prioritization and removing duplicated or dispensable work. After all, we believe that this submission has interesting content which can make great attention. Instead of theoretical claims, we discuss faced challenges and applied solutions. We analyze effects of solutions with before-after situations, graphs and evidence. Instead of what to do, we go over how to do it.
Proposed approaches can be applied by any organization by adapting according to the related work to achieve time and cost reduction. After this talk:
* Attendees will know our 4 golden milestones for successful agile testing: Being truly agile, Managing and improving internal processes, building a Good Automation Framework and Improving Efficiency.
* Attendees will be able to realize the importance of test coverage and see how it affects defects coming from production.
* Attendees will be able to realize the effect of test suites on sprint planning and execution effort.
* Attendees will be able to have some insights about increasing efficiency.
* Attendees will be able to utilize automation not only in implementation, but also in Executions, Reporting and other phases.
* Attendees will be able to analyze bugs. Just resolve and close them, or gain some lessons-learnt from them?
Introduction & project background
Importance of agility: Quality mindset, voice of customer
Demo 1: Collecting KPIs & metrics and monitor them on CloudWatch.
Demo 2: Code Blocks to reduce test smells on Java, Postman and Selenium.
Efficiency & Team Productivity
Demo 3: A game showing the effects of team work.
Close & Questions
Microservices running in Kubernetes and containerized environments are complex and hard to monitor and troubleshoot. Join us as we discuss the growth in the adoption of Kubernetes and containers and the challenges that they have presented us all, focusing on why standard metrics and logs by themselves are leaving gaps in your observability strategy.
Today we are talking a lot about security, data protection, privacy, but we are forget one pretty important stuff, a secure code. Normally most of IT professionals or security experts expect attack from outside. But what if the real enemy is our code? Many times we see that someone from developers forget to delete credentials from code, or just hard-code passwords, database endpoints, etc. From security perspective its very hard to detect it if app is already deployed.. In this session I would like to present how Endava integrate security into our CI/CD pipelines and how it help us to identify security issues.
It is not feasible to run an observability infrastructure that is the same size as your production infrastructure. Past a certain scale, the cost to collect, process, and save every log entry, every event, and every trace that your systems generate dramatically outweigh the benefits. If your SLO is 99.95%, then you'll be naively collecting 2,000 times as much data about requests that satisfied your SLI as those that burnt error budget. The question is, how to scale back the flood of data without losing the crucial information your engineering team needs to troubleshoot and understand your system's production behaviors?
Statistics can come to our rescue, enabling us to gather accurate, specific, and error-bounded data on our services' top-level performance and inner workings. This talk advocates a three-R approach to data retention: Reducing junk data, statistically Reusing data points as samples, and Recycling data into counters. We can keep the context of the anomalous data flows and cases in our supported services while not allowing the volume of ordinary data to drown it out.
While the business keeps increasing the pressure and demand of flexibility of the development team, the agile movement was pushed to the limits. CI/CD was born to reduce manual step to reduce human errors and increase speed to go-live! Last not least, with DevOps the teams took application responsibilities, from cradle to grave. Nevertheless, software security is still missing in many full-stack developers resume and application security responsibilities are pushed off to the security department still. Petty, because the exactly agile, CI/CD and DevOps are security enabling practices.
This session is explaining Shift-left, early security enablement in the development Lifecycle. As the application development becomes more developer centric, the developer’s toolset must match the new challenges to have responsibilities matching capabilities. Learn from rugged software to supply chain cleanliness. Learn to avoid the common pitfalls and benefits of modern application development strategies. Hear why security champions programs tend to fail, compliance driven security trainings are a waste of time and money. Take back the best practices, proven solutions and Shift Left beyond the development.
What would you do if you were asked to design a system to analyze transactions in near-real time to find money laundering? That was the challenge I has been working with the last year. I used microservices and after a while I had a fully functional system, but how to deploy it? How to keep control when each service acts independently from the rest of the system? How to deliver a system with high quality, availability, and reliability? The last piece of the puzzle was to add DevOps – and this is when things get interesting.
And during the process I must admit it, I have fallen in love with DevOps and the capabilities it brings. Come listen to a speech about the elegance and possibility’s I have learned.
It is often believed that there’s a built-in tension between software developers and security engineers. The first ones want to move fast with the latter wish to make sure the data, pipes and crown jewels are well protected.
Working in the cloud did give the developers the velocity they always wanted - they have their own account, they can provision cloud assets and can deploy frequently and easily. But they also use admin permissions and leave open buckets everywhere.
The security team at turn finds risky cloud misconfigurations and has to go back to the dev team to check if that was necessary or not. This is a repetitive, time-consuming process that creates friction and sometimes tension between the two teams.
In this talk I will share with you how working with developers instead of trying to clean up after them, actually makes their work much faster, better and more secure.