Keeping Up With Upstream (Keeping-Up-WithUpstream.pdf)
Nicolas Byl
September 06, 2019
Technology
Transcript
1 Nicolas Byl
2 This talk may contain fictional elements… (image: https://pxhere.com/de/photo/738184)
3 Part 1: Marley's Ghost (image: https://pxhere.com/de/photo/237)
4 A few days ago, in our café… (image: https://pxhere.com/de/photo/39)
5 Part 2: The ghost of DevSecOps past (image: https://pxhere.com/de/photo/237)
6 At the backlog grooming… (image: https://pxhere.com/de/photo/1434201)
7 "Our development environment is a production environment." Management and ownership are needed for the build server, source control, … Is there a pre-dev environment? (image: https://pxhere.com/de/photo/1033572)
8 Gathering metrics to support DevSecOps feedback loops. Understand and customize the metrics; action is required. (image: https://pxhere.com/de/photo/893775)
9 Part 2: The ghost of DevSecOps present (image: https://pxhere.com/de/photo/237)
10 In the middle of the night… (image: https://pxhere.com/de/photo/1391800)
11 Source code analysis: FindBugs, SonarQube, SAST, DAST. Dependency analysis: Maven, NPM, Python, Perl, … Operating systems: DEB, RPM, … Docker images: Anchore, Clair, Aqua, Snyk. (image: https://pxhere.com/de/photo/6643025)
12 (same content as slide 11; image: https://pxhere.com/de/photo/893775)
13 How do you notify independent teams of needed actions? Separate signals from noise. Consolidate update sources (GitHub / GitLab, Docker Hub, binary repositories, mailing lists, …). Distinguish internal from external dependencies. (image: https://pxhere.com/de/photo/1565823)
14 Prepare for failure… (image: https://pxhere.com/de/photo/1073983)
15 GitOps as single source of truth (source code, delivery code, infrastructure code). Consider dynamic environments: record data for later analysis so you can answer "what was running at time X?". Consider version pinning (library versions, Docker image sha256 digests). (image: https://pxhere.com/de/photo/137541)
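As an added worked example (not code from the talk or its author), the following script consolidates the pinning check that slides 11, 13 and 15 call for across the dependency sources they list: it parses a requirements.txt, a package.json, a Dockerfile and a Kubernetes manifest into one inventory and flags every component whose version can drift (version ranges, bare package names, floating image tags, image references without a sha256 digest). All file contents, package names, the registry.example host and the digest value are constructed for the example.

```python
"""Pinning check across dependency sources (added example; all inputs constructed).

Builds one inventory from a requirements.txt, a package.json, a Dockerfile and a
Kubernetes manifest, then flags every component whose version is not fully
pinned: version ranges, bare names, floating tags, images without a digest.
"""
import json
import re

# --- Constructed sample inputs (not from the talk) ---------------------------
REQUIREMENTS_TXT = """\
requests==2.22.0
flask==1.1.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Django>=2.2,<3.0
PyYAML
"""
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.17.1", "lodash": "^4.17.15", "debug": "~2.6.9"},
    "devDependencies": {"jest": "24.9.0"},
})
PINNED_DIGEST = "sha256:" + "ab" * 32        # placeholder digest, not a real image
DOCKERFILE = f"""\
FROM --platform=linux/amd64 python:3.7-slim AS build
RUN pip install -r requirements.txt
FROM nginx@{PINNED_DIGEST}
COPY --from=build /app /usr/share/nginx/html
"""
K8S_MANIFEST = f"""\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        image: registry.example/app:latest
      - name: db
        image: "registry.example/db:12.3@{PINNED_DIGEST}"
"""

# Each component is (ecosystem, name, spec, pinned).
def parse_requirements(text):
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):          # blank, comment, or pip option (-r, -e, ...)
            continue
        spec = line.split()[0]                        # drop per-line options such as --hash=...
        m = re.match(r"^([A-Za-z0-9_.\-\[\]]+)(.*)$", spec)
        if not m:                                     # unparseable: fail closed, report as unpinned
            comps.append(("pypi", spec, "<unparsed>", False))
            continue
        name, version = m.group(1), m.group(2)
        # Only an exact "==" without ranges or wildcards counts as pinned.
        pinned = version.startswith("==") and "," not in version and "*" not in version
        comps.append(("pypi", name, version or "<any>", pinned))
    return comps

EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.\-]+)?$")

def parse_package_json(text):
    data = json.loads(text)
    comps = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            # "^", "~", ">=", "*" and "x" ranges all float; only an exact semver is pinned.
            comps.append(("npm", name, spec, EXACT_SEMVER.match(spec) is not None))
    return comps

IMAGE_REF = re.compile(
    r"^(?P<name>(?:[^/:@\s]+(?::\d+)?/)?[^:@\s]+)"  # [registry[:port]/]repo/path
    r"(?::(?P<tag>[^@\s]+))?"                       # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"       # optional @sha256:<64 hex>
)

def classify_image(ref):
    """An image is pinned only when it carries a digest; tags (even 'latest') can be re-pushed."""
    m = IMAGE_REF.match(ref)
    if not m:
        return ("image", ref, ref, False)             # unparseable: fail closed
    return ("image", m.group("name"), ref, m.group("digest") is not None)

def dockerfile_images(text):
    refs, aliases = [], set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        args = [t for t in tokens[1:] if not t.startswith("--")]   # skip --platform=...
        if len(args) >= 3 and args[1].upper() == "AS":
            aliases.add(args[2])
        if args[0] == "scratch" or args[0] in aliases:            # not external images
            continue
        refs.append(args[0])
    return refs

def manifest_images(text):
    return re.findall(r"""^\s*(?:-\s*)?image:\s*["']?([^"'\s]+)""", text, re.M)

def inventory():
    comps = parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
    comps += [classify_image(r) for r in dockerfile_images(DOCKERFILE)]
    comps += [classify_image(r) for r in manifest_images(K8S_MANIFEST)]
    return comps

def unpinned(comps):
    return [c for c in comps if not c[3]]

if __name__ == "__main__":
    for eco, name, spec, _ in unpinned(inventory()):
        print(f"UNPINNED {eco:5} {name} ({spec})")
```

Run as a CI gate, the check fails the build on any unpinned finding; the same inventory, stored next to the GitOps commit, is what lets you answer "what was running at time X?" later. Note that a pinned package.json entry still leaves transitive dependencies floating unless a lockfile is committed, and that a `--hash=` in requirements.txt is the stronger pin (content, not just version).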
16 Part 3: The ghost of DevSecOps future (image: https://pxhere.com/de/photo/237)
17 At dawn… (image: https://pxhere.com/de/photo/39)
18 Avoid tree-ring projects. Don't notify about updates, provide them. Keep an eye on the current security statistics. (image: https://pxhere.com/de/photo/1209019)
19 Don't reinvent the wheel: there is a reason for specialisation. Solve common problems with specialised teams. (image: https://pxhere.com/de/photo/1235822)
20 Make artifacts and the whole delivery process verifiable. Preserve the integrity of your binaries. Use Docker Notary, Grafeas, in-toto, … (image: https://pxhere.com/de/photo/910704)
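As an added example (not code from the talk, and not the API of Notary, Grafeas or in-toto), this block shows the integrity property slide 20 asks for at its smallest: every downloaded artifact must match the digest the publisher listed, anything listed but absent or present but unlisted fails the build, and a malformed manifest is rejected rather than skipped. The artifact bytes, file names and manifest are constructed; in a real pipeline the manifest itself must be signed and that signature verified first, which this block omits.

```python
"""Fail-closed verification of a SHA256SUMS-style manifest (added example; data constructed).

A minimal stand-in for the integrity property the slide's tools provide. It does
not model the Notary, Grafeas or in-toto APIs and does not verify a signature
over the manifest itself.
"""
import hashlib
import hmac

HEX = set("0123456789abcdef")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# --- Constructed data (not from the talk) -----------------------------------
TARBALL = b"release tarball contents"
HELPER_GOOD = b"#!/bin/sh\necho ok\n"
HELPER_TAMPERED = b"#!/bin/sh\necho tampered\n"
README = b"docs"

# What the publisher shipped, in `sha256sum` format: "<hex>  <name>".
MANIFEST = "\n".join([
    "# app 1.4.2",
    f"{sha256_hex(TARBALL)}  app-1.4.2.tar.gz",
    f"{sha256_hex(HELPER_GOOD)}  helper.sh",
    f"{sha256_hex(README)}  README.txt",
])

# What landed on the build agent: helper.sh altered, README.txt missing, an extra file present.
DOWNLOADED = {
    "app-1.4.2.tar.gz": TARBALL,
    "helper.sh": HELPER_TAMPERED,
    "extra.bin": b"not in manifest",
}
# A download that should pass.
CLEAN = {"app-1.4.2.tar.gz": TARBALL, "helper.sh": HELPER_GOOD, "README.txt": README}

def parse_manifest(text: str) -> dict:
    """Return {name: hex digest}; raise on anything that is not a well-formed entry."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")   # '*' marks binary mode in coreutils
        if entries.get(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name!r} in manifest")
        entries[name] = digest
    return entries

def verify(manifest_text: str, artifacts: dict) -> dict:
    """Compare every listed artifact; the build passes only if all four lists but 'ok' are empty."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        if name not in artifacts:
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    # Files nobody vouched for must not slip into the build either.
    report["unlisted"] = sorted(set(artifacts) - set(expected))
    report["passed"] = not (report["mismatch"] or report["missing"] or report["unlisted"])
    return report

if __name__ == "__main__":
    for label, files in (("tampered download", DOWNLOADED), ("clean download", CLEAN)):
        print(label, verify(MANIFEST, files))
```

A checksum file fetched from the same place as the artifact only detects corruption, not substitution: an attacker who can replace the tarball can regenerate the sums. The publisher's signature over the manifest (what Notary and in-toto carry) is the part that closes that gap, and the check belongs where the artifact is consumed, not only where it was built.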
21 Policy trumps checklists. Build your policy into your runtime platform. Beware of the cultural and political implications. (image: https://pxhere.com/de/photo/1455413)
22 Keep the ghosts away! (image: https://pxhere.com/de/photo/791236)
23 [email protected] / http://www.twitter.com/NicolasByl