
Keeping-Up-WithUpstream.pdf

Nicolas Byl
September 06, 2019


Transcript

  1. Nicolas Byl

  2. This talk may contain fictional elements…
    https://pxhere.com/de/photo/738184

  3. Part 1: Marley’s Ghost
    https://pxhere.com/de/photo/237

  4. A few days ago, in our café…
    https://pxhere.com/de/photo/39

  5. Part 2: The ghost of DevSecOps past
    https://pxhere.com/de/photo/237

  6. At the backlog grooming…
    https://pxhere.com/de/photo/1434201

  7. “Our development environment is a production environment”
    Management and ownership needed for Build Server, Source Control, …
    Is there a pre-Dev environment?
    https://pxhere.com/de/photo/1033572

  8. Gathering metrics to support DevSecOps feedback loops
    Understand and customize metrics
    Action is required
    https://pxhere.com/de/photo/893775

  9. Part 2: The ghost of DevSecOps present
    https://pxhere.com/de/photo/237

  10. In the middle of the night…
    https://pxhere.com/de/photo/1391800

  11. Source Code Analysis: FindBugs, SonarQube, SAST, DAST
    Dependency Analysis: Maven, NPM, Python, Perl, …
    Operating Systems: DEB, RPM, …
    Docker Images: Anchore, clair, Aqua, snyk
    https://pxhere.com/de/photo/6643025

  12. Source Code Analysis: FindBugs, SonarQube, SAST, DAST
    Dependency Analysis: Maven, NPM, Python, Perl, …
    Operating Systems: DEB, RPM, …
    Docker Images: Anchore, clair, Aqua, snyk
    https://pxhere.com/de/photo/893775

  13. How do you notify independent teams of needed actions?
    Separate signals from noise
    Consolidate update sources (GitHub / GitLab, Docker Hub, binary repositories, mailing lists, …)
    Internal vs. external dependencies
    https://pxhere.com/de/photo/1565823

  14. Prepare for failure…
    https://pxhere.com/de/photo/1073983

  15. GitOps as single source of truth (source code, delivery code, infrastructure code)
    Consider dynamic environments, record data for later analysis
    What was running at time X?
    Consider version pinning (library versions, Docker Image SHA sum)
    https://pxhere.com/de/photo/137541
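
    The version-pinning point on this slide, as an added example that is not part of the deck: a small checker that flags Docker image references without a digest and Python requirements without an exact version. The Dockerfile and requirements lines it scans are constructed for illustration, not taken from any real project.

```python
"""Flag unpinned dependencies in delivery code.

Added example (not from the deck). Docker tags can be moved by whoever owns
the registry repository, so only an @sha256 digest identifies immutable
content; likewise a requirement without '==' resolves differently over time.
Both break the question "what was running at time X?".
"""
import re
from typing import List

# Constructed sample Dockerfile: two tag-only references and one digest-pinned one.
SAMPLE_DOCKERFILE = (
    "FROM python:3.8-slim\n"
    "FROM nginx:latest AS proxy\n"
    "FROM alpine@sha256:" + "0" * 64 + "\n"
    "COPY . /app\n"
)

# Constructed sample requirements file: one exact pin, one range, one bare name.
SAMPLE_REQUIREMENTS = (
    "requests==2.22.0\n"
    "flask>=1.0\n"
    "pyyaml\n"
    "# comment line\n"
)

# FROM [--platform=...] <reference> [AS name]
IMAGE_REF = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")
# name[extras]==version, with no further specifiers
EXACT_PIN = re.compile(r"^[A-Za-z0-9_.\-\[\]]+==[^,;]+$")


def unpinned_images(dockerfile: str) -> List[str]:
    """Return every FROM reference that is not pinned by digest."""
    findings = []
    for line in dockerfile.splitlines():
        match = IMAGE_REF.match(line)
        if not match:
            continue
        ref = match.group(1)
        if not DIGEST_REF.search(ref):
            findings.append(ref)
    return findings


def unpinned_requirements(requirements: str) -> List[str]:
    """Return every requirement line that is not an exact '==' pin."""
    findings = []
    for line in requirements.splitlines():
        spec = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not spec:
            continue
        if not EXACT_PIN.match(spec):
            findings.append(spec)
    return findings


def report(dockerfile: str, requirements: str) -> List[str]:
    """Combine both checks into one list of human-readable findings."""
    out = [f"image not pinned by digest: {ref}" for ref in unpinned_images(dockerfile)]
    out += [f"requirement not pinned exactly: {spec}" for spec in unpinned_requirements(requirements)]
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_DOCKERFILE, SAMPLE_REQUIREMENTS):
        print(finding)
```

    Run it against the files in a GitOps repository as a pre-merge check; a non-empty report is the signal that a later "what was running at time X?" question could not be answered from the repository alone.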

  16. Part 3: The ghost of DevSecOps future
    https://pxhere.com/de/photo/237

  17. At dawn…
    https://pxhere.com/de/photo/39

  18. Avoid Tree-Ring-Projects
    Don’t notify about updates, provide them
    Keep an eye on the current security statistics
    https://pxhere.com/de/photo/1209019

  19. Don’t reinvent the wheel
    There is a reason for specialisation
    Solve common problems with specialised teams
    https://pxhere.com/de/photo/1235822

  20. Make artifacts and the whole delivery process verifiable
    Preserve integrity of your binaries
    Use Docker Notary, Grafeas, in-toto, …
    https://pxhere.com/de/photo/910704
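
    The integrity point on this slide, as an added example that is not from the deck and not the code of Notary, Grafeas or in-toto: hash every build output into a manifest, sign the manifest, and verify both before deploying. An HMAC over a constructed shared key stands in for the asymmetric signatures those tools use; the artifact bytes are constructed stand-ins for real binaries.

```python
"""Verify build artifacts against a signed manifest.

Added example (not from the deck). The principle behind Notary / in-toto style
attestation: a tampered binary no longer matches its recorded digest, and a
tampered manifest no longer matches its signature. HMAC with a shared key is
used here only to keep the example self-contained.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample build outputs; the bytes stand in for real binaries.
ARTIFACTS: Dict[str, bytes] = {
    "app.jar": b"\xca\xfe\xba\xbe example jar contents",
    "app.tar.gz": b"\x1f\x8b example tarball contents",
}
# Constructed signing key; a real pipeline loads this from a secret store.
SIGNING_KEY = b"constructed-example-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact name to the SHA-256 of its contents."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def canonical(manifest: Dict[str, str]) -> bytes:
    # Sorted keys and fixed separators so the same manifest always serialises
    # to the same bytes; otherwise a signature would break on key order alone.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_release(artifacts: Dict[str, bytes], manifest: Dict[str, str],
                   signature: str, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the release verifies."""
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature):
        # If the manifest itself is untrusted, comparing hashes against it
        # proves nothing, so stop here.
        return ["manifest signature invalid"]
    problems = []
    for name, digest in manifest.items():
        if name not in artifacts:
            problems.append(f"{name}: listed in manifest but missing")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            problems.append(f"{name}: contents do not match manifest")
    for name in artifacts:
        if name not in manifest:
            problems.append(f"{name}: present but not in manifest")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    signature = sign_manifest(manifest, SIGNING_KEY)
    print("clean release:", verify_release(ARTIFACTS, manifest, signature, SIGNING_KEY))
    modified = dict(ARTIFACTS, **{"app.jar": b"modified contents"})
    print("modified jar:", verify_release(modified, manifest, signature, SIGNING_KEY))
```

    The ordering matters: the signature is checked first, because a manifest whose signature fails could have been rewritten together with the artifacts it describes. Unlisted extra artifacts are reported as well, since a delivery process is only verifiable when everything that ships is covered by the manifest.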

  21. Policy trumps checklists
    Build your policy into your runtime platform
    Beware of cultural and political implications
    https://pxhere.com/de/photo/1455413

  22. Keep the ghosts away!
    https://pxhere.com/de/photo/791236

  23. [email protected]
    http://www.twitter.com/NicolasByl