Keeping Up With Upstream (Keeping-Up-WithUpstream.pdf)
Nicolas Byl
September 06, 2019
Transcript
1 Nicolas Byl
2 This talk may contain fictional elements… (photo: https://pxhere.com/de/photo/738184)
3 Part 1: Marley’s Ghost (photo: https://pxhere.com/de/photo/237)
4 A few days ago, in our café… (photo: https://pxhere.com/de/photo/39)
5 Part 2: The ghost of DevSecOps past (photo: https://pxhere.com/de/photo/237)
6 At the backlog grooming… (photo: https://pxhere.com/de/photo/1434201)
7 “Our development environment is a production environment”
  - Management and ownership are needed for the build server, source control, …
  - Is there a pre-Dev environment?
  (photo: https://pxhere.com/de/photo/1033572)
8 Gathering metrics to support DevSecOps feedback loops
  - Understand and customize metrics
  - Action is required
  (photo: https://pxhere.com/de/photo/893775)
9 Part 2: The ghost of DevSecOps present (photo: https://pxhere.com/de/photo/237)
10 In the middle of the night… (photo: https://pxhere.com/de/photo/1391800)
11 Where findings come from
  - Source code analysis: FindBugs, SonarQube, SAST, DAST
  - Dependency analysis: Maven, NPM, Python, Perl, …
  - Operating systems: DEB, RPM, …
  - Docker images: Anchore, Clair, Aqua, Snyk
  (photo: https://pxhere.com/de/photo/6643025)
12 (repeats the content of slide 11; photo: https://pxhere.com/de/photo/893775)
13 How do you notify independent teams of needed actions?
  - Separate signals from noise
  - Consolidate update sources (GitHub / GitLab, Docker Hub, binary repositories, mailing lists, …)
  - Internal vs. external dependencies
  (photo: https://pxhere.com/de/photo/1565823)
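One way to turn the three points on this slide into a routine, shown here as an added example that is not the speaker's code: notices arriving from several sources are de-duplicated, releases that carry no security fix are dropped, and only teams whose inventory actually runs a version below the fix receive an action, with in-house components routed differently from upstream ones. The inventory, the notices and every field name are constructed for the example.

```python
"""Consolidate update notices from several sources and route the ones that
matter to the team that owns the affected dependency.

Added example for this talk, not the speaker's code. The inventory, the
notices and the field names are constructed for illustration."""
import re
from collections import defaultdict

# Constructed dependency inventory: one row per (team, dependency) actually
# in use. "internal" marks components built in-house, where the fix is a
# release from the owning team rather than an upstream bump.
INVENTORY = [
    {"team": "payments", "ecosystem": "maven",  "name": "org.apache.commons:commons-text", "version": "1.8",     "internal": False},
    {"team": "payments", "ecosystem": "docker", "name": "library/nginx",                   "version": "1.17.2",  "internal": False},
    {"team": "search",   "ecosystem": "npm",    "name": "lodash",                          "version": "4.17.11", "internal": False},
    {"team": "search",   "ecosystem": "maven",  "name": "com.example:shared-auth",         "version": "2.3.0",   "internal": True},
]

# Constructed notices as they look after each source (GitHub releases,
# Docker Hub, a mailing list, the internal repository) has been normalised.
NOTICES = [
    {"source": "github",        "ecosystem": "npm",    "name": "lodash",                          "fixed_in": "4.17.12", "security": True},
    {"source": "mailing-list",  "ecosystem": "npm",    "name": "lodash",                          "fixed_in": "4.17.12", "security": True},   # same fix, second source
    {"source": "docker-hub",    "ecosystem": "docker", "name": "library/nginx",                   "fixed_in": "1.17.3",  "security": False},  # feature release: noise
    {"source": "github",        "ecosystem": "maven",  "name": "org.apache.commons:commons-text", "fixed_in": "1.7",     "security": True},   # inventory is already at 1.8
    {"source": "github",        "ecosystem": "pypi",   "name": "requests",                        "fixed_in": "2.22.0",  "security": True},   # nobody runs it
    {"source": "internal-repo", "ecosystem": "maven",  "name": "com.example:shared-auth",         "fixed_in": "2.3.1",   "security": True},
]


def parse_version(version: str) -> tuple:
    """Numeric-only comparison key. Sufficient for the pinned versions above;
    not a full semver, Maven or PEP 440 comparator."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def route_notices(inventory: list, notices: list, security_only: bool = True) -> dict:
    """Map team -> list of actions. A notice yields an action only once per
    (ecosystem, name, fixed_in), only if it is security relevant (when
    security_only is set), and only for teams running a version below the fix."""
    seen = set()
    actions = defaultdict(list)
    for notice in notices:
        key = (notice["ecosystem"], notice["name"], notice["fixed_in"])
        if key in seen:
            continue  # duplicate announcement from another source
        seen.add(key)
        if security_only and not notice["security"]:
            continue  # plain feature update: do not page anyone
        for dep in inventory:
            if (dep["ecosystem"], dep["name"]) != (notice["ecosystem"], notice["name"]):
                continue  # not in this team's inventory
            if parse_version(dep["version"]) >= parse_version(notice["fixed_in"]):
                continue  # already at or above the fixed version
            actions[dep["team"]].append({
                "name": dep["name"],
                "from": dep["version"],
                "to": notice["fixed_in"],
                "kind": "release fix from owning team" if dep["internal"] else "bump upstream dependency",
                "source": notice["source"],
            })
    return dict(actions)


if __name__ == "__main__":
    for team, todo in route_notices(INVENTORY, NOTICES).items():
        for action in todo:
            print(f"{team}: {action['name']} {action['from']} -> {action['to']} ({action['kind']})")
```

Only the search team is paged for the constructed data: the duplicate lodash notice collapses into one action, the nginx feature release and the already-fixed commons-text notice are filtered out, and the internal shared-auth component is flagged as something its owning team must release rather than something to bump.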
14 Prepare for failure… (photo: https://pxhere.com/de/photo/1073983)
15 GitOps as single source of truth (source code, delivery code, infrastructure code)
  - Consider dynamic environments; record data for later analysis
  - What was running at time X?
  - Consider version pinning (library versions, Docker image digests)
  (photo: https://pxhere.com/de/photo/137541)
16 Part 3: The ghost of DevSecOps future (photo: https://pxhere.com/de/photo/237)
17 At dawn… (photo: https://pxhere.com/de/photo/39)
18 Avoid tree-ring projects
  - Don’t notify about updates, provide them
  - Keep an eye on the current security statistics
  (photo: https://pxhere.com/de/photo/1209019)
19 Don’t reinvent the wheel
  - There is a reason for specialisation
  - Solve common problems with specialised teams
  (photo: https://pxhere.com/de/photo/1235822)
20 Make artifacts and the whole delivery process verifiable
  - Preserve the integrity of your binaries
  - Use Docker Notary, Grafeas, in-toto, …
  (photo: https://pxhere.com/de/photo/910704)
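What "verifiable delivery process" means in practice, as an added example that is not the speaker's code: each pipeline step records the digests of what it consumed and what it produced in a signed link, and a verifier refuses the final artifact unless the links are authentic, appear in the expected order and agree with each other. It is loosely modelled on the idea behind in-toto link metadata but is not in-toto's format, API or signature scheme; HMAC with a constructed per-step secret stands in for the asymmetric signatures a real setup would use.

```python
"""Record each delivery step as a signed link (materials in, products out)
and refuse to deploy unless the chain of links is intact.

Added example for this talk, loosely modelled on the idea behind in-toto
link metadata; it is not in-toto's format, API or signing scheme. HMAC with
a per-step secret stands in for asymmetric signatures so the example runs
on the standard library alone."""
import hashlib
import hmac
import json

# Constructed per-step keys and the expected step order (the "layout").
STEP_KEYS = {"build": b"build-step-secret", "package": b"package-step-secret"}
LAYOUT = ["build", "package"]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_link(step: str, materials: dict, products: dict, key: bytes) -> dict:
    """Record what a step consumed and produced (name -> SHA-256) and sign it."""
    body = {
        "step": step,
        "materials": {name: digest(data) for name, data in materials.items()},
        "products": {name: digest(data) for name, data in products.items()},
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"signed": body, "sig": sig}


def verify_chain(links: list, keys: dict, layout: list, artifact: bytes) -> tuple:
    """Return (ok, reason). ok only if the steps appear in layout order, every
    link is signed with its step's key, nothing a step produced was altered
    before the next step consumed it, and the artifact about to be deployed
    is a product of the final step."""
    steps = [link["signed"]["step"] for link in links]
    if steps != layout:
        return False, f"step order {steps} does not match layout {layout}"
    for link in links:
        step = link["signed"]["step"]
        expected = hmac.new(keys[step], _canonical(link["signed"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return False, f"bad signature on step {step}"
    for prev, cur in zip(links, links[1:]):
        for name, seen in cur["signed"]["materials"].items():
            produced = prev["signed"]["products"].get(name)
            if produced is not None and produced != seen:
                return False, f"{name} changed between {prev['signed']['step']} and {cur['signed']['step']}"
    if digest(artifact) not in links[-1]["signed"]["products"].values():
        return False, "artifact is not a product of the final step"
    return True, "ok"


def demo(tamper: bool = False) -> tuple:
    """Run a two-step pipeline on constructed data; with tamper=True the
    binary is modified after the build step has recorded it."""
    source = b"print('hello')\n"
    app_bin = b"\x7fELF-constructed-binary"
    build = sign_link("build", {"src/main.py": source}, {"app.bin": app_bin}, STEP_KEYS["build"])
    if tamper:
        app_bin += b"\x90"  # e.g. a backdoored binary swapped in on the build host
    app_tar = b"tar:" + app_bin
    package = sign_link("package", {"app.bin": app_bin}, {"app.tar": app_tar}, STEP_KEYS["package"])
    return verify_chain([build, package], STEP_KEYS, LAYOUT, app_tar)


if __name__ == "__main__":
    print(demo())             # (True, 'ok')
    print(demo(tamper=True))  # (False, 'app.bin changed between build and package')
```

The point of the chain check is that a binary swapped between two steps is caught even though each individual link is correctly signed: the packaging step honestly recorded what it saw, and what it saw no longer matches what the build step produced.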
21 Policy trumps checklists
  - Build your policy into your runtime platform
  - Beware of cultural and political implications
  (photo: https://pxhere.com/de/photo/1455413)
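The pinning advice from slide 15 and "build your policy into your runtime platform" from this slide meet in an admission check. The following is an added example, not the speaker's code and not an OPA/Gatekeeper or Kyverno policy: it encodes, in plain Python, the rules such a policy would carry (images pinned by digest, no floating tags, approved registries only, exact pins in a requirements file) and runs them over a constructed Deployment manifest. The registry allowlist and the sample inputs are assumptions.

```python
"""Admission-style policy check over a Kubernetes manifest: every container
image must be pinned by digest and come from an approved registry, and a
requirements file must pin exact versions.

Added example for this talk, not the speaker's code and not a policy-engine
rule; it shows the logic you would encode in one. The registry allowlist,
the manifest and the requirements text are constructed."""
import re

ALLOWED_REGISTRIES = {"registry.example.com"}  # assumption: your internal registry
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str) -> dict:
    """Split 'registry/path:tag@sha256:...' into parts. As in Docker, the
    first path component is a registry only if it looks like a host name."""
    name, _, digest = ref.partition("@")
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "path": path, "tag": tag, "digest": digest or None}


def _images(obj) -> list:
    """Every image reference under any containers/initContainers list."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in ("containers", "initContainers") and isinstance(value, list):
                found += [c.get("image", "") for c in value if isinstance(c, dict)]
            else:
                found += _images(value)
    elif isinstance(obj, list):
        for item in obj:
            found += _images(item)
    return found


def check_manifest(manifest: dict, allowed=ALLOWED_REGISTRIES) -> list:
    """Return policy violations as (image, rule) tuples; an empty list means admit."""
    violations = []
    for image in _images(manifest):
        parts = parse_image_ref(image)
        if parts["digest"] is None or not DIGEST_RE.match(parts["digest"]):
            violations.append((image, "image not pinned by sha256 digest"))
        if parts["tag"] == "latest" or (parts["tag"] is None and parts["digest"] is None):
            violations.append((image, "floating tag"))
        if parts["registry"] not in allowed:
            violations.append((image, f"registry {parts['registry']} not allowed"))
    return violations


def check_requirements(text: str) -> list:
    """Lines of a pip requirements file that are not pinned with '=='."""
    bad = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "==" not in line:
            bad.append(line)
    return bad


# Constructed Deployment (kubectl accepts JSON as well as YAML) and requirements file.
PINNED = "sha256:" + "a" * 64
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "docker.io/library/busybox@" + PINNED}],
        "containers": [
            {"name": "api", "image": "registry.example.com/payments/api:1.4.2@" + PINNED},
            {"name": "proxy", "image": "nginx:latest"},
        ],
    }}},
}
SAMPLE_REQUIREMENTS = "requests==2.22.0\nflask>=1.0  # floating\n# comment only\npyyaml\n"

if __name__ == "__main__":
    for image, rule in check_manifest(SAMPLE_MANIFEST):
        print(f"DENY {image}: {rule}")
    print("unpinned requirements:", check_requirements(SAMPLE_REQUIREMENTS))
```

Run against the constructed manifest, only the api container passes; nginx:latest fails all three image rules and the digest-pinned busybox still fails on registry. In a cluster the same rules would live in a validating admission webhook or a policy engine so that a manifest violating them is rejected at apply time instead of being an item on a checklist, which is what "policy into the runtime platform" buys you.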
22 Keep the ghosts away! (photo: https://pxhere.com/de/photo/791236)
23 [email protected]
   http://www.twitter.com/NicolasByl