Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping-Up-WithUpstream.pdf

F029ec9c798e4dc447cab5e76f62fa17?s=47 Nicolas Byl
September 06, 2019
Technology
0
46

 Keeping-Up-WithUpstream.pdf

F029ec9c798e4dc447cab5e76f62fa17?s=128

Nicolas Byl

September 06, 2019
Tweet

More Decks by Nicolas Byl

See All by Nicolas Byl
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
41
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
42
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
70
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
69
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
58
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
86
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
170
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
0
47
F029ec9c798e4dc447cab5e76f62fa17?s=48 nbyl
1
43

Other Decks in Technology

See All in Technology
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
1
220
3e8f61263f14a620f21d5f3f89c4b846?s=48 gamella
1
4.7k
0b626efa067fc1732d0827b6ac1ca6e1?s=48 shoheiyamamoto
0
200
E598c2f9a8e5c94eea0e6505b4233d81?s=48 tomohide_tanaka
1
560
Ca6281fff64797dc419b78f51f25c0a5?s=48 fujiwara3
PRO
0
220
67683b0a8d24009c731787b49881a9de?s=48 tomuro
0
280
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
120
Aa2271fde3c839f2ab82d1d27dbbc650?s=48 takayukihayashi
1
270
8d5ec86449745c31872afc6efdaf2f0a?s=48 freedom_tk
1
170
2b680c5f22146e764e2998dd4595ec93?s=48 sue445
0
140
275fa343348e7dd4f5f7abfe09bb19d4?s=48 nishiodens
0
280
3aeee885003e0a7406ba970fb015c4bb?s=48 sakuracloud
0
100

Featured

See All Featured
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
330
16k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
158
6.5k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
24
1.4k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
446
36k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
195
15k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
66
3k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
779
240k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
221
15k
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
116
7.2k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
64
3.8k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
108
14k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
93
3.1k

Transcript

  1. 1 Nicolas Byl

  2. 2 This talk may contain fictional elements… 2 https://pxhere.com/de/photo/738184

  3. 3 Part 1 Marley’s Ghost 3 https://pxhere.com/de/photo/237

  4. 4 A few days ago, in our café… 4 https://pxhere.com/de/photo/39

  5. 5 Part 2 The ghost of DevSecOps past 5 https://pxhere.com/de/photo/237

  6. 6 At the backlog grooming… 6 https://pxhere.com/de/photo/1434201

  7. 7 “Our development environment is a production environment” 1 Management

    and ownership needed for Build Server, Source Control, … Is there a pre-Dev environment? 2 3 7 7 https://pxhere.com/de/photo/1033572

  8. 8 Gathering metrics to support DevSecOps feedback loops 1 Understand

    and customize metrics Action is required 2 3 8 8 https://pxhere.com/de/photo/893775

  9. 9 Part 2 The ghost of DevSecOps present 9 https://pxhere.com/de/photo/237

  10. 10 In the middle of the night… 1 0 https://pxhere.com/de/photo/1391800

  11. 11 Source Code Analysis FindBugs, SonarQube, SAST, DAST 1 Dependency

    Analysis Maven, NPM, Pythin, Perl, … Operating Systems DEB, RPM, … Docker Images Anchore, clair, Aqua, snyk 2 3 4 11 1 1 https://pxhere.com/de/photo/6643025

  12. 12 Source Code Analysis FindBugs, SonarQube, SAST, DAST 1 Dependency

    Analysis Maven, NPM, Pythin, Perl, … Operating Systems DEB, RPM, … Docker Images Anchore, clair, Aqua, snyk 2 3 4 12 1 2 https://pxhere.com/de/photo/893775

  13. 13 How do you notify independent teams of needed actions?

    1 Separate signals from noise Consolidate update sources (GitHub / GitLab, Docker Hub, binary repositories, mailing lists, …) Internal vs. external dependencies 2 3 4 13 1 3 https://pxhere.com/de/photo/1565823

  14. 14 Prepare for failure… 1 4 https://pxhere.com/de/photo/1073983

  15. 15 GitOps as single source of truth (source code, delivery

    code, infrastructure code) 1 Consider dynamic environments, record data for later analysis What was running at time X? Consider version pinning (library versions, Docker Image SHA sum) 2 3 4 15 1 5 https://pxhere.com/de/photo/137541

  16. 16 Part 3 The ghost of DevSecOps future 1 6

    https://pxhere.com/de/photo/237

  17. 17 At dawn… 1 7 https://pxhere.com/de/photo/39

  18. Avoid Tree-Ring-Projects Don’tnotify aboutupdates, provide them Keep an eye on

    the current security statistics 18 https://pxhere.com/de/photo/1209019

  19. Don’t reinvent the wheel There is a reason for spezialisation

    Solve common problems with spezialized teams 19 https://pxhere.com/de/photo/1235822

  20. Make artifacts and the whole delivery process verifiable Preserve integrity

    of your binaries Use Docker Notary, Grafeas, in-toto, … 20 https://pxhere.com/de/photo/910704

  21. Policy trumps checklists Build your policy into your runtime platform

    Beware of cultural and political implications 21 https://pxhere.com/de/photo/1455413

  22. 22 Keep the ghosts away! 2 2 https://pxhere.com/de/photo/791236

  23. 23 nicolas.byl@codecentric.de 23 http://www.twitter.com/NicolasByl