DevSecOps Workshop: Putting Security Checks into your Build Pipeline
The main conference day offers 18 sessions, subdivided into three parallel tracks, focussing on topics like Modern Cloud & Container Infrastructure, DevSecOps and DevOps Transformation. And not only that – various surprises await you throughout the day. So it’s worth booking June 29-30 in your calendar, so you won’t miss anything exciting!
Whether you’re working from home or in the office, you decide from where you would like to take part.
Save on travel and hotel costs, as well as what matters most: your time!
Our seasoned and trusted DevOps Con speakers are highly experienced with the learning opportunities of online conferences and workshops.
On the main conference day, you can choose from 3 parallel sessions and switch between them at any time.
On the workshop days you can expect live coding and practical exercises on selected topics that cover state of the art technologies.
You will follow the speaker’s presentation via video stream and will be guided through the learning content.
All sessions on the main conference day will be recorded and made available to you after the conference is over.
Online workshop participants will also be provided with a recording so they can follow up on the content.
Interaction is a key focus of our online workshops!
With special Q&A sessions, a chat function, and the possibility for audio/video communication, individual questions can be taken into account and the pace of the workshop can be adjusted accordingly.
Virtual Get-Together – an online meeting with our experts in three virtual rooms on predefined topics.
The basic idea behind the DevOps principle is to bridge the gaps between different disciplines of IT and to speed up delivery cycles. You can easily imagine what this means for individuals and for whole teams. It becomes more difficult when discussing the impact of DevOps on entire organizations and their ways of working. The DevOps transformation has some similarities with the agile transformation most companies are working on. However, DevOps transformation goes further than agile approaches. I will introduce our approach to applying DevOps principles at Hermes Germany and how we are trying to get things right. In my talk I’ll discuss how we aligned business and IT. I will also introduce our approach to developing our people and transforming our organization to make use of the new possibilities that both DevOps principles and new technology offer. For example, at the current state of our journey, our organization looks completely different than at the start. And like all journeys, our journey comes with its own obstacles and pitfalls that we needed to solve. I address some of these and show potential solutions.
Your organization is evolving, moving towards managed services in one of the cloud offerings, but still relying on self-managed servers. Your team is comfortable managing and automating virtual servers, and is able to package services on the servers as you need them. You’ve been thinking of moving to containers, but felt too intimidated by the idea of managing your own container infrastructure. Just the idea of learning Kubernetes gives you that eerie feeling every time you think of all the things that could possibly go wrong. There must be an easier way of getting on board that ship... You’ve learned about the fully managed AWS Fargate service, but there just wasn’t proper justification for taking that route. This talk explores the motivating factors to make that move and start deploying containers within your organization.
Audience & Requirements
In this talk I share my experience over the past 20 years, during which I have worked with a large number of companies, both in person and remotely. Today I run a remote-first company that successfully implements agile practices.
Before IT organizations can reap the benefits Kubernetes provides for application delivery and orchestration, they must select, install and integrate the required components into the existing IT stack, ensure compliance with security standards and implement tools and processes for the reliable operation of the container platform. This talk will discuss five pillars of production-grade Kubernetes and demonstrate how an open-source solution like Rancher can significantly accelerate the initial implementation of Kubernetes and provide operations teams with a single, consistent tool to manage Kubernetes on any infrastructure.
How are you integrating security into the development process? Are you able to test for security without slowing down your developers? We’d like to share our new initiatives in addressing this familiar challenge. Veracode recently announced our new Static Analysis product family, which combines our existing static scan types with a new Pipeline Scan. Veracode Static Analysis now incorporates the IDE Scan, which helps developers learn as they code and prevent new flaws; the Pipeline Scan, which provides feedback quickly so that production isn’t halted; and the Policy Scan for reporting that satisfies security and auditor requirements. Please join us for this insightful session: we want to hear your challenges, answer your questions, and show you our latest technology and how it can address your application security problems. In this session, you’ll get:
Deep learning achieves the best performance for many computer vision, natural language processing, and recommendation tasks and is thus becoming increasingly popular. However, it’s quite difficult to use deep learning in production, as it requires a lot of effort to develop proper infrastructure for serving deep learning models. Platforms for serverless computing, such as AWS Lambda, provide a good alternative: they take care of scaling up and down and offer attractive pricing based only on actual usage. These platforms, unfortunately, have other limitations that make this problematic. In this talk, we show how to work around these limitations and use AWS Lambda and TensorFlow to serve deep learning models. We also discuss important maintenance aspects such as cost optimization, monitoring, deploying, and release management. Finally, we cover the limitations of AWS Lambda, compare it with “serverful” solutions, and suggest workloads for which serverless is not the best option.
The market demands ever faster reactions from companies to changing customer behaviour and is thus establishing an on-demand culture. DevOps methods have proven themselves as a way to meet these new requirements. In doing so, it is essential to operate the CI/CD pipeline, containers and web applications securely. In the webinar we show you how to:
Traditional software development occurs in phases, where QA, security and other roles act as gatekeepers to production. This leads to silos, delays and it doesn’t scale. So, instead of waiting for a human to decide what is and isn’t valid, learn how to use automation to continuously enforce standards in your software. Let’s turn gatekeepers into build breakers!
Investigating production issues in a microservice architecture can make you feel like Sherlock Holmes, searching through evidence and gathering sources to recreate the scene of a crime. Often, this investigation involves digging into multiple log stores and dashboards to piece together an understanding of an issue. This is costly for engineering teams and customers – time spent sifting through clues only further delays the resolution. Distributed tracing can help. With distributed tracing, we see a request’s path through a complex system. But is that enough? At Netflix, we have taken distributed tracing, added in log correlation (with high-quality, detailed logs) and layered analysis on top. Not only does this reduce time for engineers to understand the root cause of an issue, we’ve provided this tool to customer operations, empowering them to understand the root cause and escalate with clarity. You’ll leave this talk with an understanding of distributed tracing and how to supplement traces with logs. You’ll see examples of how to shape your logs to clarify the business logic underneath a microservice’s response, and you’ll understand how tracing is the lynchpin to the type of detailed insights that will cut down on the cost of your team’s operational burden.
Do you want to make sure your workload doesn't crash your cluster? In this hands-on session, we show how to enforce resource limits on Pods. We will help you understand how the scheduler works and what kubelet eviction is for. We will also discuss PodPriority, which is used to evict less important Pods in favor of more important ones.
During this presentation, I will discuss and demonstrate how to orchestrate, automate, control and visualise your Software Delivery Pipelines from end to end at scale.
This session will include:
SSH connections reach the most sensitive systems in your infrastructure. Many organizations treat them with less login scrutiny than expense report applications. SSH should be integrated with SSO and other layers of security and logging without bogging down DevOps teams.
Organisations are speeding up their digitalisation and cloud adoption. To achieve business agility in the competitive global market and protect their brand reputation, many businesses are turning to DevSecOps.
But rolling out a successful DevSecOps program is not as simple as it might look. In this talk Ema will share the other industry-related drivers for increasing secure coding hygiene, the challenges involved, and how businesses roll out a secure coding program. Ema will also cover the most frequently seen vulnerabilities across all languages that are specific to the DACH region, how they relate to the OWASP Top 10 and SANS Top 25, and link those vulnerabilities to major cyber incidents.
In this 45-minute webinar we create a Kubernetes cluster together with our Kubernetes expert and deploy a first application. Along the way we introduce you to the basics of Kubernetes and cover, among others, the following topics:
Operators are extensions to Kubernetes that simplify application installation and management by leveraging Custom Resources to manage applications.
The Kubernetes Operator pattern tries to emulate the role of a human operator, who uses their deep knowledge of the application to install, operate and debug it. Kubernetes Operators aim to automate these tasks and facilitate the whole application life-cycle.
In this talk, we will explain how we use Kubernetes Operators at OVHcloud, and how they help us operate our Managed Kubernetes service at scale.
We will illustrate the talk with three concrete examples: the Harbor Operator, the LoadBalancing Operator and our upcoming NodePool Operator.
Containers are all the rage these days. They’re fast, they make deployment easy, they handle dependencies, they slice, they dice, they make julienne fries! But… what are they? What exactly is a container and how does it work? Just how does a container differ from the “old” silver bullet, virtual machines?
Here’s a hint: It has nothing to do with boats, or whales, or shipping. That’s all marketing fluff.
Containers are simply a shorthand name for leveraging newer features of operating system kernels that let the OS lie to programs about how they’re running. In fact, all of modern software is built on lies. That’s what’s useful about it!
To understand how that works, why it’s so useful, and where it’s not, let’s dive into how software actually works on a modern Linux system to see how those kernel features fit into the big picture, building up to “containers” along the way. Pull back the veil of lies and see how your computer really works.
Some DevOps transformations flourish, but many others are stalling. Why is that? This talk will make the case that Operations is the most predictable differentiator.
So much of the energy in DevOps has been about activities that start in Dev and move towards Ops — continuous delivery, deployment pipelines, automated testing, and of course, the unofficial mantra of “deploy, deploy, deploy.“ However, when it comes to Operations, too many DevOps transformations maintain the status quo and leave questionable Operations practices in place.
This talk will first examine the trouble with the various siloed, ticket-driven, low trust, and centralized practices that have been accepted in Operations for far too long. Then we will look at the specific techniques used by high-performing Operations organizations who are fundamentally transforming how they operate.
Sebastian Meyen, DevOpsCon chair, will welcome you to the DevOpsCon Online Edition and introduce you to the conference program.
By embracing the DevOps methodology we are living in a different era: one in which the speed of new releases of software products is necessarily much higher than in the past: "Users in the business are happy with that, but security people have a lot of trouble with it". Part of the solution is the integration of automated security testing into the DevOps toolchain. This is crucial to be able to intervene quickly and on time. Every time a new version of an application or process is introduced, you know that its security is fact-based. This approach is also known as Evidence Based Security Testing. Topics covered are:
The presentation covers: Security Testing, DevOps, Agile Test Automation, Test Tooling, FitNesse, ZAP, OWASP Top 10, CI/CD.
If you’ve been using Terraform just by following the official documentation, you are not getting everything out of it. As soon as a cloud provider announces a new service or feature, you dream that Terraform has zero-day support for it. Well, it is not always like this, and I will show what we can do about it. Are you using Terraform and keep asking yourself why you have to copy-paste so much? What if you need to manage more than a dozen resources with Terraform (e.g., hundreds of GitHub repositories with permissions, or hundreds of IAM users and their permissions)? How can you use Terraform with GitHub Actions as an onboarding tool? What is beyond Terraform modules? What is a really dynamic module, and what will Terraform 0.12 help us with? Let's see the advanced solutions for how Terraform can be extended, integrated, executed, or merely hacked to get the job done with the help of external open-source services and integrations.
Digital transformation requires transformational talent. As more organizations move forward with DevOps, the principle of "shifting left" is opening up opportunities for developers, operational staff, security and others to supplement their core competencies with a broad set of general skills, so as to migrate from an I-shaped specialist to a multi-dimensional T-shaped professional. T-shaped practitioners are in the highest demand in the talent market today. For most IT professionals, it’s easy to identify the depth of knowledge that forms the stem of the T (e.g., development). Grooming the right skills for the right role at the top of the T (e.g., testing) can be more challenging. In this session, Jayne Groll will explore emerging trends in DevOps skills modernization by presenting the benchmarks and insights from the first Upskilling: 2019 Enterprise DevOps Skills Report. The fact-based report was fielded by the DevOps Institute and is based on a detailed global DevOps open community survey as well as interviews with several enterprises, industry and hiring leaders. Groll will also help attendees understand the characteristics of the T-shaped model and provide guidance for getting started in building personal and organizational learning paths.
Agile DevOps organizations often still rely on legacy AppSec solutions such as static and dynamic Application Security Testing and Web Application Firewalls, which produce a lot of false positives and don’t fit very well into today’s processes. With application instrumentation we can protect applications from the inside out: faster, more efficient, significantly better security, more scalable.
Contrast Security is a comprehensive AppSec platform combining Interactive Application Security Testing (IAST), Software Composition Analysis (SCA) and Runtime Application Self-Protection (RASP). Contrast automatically detects and fixes vulnerabilities and defends against targeted attacks and bots, with no scanning or scheduling required. Contrast is not a scanner or static analysis tool. Instead, Contrast uses software instrumentation to both find vulnerabilities and block attacks. The instrumentation approach provides access not only to the code and HTTP traffic, but also to full data flow, control flow, configuration, libraries and frameworks, architecture, and much more. This wealth of information yields incredible accuracy. And because Contrast is fully embedded throughout your SDLC and provides results in real time, you can provide security at DevOps speed and portfolio scale.
- Challenges of agile development and security teams
- Burden of legacy AppSec tools in SSDLC
- How Application Instrumentation works
- How fully embedded AppSec model speeds up your processes
What does it mean for our software and systems to be resilient during a global pandemic? What does Resilience mean when there's not only technical impact, but it affects the talented engineers tasked with keeping it all running? What does it mean to be Resilient as we all adjust to the "new normal" we're confronted with? We'll discuss the questions and some potential answers, through the lens of how the Netflix Critical Operations & Reliability Engineering (CORE) team grappled with the situation and what we're thinking for the future.
Easy-to-understand monoliths are giving way to distributed systems: microservices, serverless, meshes, and proxies in every possible combination. These systems offer developers the freedom to build new features and technology faster, as they are no longer beholden to the elaborate release processes associated with monolithic architecture.
But, like all good things, there is a price: distributed systems are inherently difficult to operate and maintain. When something breaks—which it invariably will—how can you quickly comb through the myriad dependencies? How can you separate good hypotheses from bad ones?
Learn how observability helps developers understand multi-layered architectures: what’s slow, what’s broken, and what needs to be done to improve performance.
Modern software demands velocity, and traditional “outside in” scanning and firewalling are creating bottlenecks and slowing things down. In this talk, Jeff will approach application security from the “inside out”. We will show you how to create simple agents that get inside a running application (like a profiler or debugger) and give you access to everything you need for fantastic security observability. We’ll demonstrate real agents that identify vulnerabilities without changing any code, scanning, or extra steps. We’ll identify vulnerabilities, analyze access control, and even prevent RCE attacks. Unlike scanning and firewalling, this approach establishes a safe and powerful way for development, security, and operations teams to collaborate. We’ll discuss how software security instrumentation works, how it’s being used in many organizations, and the implications for the practice of application security.
It is clear that utilising the cloud is a trend that continues to grow. It is important to realise that risks and challenges grow at a similar or higher rate. In this talk Taco Scargo will highlight 10 tips everyone can benefit from on their journey into the cloud and DevSecGitOps. Learn how companies like Apple, Netflix, Twitter and Uber benefitted from the technology solutions from D2iQ.
Applications built over the years carry historical design assumptions, such as that a few hours of downtime for maintenance upgrades every six months is acceptable. Today, embracing continuous delivery practices means more frequent releases, which means more downtime. This is the problem Poppulo faced and successfully overcame, going from monthly deployments with a couple of hours of downtime to zero-downtime deployments on demand. Pierre Vincent will show that by mapping out a deployment process, it becomes possible to progressively reduce its impact on users. He will also give practical advice on how to avoid downtime, such as online database migrations or progressive application rollouts. Finally, he will go through the operational improvements required to have consistent, repeatable, and observable deployments so that you can have the confidence to run them with live traffic. Zero-downtime deployments don’t mean that everything stays up, or that everything is immediately running the latest version; they simply mean users don’t notice a thing while all this is happening.
Sophisticated engineering and state-of-the-art technology combined in one drone: with the Mavic 2 Pro and its iconic Hasselblad image quality, you will rediscover the world of aerial photography in outstanding detail.
Register now for the Online Edition and, with a bit of luck, win a Mavic 2 Pro drone worth €1,499!
We’re keeping our fingers crossed for you!