Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Build and secure containers to support your CI/...

João Rosa
January 22, 2019
Technology
0
290

Build and secure containers to support your CI/CD pipeline - Xebia Knowledge Exchange 2019-01-22

Today CI/CD servers support containers. However, in some restricted environments, people are not willing to shift the responsibility to create the containers to the development teams. Based on a recent assignment at a customer, it shows a way to allow teams to create their own build & deploy containers and at the same time maintain a level of security, paramount for a financial organisation.

João Rosa

January 22, 2019
Tweet

More Decks by João Rosa

See All by João Rosa
Intentional Architecture @ FlowCon 2024
joaoasrosa
0
290
Why should I care about sociotechnical systems? @ Fast Flow meetup 2023
joaoasrosa
0
260
An enabling approach to an organisation transformation @ FastFlowConf London 2023
joaoasrosa
0
420
Why should I care about sociotechnical systems? @ DDD SoCal
joaoasrosa
1
380
From EventStorming to CoDDDing @ Bucharest Software Architecture Summit 2021
joaoasrosa
0
290
Panel: Practical Open Agile Architecture standard and Domain-Driven Design @Xebia Academy Webinar Week 2020
joaoasrosa
0
330
From EventStorming to CoDDDing @ DDD Taiwan
joaoasrosa
0
220
Implementing Domain-Driven Design Bounded Context with Ports and Adapters architecture @ Codemotion Online 2020
joaoasrosa
0
910
A DevOps journey at ABN AMRO @ DevOpsDays oNLine 2020
joaoasrosa
1
660

Other Decks in Technology

See All in Technology
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
320
AGIについてChatGPTに聞いてみた
blueb
0
130
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
120
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
610
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
320
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
540
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
110
強いチームと開発生産性
onk
PRO
34
11k
Lambdaと地方とコミュニティ
miu_crescent
2
370

Featured

See All Featured
Building Applications with DynamoDB
mza
90
6.1k
Designing Experiences People Love
moore
138
23k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Six Lessons from altMBA
skipperchong
27
3.5k
Typedesign – Prime Four
hannesfritz
40
2.4k
Writing Fast Ruby
sferik
627
61k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
The Invisible Side of Design
smashingmag
298
50k

Transcript

  1. Build and secure containers to support your CI/CD pipeline

  2. Hello! I am João Rosa I am Software Consultant, focused

    on Quality. You can find me at @joaoasrosa 2

  3. Horror story What we found at a customer 1.

  4. The most important systems in your organisation are: the payroll

    system and the CI/CD server. 4

  5. Problems found with CI/CD server Lifecycle management There is not

    a lifecycle management on the tool. It has Critical CVE’s. Misconfiguration The server holds multiple services. Also, the configuration of the services is not secure. Agents drift The build and deploy agents are in a drift state. Plus, old frameworks are installed. 5

  6. LEAD TIME For new capabilities. Such as a new version

    of a framework, or new tool features. 6

  7. A way out What we proposed to the customer 2.

  8. SaaS Move from the on-premises solution, to a SaaS solution.

    It will mitigate some of the risks. Proposed solution Shift responsibilities From manage tooling, to enable development teams to deliver value. 8

  9. Use containers to build and deploy ▪ Today, mature solutions

    offer containers as compute unit ▪ Isolated by default (between jobs) ▪ Granular capabilities ▪ Allow teams to create the container images 9

  10. With great power, comes great responsibility! Ben Parker 10

  11. How about security? Teams are creating their own containers! 11

    Photo by Alistair MacRobert on Unsplash

  12. Back to basics… on software development code test deploy 12

  13. A (possible) solution Implementation details 3.

  14. What test means for containers in a financial institution? We

    can understand it as testing the capabilities and security. Other definitions? 14 Photo by Saffu on Unsplash

  15. What does that means? ▪ Test the dependencies ▪ Scan

    the dependencies 15

  16. Test Test the container image, to assert the dependencies are

    installed according to the expectations. What does that mean? Scan Scan the container image, discovering if there are problems with any of the dependencies. Bonus, is it possible to monitor it? 16

  17. Implementation ▪ The container image definition is a Dockerfile ▪

    Testing using Google’s Container Structure Tests ▪ Scanning and monitoring using Snyk However there are other tools! :) 17

  18. DEMO TIME 18

  19. Container Structure Tests ▪ Command tests ▪ File Existence tests

    ▪ File Content tests ▪ Metadata tests ▪ License tests * 19 * (licenses allowed by Google)

  20. Snyk ▪ Scan dependencies ▪ Monitoring snapshots of the dependencies

    20

  21. Thanks! Any questions? You can find me at ▪ @joaoasrosa

    [email protected] 21

  22. Credits Special thanks to all the people who made and

    released these awesome resources for free: ▪ Presentation template by SlidesCarnival ▪ Photographs by Unsplash 22