Kubecon 2020 NA Deck

Transcript

1. Dan Papandrea - Sysdig / POPCAST with Dan POP Steven

   Terrana - Chief Engineer @ Booz Allen Everything You Should Be Doing, But Aren’t: DevSecOps for K8s Workflows

2. What is DevSecOps? Integrate security into every step of the

   Software Development Lifecycle Application Dependency Scanning Static Code Analysis Container Image Scanning Continuous Compliance Dynamic Application Security Testing Accessibility Assurance Secure Dependencies Secure Code Secure Artifacts Secure Infrastructure Secure Interfaces Accessible Interfaces Configuration Governance Secure Configurations Trusted Software Supply Chain Runtime Security Assess and Prevent

3. How to build a pipeline Open your IDE Automate running

   Unit Tests on PR Automate every kind of quality and security test for every type of application across every team lolz good luck

4. Why is this so hard? typically pipelines are built on

   a per-application basis, which makes life… difficult Time Complexity Standardization Sustainment Onboard teams one at a time Duplicate and tweak each pipeline copy/paste != governance Good luck updating every Jenkinsfile in every branch of every repo

5. There’s a better way Jenkins Templating Engine: tool-agnostic, reusable pipelines

6. Bad News: This still isn’t good enough! Good News: we

   can fix that, too.

7. And NOW FALCO (Runtime)

8. None
9. None

10. Learn More! Falco Jenkins Templating Engine

11. None
12. None