Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping-Up-WithUpstream.pdf

Nicolas Byl
September 06, 2019
Technology
0
60

 Keeping-Up-WithUpstream.pdf

Nicolas Byl

September 06, 2019
Tweet

More Decks by Nicolas Byl

See All by Nicolas Byl
Lean Prototyping for Industrial-IoT Projects
nbyl
0
13
DevSecOps - Vom Unikum zur gut geölten Maschine
nbyl
0
31
Securing your software supply chain
nbyl
0
180
Dr. Kube und der Helm - Anatomie einer CD-Pipeline
nbyl
0
63
Securing the "other" supply chain
nbyl
0
180
Kubernetes - Auf die Cluster, Fertig, Los!
nbyl
0
84
Helm - Kubernetes Deployments richtig gemacht
nbyl
0
66
It's the developers, stupid!
nbyl
0
100
Das Gruselkabinett des Dr. Kube
nbyl
0
190

Other Decks in Technology

See All in Technology
テスト技法を使ったテストケースの表現方法/How to express test cases using test techniques
shimashima35
0
250
エンジニアのためのマネジメント入門/Introduction to Management for Software Engineers
dskst
1
280
人生がときめく自宅ネットワークの魔法
tatematsu_san
1
300
作って理解するバックドア
ad5jp
0
210
QMファンネルとQAキャリア
gen519
PRO
1
140
ノーコードAI開発プラットフォーム「AIMINA」のシステム設計コンセプトと技術的チャレンジ
sbtechnight
PRO
0
350
ITエンジニアとして大切にしている3つのこと
korodroid
1
250
就活は相談したもの勝ち
carta_engineering
0
110
PHP で学ぶ Cache の距離の話 / study_cache_with_php
hanhan1978
3
420
売上と開発環境を同時に改善するためにPerl Webアプリケーションをどのようにリプレイスするか
masashi_sutou
0
250
S3からBigQueryへ閉域ネットワーク経由でデータ転送する方法
sbtechnight
PRO
0
380
Bluesky と Android / Bluesky and Android
akiomik
0
110

Featured

See All Featured
The Invisible Side of Design
smashingmag
292
49k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
A better future with KSS
kneath
230
16k
The Cult of Friendly URLs
andyhume
70
5.2k
The Power of CSS Pseudo Elements
geoffreycrofte
53
4.4k
The Art of Programming - Codeland 2020
erikaheidi
36
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
643
55k
Agile that works and the tools we love
rasmusluckow
321
20k
Building Your Own Lightsaber
phodgson
96
4.9k
Support Driven Design
roundedbygravity
88
8.9k
Code Reviewing Like a Champion
maltzj
508
38k
Building Flexible Design Systems
yeseniaperezcruz
314
35k

Transcript

  1. 1
    Nicolas Byl

    View Slide

  2. 2
    This talk may
    contain fictional
    elements…
    2
    https://pxhere.com/de/photo/738184

    View Slide

  3. 3
    Part 1
    Marley’s Ghost
    3
    https://pxhere.com/de/photo/237

    View Slide

  4. 4
    A few days ago, in
    our café…
    4
    https://pxhere.com/de/photo/39

    View Slide

  5. 5
    Part 2
    The ghost of
    DevSecOps past
    5
    https://pxhere.com/de/photo/237

    View Slide

  6. 6
    At the backlog
    grooming…
    6
    https://pxhere.com/de/photo/1434201

    View Slide

  7. 7
    “Our development environment is a production
    environment”
    1
    Management and ownership needed for Build Server,
    Source Control, …
    Is there a pre-Dev environment?
    2
    3
    7
    7
    https://pxhere.com/de/photo/1033572

    View Slide

  8. 8
    Gathering metrics to support DevSecOps feedback
    loops
    1
    Understand and customize metrics
    Action is required
    2
    3
    8
    8
    https://pxhere.com/de/photo/893775

    View Slide

  9. 9
    Part 2
    The ghost of
    DevSecOps present
    9
    https://pxhere.com/de/photo/237

    View Slide

  10. 10
    In the middle of the
    night…
    1
    0
    https://pxhere.com/de/photo/1391800

    View Slide

  11. 11
    Source Code Analysis
    FindBugs, SonarQube, SAST, DAST
    1
    Dependency Analysis
    Maven, NPM, Pythin, Perl, …
    Operating Systems
    DEB, RPM, …
    Docker Images
    Anchore, clair, Aqua, snyk
    2
    3
    4
    11
    1
    1
    https://pxhere.com/de/photo/6643025

    View Slide

  12. 12
    Source Code Analysis
    FindBugs, SonarQube, SAST, DAST
    1
    Dependency Analysis
    Maven, NPM, Pythin, Perl, …
    Operating Systems
    DEB, RPM, …
    Docker Images
    Anchore, clair, Aqua, snyk
    2
    3
    4
    12
    1
    2
    https://pxhere.com/de/photo/893775

    View Slide

  13. 13
    How do you notify independent teams of needed
    actions?
    1
    Separate signals from noise
    Consolidate update sources (GitHub / GitLab, Docker
    Hub, binary repositories, mailing lists, …)
    Internal vs. external dependencies
    2
    3
    4
    13
    1
    3
    https://pxhere.com/de/photo/1565823

    View Slide

  14. 14
    Prepare for failure…
    1
    4
    https://pxhere.com/de/photo/1073983

    View Slide

  15. 15
    GitOps as single source of truth (source code, delivery
    code, infrastructure code)
    1
    Consider dynamic environments, record data for later
    analysis
    What was running at time X?
    Consider version pinning (library versions, Docker
    Image SHA sum)
    2
    3
    4
    15
    1
    5
    https://pxhere.com/de/photo/137541

    View Slide

  16. 16
    Part 3
    The ghost of
    DevSecOps future
    1
    6
    https://pxhere.com/de/photo/237

    View Slide

  17. 17
    At dawn…
    1
    7
    https://pxhere.com/de/photo/39

    View Slide

  18. Avoid Tree-Ring-Projects
    Don’tnotify aboutupdates, provide them
    Keep an eye on the current security statistics
    18
    https://pxhere.com/de/photo/1209019

    View Slide

  19. Don’t reinvent the wheel
    There is a reason for spezialisation
    Solve common problems with spezialized teams
    19
    https://pxhere.com/de/photo/1235822

    View Slide

  20. Make artifacts and the whole delivery process
    verifiable
    Preserve integrity of your binaries
    Use Docker Notary, Grafeas, in-toto, …
    20
    https://pxhere.com/de/photo/910704

    View Slide

  21. Policy trumps checklists
    Build your policy into your runtime platform
    Beware of cultural and political implications
    21
    https://pxhere.com/de/photo/1455413

    View Slide

  22. 22
    Keep the ghosts
    away!
    2
    2
    https://pxhere.com/de/photo/791236

    View Slide

  23. 23
    [email protected]
    23
    http://www.twitter.com/NicolasByl

    View Slide