This document summarizes Derek Weeks' presentation on analyzing open source software supply chains using metrics like time to remediate vulnerabilities, time to update dependencies, and prevalence of stale dependencies. It finds that projects which release frequently, update dependencies quickly, and have larger development teams tend to be more secure, popular, and well-maintained. Projects are clustered into exemplars, laggards, features-first, and cautious groups based on these metrics. Exemplar projects with small, efficient teams are recommended as the best open source suppliers to use. The document advocates for automating security and supply chain management to achieve faster DevOps feedback loops.
DevOps Friendly Doc Publishing for APIs & Microservices (Sonatype)
Mandy Whaley, CISCO
Microservices create an explosion of internal and external APIs. These APIs need great docs. Many organizations end up with a jungle of wiki pages, swagger docs and API consoles, and maybe just a few secret documents trapped in a chat room somewhere… Keeping docs updated and in sync with code can be a challenge.
We’ve been working on a project at Cisco DevNet to help solve this problem for engineering teams across Cisco. The goal is to create a forward looking developer and API doc publishing pipeline that:
Has a developer friendly editing flow
Accepts many API spec formats (Swagger, RAML, etc)
Supports long form documentation in markdown
Is CI/CD pipeline friendly so that code and docs stay in sync
Flexible enough to be used by a wide scope of teams and technologies
We have many interesting lessons learned about tooling and how to solve documentation challenges for internal and external facing APIs. We have found that solving this doc publishing flow is a key component of building modern infrastructure. This is most definitely a culture + tech + ops + dev story, and we look forward to sharing it with the DevOps Days community.
DevOps and All the Continuouses w/ Helen Beal (Sonatype)
DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg.
DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain.
When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you had Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?
PETKO D. PETKOV
Thanks to the DevSecOps philosophy, a growing number of organisations around the world are ensuring their businesses are set up with security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
DevOps Will Save The World! : Public Safety, Public Policy, and DevOps In Context
Joshua Corman, CTO, Sonatype
Link to video: https://www.youtube.com/watch?v=K-hskShNyoo
Scale DevSecOps with your Continuous Integration Pipeline (DevOps.com)
Hear from AppSec and Development leaders on how they apply the principles of DevOps to deliver secure products and services to customers. Learn how you can scale your DevSecOps initiatives to reduce time-to-deployment and lower costs as you deliver secure software. During this webinar, you will learn about the latest tools and techniques that will enable your development teams to embed security scanning into your IDE as you are coding, returning most scans in seconds – all while integrating into your CI pipeline. Our speaker will provide:
An overview of Veracode Greenlight and its integrations with developer tools;
A summary of recent Greenlight use cases and successes;
Examples of how Greenlight integrates into your CI pipeline
DevSecOps Fundamentals and the Scars to Prove it. (Matt Tesauro)
This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered, including increasing team throughput and engaging and supporting external teams. The idea is to give the audience a leg up on starting a DevSecOps program and allowing them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of DevSecOps quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a DevSecOps journey.
Security Implications for a DevOps Transformation (Deborah Schalm)
If your organization is undergoing a DevOps transformation, you’re probably thinking about where security fits in. All too often, we tack on security testing at the end of the delivery process, which means significant problems go undetected until development is complete. As we adopt DevOps principles and practices, we enable a natural solution to this problem: ensure that security experts are involved throughout the delivery process.
In this webinar, DevOps.com and Puppet defined a reference implementation of DevOps from the ground up, by illustrating how the software delivery process evolves at a hypothetical startup. Once we've laid a technical foundation for DevOps, we discussed the implications for security. We also discussed:
Benefits for and challenges to security during a DevOps transformation
How to craft a DevOps-ready security practice
Refinements of a standard DevOps workflow to address security needs
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
Security as Code: A DevSecOps Approach (VMware Tanzu)
SpringOne 2021
Session Title: Security as Code: A DevSecOps Approach
Speakers: Alvaro Muñoz, Staff Security Researcher at GitHub; Tony Torralba, Software Engineer at GitHub
DevOps and Continuous Delivery Reference Architectures (including Nexus and o... (Sonatype)
There are numerous examples of DevOps and Continuous Delivery reference architectures available, and each of them varies in level of detail, tools highlighted, and processes followed. Yet, there is a constant theme among the tool sets: Jenkins, Maven, Sonatype Nexus, Subversion, Git, Docker, Puppet/Chef, Rundeck, ServiceNow, and Sonar seem to show up time and again.
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" in Ghent, Belgium. Since then the term has come to describe the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote on whether we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands it can no longer ignore the importance of security.
Security Testing for Containerized Applications (Soluto)
Everybody wants to run their code on Kubernetes these days, but it requires a radical change to your deployment process. You want to make sure you don’t create new vulnerabilities when you take this leap. What kind of security tests can you run in this pipeline to assert that this code does not contain any known vulnerabilities?
At Soluto, we started to migrate services to Kubernetes in recent months, and we would like to share with you what we did. In this session I’m planning to cover our CI/CD pipeline, and give extra attention to the following points:
Scanning code dependencies
Scanning containers
Testing for insecure Kubernetes configurations
Securely deploying to a Kubernetes cluster
Join this session to hear our story and learn about many useful tools you can start using today to deploy secure apps to your Kubernetes cluster. All the tools I’ll present are open source tools, so using them should be as simple as possible.
DevOps Workshop, DevOps for DoD Professionals (Tonex)
DevOps and DevSecOps are organizational software engineering culture and best practices, aiming to unify software development (Dev), security (Sec) and operations (Ops).
The main feature and goal is to automate, monitor and apply security at all stages of the software life cycle: planning, development, construction, testing, release, delivery, deployment, operation and monitoring.
DoD’s legacy software acquisition and development practices and processes don't provide the agility to deploy new software “at the speed of operations”.
In addition, security is usually an afterthought, not inbuilt from the start of the lifecycle of the appliance and underlying infrastructure. DevOps and DevSecOps are the industry best practice for rapid, secure software development.
With the increasing demand for security development, testing, and deployment by IT professionals to improve business efficiency, DevOps has become a software development process that emphasizes communication and collaboration between product, software development, and operations professionals.
Tonex Offers DevOps Training Workshop, DevOps for DoD Professionals
The DevOps professional training workshop for DoD professionals will assist you in mastering the art and science needed to enhance the development and operation activities of the whole DoD team.
Participants will use configuration management tools such as Puppet, SaltStack, and Ansible to build expertise in continuous deployment. DoD enterprise DevOps and DevSecOps focus on the Department of Defense's need for DevOps to accelerate IT service delivery.
Participants will improve their knowledge and skills in the DevOps field through comprehensive courses covering DevOps, Git and GitHub, Jenkins CI/CD, configuration management, Docker, Kubernetes and many other concepts.
Training Objectives
Learn how to build DevOps skills to meet team needs
Increase knowledge and skills in DevOps methodology
Use continuous integration and continuous delivery (CI/CD) to improve the productivity to gain a competitive advantage
Build and deepen knowledge about configuration management and containerization
Gain knowledge of Github, Chef, Jenkins, ChefSpec, Inspec, Test Kitchen, Groovy, Maven and JFrog Artifactory
Become skilled at cloud, source code control, deployment automation and DevOps on cloud platforms
Course Outline:
Introduction to DevOps
DoD DevOps Conceptual Model
DoD DevOps Ecosystem
DevOps Tools and Activities
DevOps Implementation
Overview of DevOps and DevSecOps Product Stack
Audience:
Engineers
Program and Project Managers
Developers
Application Team
Software Engineers, Managers and Directors
IT Executives
Operations Managers
QA and Test Engineers and Managers
Project Managers
Release and Configuration Managers
Scrum Masters
Learn More:
https://www.tonex.com/training-courses/devops-workshop-devops-for-dod/
[DevSecOps Live] DevSecOps: Challenges and Opportunities (Mohammed A. Imran)
In this Practical DevSecOps' DevSecOps Live online meetup, you’ll learn about DevSecOps challenges and opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance, on his DevSecOps journey.
He will cover DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session.
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!
DevOps is not a new technology or a product. It’s an approach or culture of software development that seeks stability and performance at the same time that it speeds software deliveries to the business. In this sharing, we will discuss what DevOps is from the CAMS model, which represents culture, automation, measurement and sharing. In addition, I will share some practical experiences from Trend Micro.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Continuous delivery in larger shops can run into people and technological roadblocks related to complex systems and organizational structures. This presentation looks at some of those challenges and how to overcome them.
Node.js core contributor James M Snell will highlight the unique benefits that the Node.js core project brings to the enterprise, as well as share tips and tricks on tools and frameworks that Node.js developers can use when building enterprise-scale cloud apps.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore: is security in DevOps important, who is responsible, and what can teams do to make security a competitive advantage?
Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps (VMware Tanzu)
As IT organizations build and release software continuously, how do security teams become enablers of this pace? How can you ensure that the higher rate of change is not leading to lesser security?
Join our webinar to learn how Pivotal and Signal Sciences work together to make app deployments faster *and* safer in cloud-native environments.
This webinar will cover:
- Best practices for implementing new security programs and incentivizing their adoption
- How to simplify application layer security deployments across a variety of apps, teams and cloud infrastructures
- How threat visibility and real time attack telemetry brings security context into DevOps teams, and improves response times.
Presenters: Zane Lackey, Signal Sciences and Kamala Dasika, Pivotal
XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the... (The Linux Foundation)
The tech world does not live in silos: security vulnerabilities can impact an entire ecosystem (case in point Meltdown and Spectre).
This session will introduce different patterns for managing the disclosure of security vulnerabilities in use today: we will look at what different types of vendors (distros, product vendors, cloud providers or a combination of them) and the Xen Project security team do from the discovery of a vulnerability to it being deployed. We will also look at the interaction between the Xen Project and these downstreams in the context of our security policy.
This talk will give you a glimpse into a quite extensive machinery which kicks into gear across different organisations when security vulnerabilities are discovered and fixed behind the scenes.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" (Aaron Rinehart)
This session will cover the foundations of DevSecOps and the application of Chaos Engineering to Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allow teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know, Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, security-focused Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes.
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds... (DevOpsDays Tel Aviv)
Fifteen years ago, we'd barely started to use S3, and ten years ago DevOps was the new thing. Today, we can add a new tool, technology, or trick every week, and more and more work is shifted into the application developer's workflow. If security, resiliency, and incident response become part of product teams, where will we be ten years from now, and what should we do today to get ready?
DOES15 - Ernest Mueller - DevOps Transformations At National Instruments and... (Gene Kim)
Ernest Mueller, Lean Systems Manager, AlienVault
DevOps Transformations At National Instruments and Bazaarvoice (And Infosec!)
In this presentation, I’ll share the thrills and chills of the real-world successes and setbacks in culture and collaboration, speeding up software releases, embedding DevOps engineers into product teams, implementing agile processes with operations teams, integrating testing and information security into daily work, automation and its pitfalls, metrics and their weaponization, and more. I’ll also discuss how we integrated security objectives into all these initiatives.
Git into the Flow, with the Ultimate Continuous Delivery Workflow on Heroku (Salesforce Developers)
Any suspicion that Linus Torvalds was a Linux one-hit-wonder was dispelled when he released the Git distributed versioning system. Git is a popular source code management tool, and sophisticated software delivery flows are now built around its powerful branching model. Join us to learn how to leverage Git and GitHub for maximum delivery velocity, and for an introduction to how Heroku GitHub Integration, Review Apps, and Pipelines let you deliver software with ease and confidence.
This is a 90 min talk with some exercises and discussion that I gave at the DHS Agile Expo. It places DevOps as a series of feedback loops and emphasizes agile engineering practices being at the core.
The DevOps Panel - Innotech Austin CD Summit (Ernest Mueller)
The Agile Admins - Ernest Mueller, James Wickett, Karthik Gaekwad, and Peco Karayanev - share some thoughts and answer panel questions on the state of DevOps at the CD Summit happening at Innotech Austin 2016.
Similar to DevOps Days Columbus - Derek Weeks - 2019 (20)
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
30+ Nexus Integrations to Accelerate DevOps (Sonatype)
No single tool can deliver on the promise of DevOps. Instead it’s a collection of tools, easily integrated, tightly managed, and effectively automated. Learn how Nexus integrates with more DevOps tools you use everyday.
Starting and Scaling DevOps In the Enterprise (Sonatype)
Gary Gruver, Gruver Consulting
In my role, I get to meet lots of different companies, and I realized quickly that DevOps means different things to different people. They all want to do “DevOps” because of all the benefits they are hearing about, but they are not sure exactly what DevOps is, where to start, or how to drive improvements over time. They are hearing a lot of different great ideas about DevOps, but they struggle to get everyone to agree on a common definition and what changes they should make. It is like five blind men describing an elephant. In large organizations, this lack of alignment on DevOps improvements impedes progress and leads to a lack of focus.
This session is intended to help structure and align those improvements by providing a framework that large organizations and their executives can use to understand the DevOps principles in the context of their current development processes and to gain alignment across the organization for successful implem
The Unrealized Role of Monitoring & Alerting w/ Jason Hand (Sonatype)
In today’s world, a company must be a “Learning Organization” in order to be successful and innovative. Learning from both failure and success, in order to implement small incremental improvements is critical. But until you implement and apply new information, you haven’t truly “learned” anything and you certainly haven’t improved.
According to the 2015 Monitoring Survey, most companies leverage metrics from monitoring and logging purely for performance analytics and trending. If high availability and reliability are important, they also leverage metrics to alert on fault and anomaly detection. Despite these “best practices”, the metrics are primarily only used as context to keep things “running” or return them back to “normal” if there’s a problem. Rarely is that data used as a method to identify areas of improvement once services have been restored. When an outage occurs to your system, you will absolutely repair and restore services as best you know how, but are you paying attention to the data from the recovery efforts? What were operators seeing during diagnosis and remediation? What were their actions? What was going on with everyone, including conversations? A step-by-step replay of exactly what took place during that outage.
This “old-view” perspective on the purpose of monitoring, logging, and alerting leaves the full value of metrics unrealized. It fails to address what’s important to the overall business objective and it lacks any hope of seeking out innovation or disruption of the status quo.
This talk will illustrate how to identify if your company is making the best use of metrics and ways to not only learn from failure, but to become a “Learning Company”.
A Small Association's Journey to DevOps w/ Edward Ruiz (Sonatype)
Small and medium-size businesses are under the same pressure to innovate-at-speed as large corporations. They face these challenges with shoestring IT budgets and limited staff who are stretched thin and forced to wear multiple hats. These limits are particularly acute in the world of nonprofit associations. But with the right vision and culture, even small teams can successfully implement a DevOps philosophy and bust the barriers to high-speed IT innovation.
In this presentation, I will recount our small membership association’s transformative journey to DevOps and share the lessons we learned along the way. I will offer first-hand experiences and practical ideas on how to cultivate a collaborative team culture to realize faster deployment cycles while improving build quality and delighting customers with great software.
What's My Security Policy Doing to My Help Desk w/ Chris Swan (Sonatype)
Operational data mining gives us a rich source of data for the third devops way - continual learning by experimentation. It also shows us just how damaging those 90 day password resets can be. This talk will look at what can go wrong, and the renewed fight to fix the problem at the root.
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors (Sonatype)
Lee Calcote, Solar Winds
Running a few containers? No problem. Running hundreds or thousands? Enter the container orchestrator. Let’s take a look at the characteristics of the four most popular container orchestrators and what makes them alike, yet unique.
Swarm
Nomad
Kubernetes
Mesos+Marathon
We’ll take a structured look at these container orchestrators, contrasting them across these categories:
Genesis & Purpose
Support & Momentum
Host & Service Discovery
Scheduling
Modularity & Extensibility
Updates & Maintenance
Health Monitoring
Networking & Load-Balancing
High Availability & Scale
Static Analysis For Security and DevOps Happiness w/ Justin Collins (Sonatype)
Justin Collins, Brakeman Security
It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews.
This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.
Automated Infrastructure Security: Monitoring using FOSS (Sonatype)
Madhu Akula, Automation Ninja
We can see attacks happening in real time using a dashboard. By collecting logs from various sources we will monitor & analyse. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will use AWS for managing and securing the infrastructure discussed in our talk.
For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and in real time making the right choices can prove to be a nightmare. Even with the solutions already available in the market.
As I have experienced this myself, as part of the Internal DevOps and Incident Response Teams, in several cases, I would want to create a space for interested folks to design, build, customise and deploy their very own FOSS based centralised visual attack monitoring dashboard. This setup would be able to perform real time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talk and demo are relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes is short for letting attendees do hands-on work, the following will be required:
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
There is No Server: Immutable Infrastructure and Serverless Architecture (Sonatype)
Erlend Oftedal, Blank
Immutable infrastructure and serverless architectures have very interesting security properties. This talk will give an introduction to immutable infrastructure and serverless architecture and try to highlight some of the properties of such architectures. Next we will look at the positive effects this can have on the security of our systems, but also highlight some of the negative aspects and potential problems.
At the conclusion of this session, we hope to have shed some light on the positive and negative security effects of such architectures.
Getting out of the Job Jungle with Jenkins (Sonatype)
Damien Corabouef, Multipharma, Clear2Pay
Implementing a CI/CD solution based on Jenkins has become very easy. Dealing with multiple feature, staging and release branches? Not so much. Having to handle that for multiple teams and multiple projects becomes a real challenge. This presentation shows a solution to scale to several thousands of jobs, used by dozens of different development and test teams, 24 hours a day, 7 days a week, on a worldwide schedule.
I will talk about the challenges that we’ve met, and how we’ve put in place a scalable and on-demand solution, secure and simple to use.
This is a real-life, real-scale story of making CI/CD a day-to-day reality by allowing development and test teams to consider automation as a simple and customisable service.
Nathen Harvey, Chef
Automation at scale is the foundation of every successful high velocity organization.
Automation requires dynamic infrastructure that is managed as code. Modern infrastructure code means bringing the lessons from software development to your infrastructure. Automation is managed in version control systems, tests drive code development, code moves through a continuous pipeline from the workstation to the production environment. What will this look like in five years? We will see a continued improvement in the way teams work together toward common goals, build more operable applications, and embrace complexity while improving ease-of-use.
Continuous Everyone: Engaging People Across the Continuous Pipeline (Sonatype)
Jayne Groll, DevOps Institute
Culture is undoubtedly one of the most critical aspects of any DevOps initiative. While much emphasis is placed on the automation of the deployment pipeline, there is also a need for a “Continuous People Pipeline”. Continuous People Pipelines help individuals and teams recognize their contribution to the value stream, provide realistic approaches and milestones for ongoing communication and collaboration and can be the basis for shared accountabilities and meaningful metrics. Most importantly, people pipelines help increase trust, flow, feedback and connection across IT silos.
This session will provide insight on the value, creation and support of Continuous People Pipelines. It will help attendees understand some of the human dynamics of change that must be considered – cultural debt, adoption models, acceptance curves, collaboration, immersion and conflict management. At the end of this session, leaders will take away some innovative strategic and tactical ideas for overcoming silo constraints and creating a collaborative culture that excites, engages and unifies people towards common business goals.
Michiel Rook, make.io
It's a situation many of us are familiar with: a large legacy, monolithic application, limited or no tests, slow & manual release process, low velocity, no confidence... A lot of refactoring is required, but management keeps pushing for new features.
How to proceed? Using examples and lessons learned from a real-world case, I'll show you how to replace a legacy application with a modern service-oriented architecture and build a continuous integration and deployment pipeline to deliver value from the first sprint. On the way, we’ll take a look at the process, automated testing, monitoring, master/trunk based development and various (possibly controversial!) tips and best practices.
Docker Inside/Out: The 'Real' Real-World World of Stacking Containers in pro... (Sonatype)
Daniël van Gils, Cloud 66
So you’ve already containerized the shit out of your code, broken down monoliths, microserviced the hell out of your app and have run some awesome workloads in your local, dev and test environments. It’s all looking good, but now what?
Running Docker commands is one thing, but maintaining containers in production is a whole other ballgame. So during this talk I’ll show you the REAL wild world of Docker in production. With the added benefit of talking to and observing how over 900 of our customers have been using Docker in production, I’ll be presenting some of these data points and sharing our observations on how to get it right.
My aim? I want to turn the conversation on its head and dispel some of the ‘silver bullet’ assumptions flying around by taking an inside-out approach to building with Docker. The idea is to provide you with a framework for how to get your code into containers, streamline the Docker build flow and avoid common pitfalls when moving from dev to live environments.
Because remember, Docker will NOT, and I repeat, will not solve your bad dev and ops behaviours. So don’t end up with a ‘hot mess’ (more on that later), and attend my talk to get container smart.
I, For One, Welcome Our New Robot Overlords (Sonatype)
Mykel Alvis, Coviti Labs
Infrastructure-as-code is how we build deployments now. If your infrastructure cannot be automated using code, then you might want to reconsider your life choices. However, even if it can be described as code, the process by which that infra-code is delivered is often of low quality. Having your infrastructure describable with poorly managed source code is only a slight step up from not managing it at all.
Poor testing and bad release-management practices make many of the efforts of automation hard to replicate. The resulting codebases are often a mass of poorly organized scripting and binaries committed to source control, much of which has never been validated except by a set of Mk I eyeballs.
Cotiviti has taken what turns out to be a radical approach to this problem, although in retrospect it should not have been so radical. Our approach uses artifact repositories, formal release mechanisms, and enforced testing gatekeepers to ensure the quality of the generated result. Because the approach is well-regimented, it is trivially easy to automate. Because the automation applies tests automatically, it tends to produce very high-quality artifacts. Because the output was delivered through a formal release process, it is repeatable. Because everything in that artifact is code, it is reviewable and auditable. And when any of these are untrue, we have a solid path toward remediating that problem.
I have done bespoke deliveries by hand in the past. I’m never going back to my not-having-automation-ways again.
Developing Distributed High-performance Computing Capabilities of an Open Sci... (Globus)
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Advanced Flow Concepts Every Developer Should Know (Peter Caitens)
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Prosigns: Transforming Business with Tailored Technology Solutions (Prosigns)
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
How to Position Your Globus Data Portal for Success: Ten Good Practices (Globus)
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ... (Juraj Vysvader)
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Top Nidhi software solution free download (vrstrong314)
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Your Digital Assistant.
Making complex approach simple. Straightforward process saves time. No more waiting to connect with people that matter to you. Safety first is not a cliché - Securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industry, including factories, societies, government institutes, and warehouses. A new age contactless way of logging information of visitors, employees, packages, and vehicles. VizMan is a digital logbook, so it deters unnecessary use of paper or space since there is no requirement for bundles of registers that are left to collect dust in a corner of a room. It records visitors’ essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of the employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user friendly database manager that records, filters, tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
Globus Compute with IRI Workflows - GlobusWorld 2024 (Globus)
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speed up the time to solution for many different parts of the DIII-D workflow, including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks, and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Large Language Models and the End of Programming (Matt Welsh)
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
SOCRadar Research Team: Latest Activities of IntelBroker (SOCRadar)
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntelBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review process.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam (takuyayamamoto1800)
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Strategies for Successful Data Migration Tools.pptx (varshanayak241)
Data migration is a complex but essential task for organizations aiming to modernize their IT infrastructure and leverage new technologies. By understanding common challenges and implementing these strategies, businesses can achieve a successful migration with minimal disruption. Data Migration Tool like Ask On Data play a pivotal role in this journey, offering features that streamline the process, ensure data integrity, and maintain security. With the right approach and tools, organizations can turn the challenge of data migration into an opportunity for growth and innovation.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv... (Shahin Sheidaei)
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... (Globus)
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
A Comprehensive Look at Generative AI in Retail App Testing.pdf (kalichargn70th171)
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
1. Derek E. Weeks
VP and DevOps Advocate, Sonatype
Co-founder, All Day DevOps
@weekstweets
Exemplars, Laggards, and Hoarders
A Data-Driven Look at Open Source Software Supply Chains
2. “…once it ceases to sacrifice quality for speed”
Credit: Neil Beyersdorf
12. Two Different Worlds
Enterprise | Open Source
Multiple deploys per day | Versioned releases
Consistent development team | Fluid group of developers
Predictable, well-resourced | Variable resource availability
@weekstweets
13. With Similar Metrics
Enterprise | Open Source
Deployment Frequency | Release Frequency
Organizational Performance | Popularity
Mean Time to Restore | Time to Remediate Vulnerabilities
@weekstweets
16. Attribute | Measure
Popularity | Avg. daily Central Repository downloads
Size of Team | Avg. unique monthly contributors
Development Speed | Avg. commits per month
Release Speed | Avg. period between releases
Presence of CI | Presence of popular cloud CI systems
Foundation Support | Associated with an open source foundation
Security | More complicated
Update Speed | More complicated
@weekstweets
19. Projects that release frequently:
are 5x more popular.
attract 79% more developers.
have 12% greater foundation support rates.
@weekstweets
20. With Similar Metrics
Enterprise | Open Source
Deployment Frequency | Release Frequency
Organizational Performance | Popularity
Mean Time to Restore | Time to Remediate Vulnerabilities
@weekstweets
34. Hypothesis 2
Projects that update dependencies more frequently
are generally more secure.
(VALIDATED)
@weekstweets
35. Most projects stay secure by staying up to date.
55% have MTTR and MTTU within 20% of each other.
Only 15% maintain better than average MTTR.
@weekstweets
37. Hypothesis 3
Projects with fewer dependencies will stay more up to date.
(REJECTED)
Components with more dependencies actually have better MTTU.
@weekstweets
38. More dependencies
correlate with larger
development teams.
@weekstweets
Larger development
teams have 50% faster
MTTU and release 2.6x
more frequently.
42. @weekstweets
Hypothesis 4
More popular projects will be better about staying up to date.
(REJECTED)
There are plenty of popular components with poor MTTU.
Popularity does not correlate with MTTU.
43. 5 Behavioral Clusters
@weekstweets
Small Exemplar (606): Small development teams (1.6 devs), exemplary MTTU.
Large Exemplar (595): Large development teams (8.9 devs), exemplary MTTU, very likely to be foundation supported, 11x more popular.
Laggards (521): Poor MTTU, high stale dependency count, more likely to be commercially supported.
Features First (280): Frequent releases, but poor TTU. Still reasonably popular.
Cautious (429): Good TTU, but seldom completely up to date.
Rest of the population: 8,142
47. Enterprise Devs Manage Dependencies (n = 658)
We schedule updating dependencies as part of our daily work
We strive to use the latest version (or latest-N) of all our dependencies
We use some process to add a new dependency (e.g., evaluate, approve, standardize, etc.)
We have a process to proactively remove problematic or unused dependencies
We have automated tools to track, manage, and/or ensure policy compliance of our dependencies
46% YES
50% YES
30% YES
37% YES
38% YES
@weekstweets
48. When Devs climb the mountain every day, it’s easier.
@weekstweets
“An organization’s journey to excellence begins once it ceases to sacrifice quality for speed.” - Neil Beyersdorf. Infographic published by Neil Beyersdorf, linkedin.com/in/neilbeyersdorf
FASTER IS BETTER
46 times more frequent code deployments
More profitable, with higher market share
They have 7 times lower change failure rates
They are 2,604x faster in their time to recover
High performing DevOps teams are 1.75x more likely to extensively use open source software
====
* Nicole Forsgren PhD, Jez Humble, Gene Kim. Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations. IT Revolution Press, March, 2018.
It was this extensive use of open source in high performing DevOps teams
that led to an intersection of the research that I had been leading for five years in the SSC report
and the research that Dr. Steven Magill, Gene Kim, Bruce Mayhew, Gazi Mahmud, and I embarked upon a year ago.
You see, Gene Kim shared the Three Ways of DevOps inside The Phoenix Project,
with the first way being
“Emphasize performance of the entire system and never pass a defect downstream.”
146 billion download requests for Java
11 billion package downloads for JavaScript
On average, developers had access to more than 21,448 new open source component releases every day, since the beginning of 2018.
You have over 2700 suppliers of external code.
How do you pick the best suppliers for your code? How does Toyota pick the best suppliers for its code?
Since we are here at the DevOps Enterprise Summit, I want to start with the core DevOps mantra: “faster is better.”
So there is a convention we've heard a lot about, both anecdotally and in some great research by Nicole Forsgren, Jez Humble, and Gene Kim, supporting the concept that
“improved deployment time and frequent deployments lead to a number of positive outcomes, including in the dimensions of profitability, market share, quality, and so forth.”
We're all familiar with that from the enterprise side, but one question that we wanted to ask is: “does this trend hold in open source software?”
And there's no reason necessarily to think that it would; these are two very different worlds,
the enterprise and open source. On the enterprise side we can achieve multiple deploys per day; on the open source side,
for better or worse, we're stuck in this world of versioned releases, using things like semantic versioning.
On the enterprise side we have consistent development teams, whereas within open source it's a much more fluid group of developers.
On the enterprise side we have well-resourced development, or, if you're snickering at that, at least predictably resourced development teams; on the open source side it's much less predictable, much more variable.
I want to talk a little bit about the dataset. First of all, we focused on Java projects published to Maven Central; there are about 260,000 of those, and then we applied a number of filters to get down to a corpus of components that we felt we could analyze well.
Those filters were: first of all, we looked at the last five years, because development trends, culture, tools, and technology have changed over time, and we wanted to find things that hold today. Within the last five years we also threw out components that we didn't have enough data about to really draw conclusions from. For example, we wanted to measure release frequency, the average time between new releases; if a component has only put one release out there and there's never been a follow-up release, we can't even measure that. Likewise, some components don't use any open source libraries and aren't used by any other projects, so they're sort of isolated off all by themselves. When we apply all of these we get down to a corpus of 36,000 components, and our research is on those components.
We looked at a number of different attributes: things like popularity, the size of the development team, development speed, release speed, and so forth. For many of these we have data across the entire 36,000.
So, for example, popularity we define as the average daily Maven Central downloads, and we have that data for every component. Other things, like size of development team, we get from GitHub data associated with the project, so we only have that for the projects that are on GitHub, and there are about ten thousand of those.
I think most of these attributes are self-explanatory,
but there are a couple at the bottom that warrant a little bit more discussion: security and update speed are a little bit more complicated because of the complexity of open source supply chains.
So now we can look at a couple of these attributes and ask whether this faster-is-better relationship holds in open source, and look at release frequency vs. popularity.
This is one of the hypotheses that we entered this project with: let's see if we can find data to validate the hypothesis that projects that release frequently have better outcomes. And in fact we find support for this: if you look at the top 20% by release frequency, that group is 5 times more popular than the rest of the population, attracts on average 79% more developers to contribute to the project, and has 12% greater rates of foundation support.
You should view these as descriptive statistics about the population, where we can see the correlation and not the causation.
Let’s go back to 1945
when W. Edwards Deming started advising Japanese manufacturers to
detect and fix defects at the beginning of the manufacturing process.
He advised them to:
Source materials from the best suppliers
Source only the best parts from those top suppliers
Companies like Mitsubishi and Toyota Motor Co. applied Deming’s TQM practices and rose to global dominance.
In 1981, Ford adopted these principles and within 6 years became the most profitable US auto manufacturer.
Now tied into high-performance production processes, six-sigma manufacturing today aims for a defect rate of 3.4 parts per million.
Today, software is at 1 in 10
How can we pick the best suppliers?
----
Among the key disciplines he preached:
Source materials from the best suppliers
Source only the best parts from those top suppliers
Trace and track the location of parts from start to finish, throughout the supply chain manufacturing process
Provide a Bill of Materials after a vehicle is released to conduct an orderly recall in the event of a faulty part
“Cease dependence on mass inspection.”
Emphasize performance of the entire system and never pass a defect downstream
Inspection does not improve quality. Nor guarantee quality. Inspection is too late.
Harold F. Dodge: “You cannot inspect quality into a product”
Automatic inspection and recording require constant vigil.
What were we looking to measure across these 36,000 projects?
Here is a visualization of three components, A, B, and C, and the dependency relationships between them;
time is marching along from left to right.
======
How are those defined? Here we have an example. The way to view this chart is:
version 2.2 of B comes out, then version 2.2 of A, then version 2.3 of A, and so on.
Left to right, the lines show dependency relationships.
So, for example, version 2.2 of C depends on version 2.2 of B, and then we also have a vulnerability disclosure represented here.
There's a point in time at which a vulnerability is reported against component B, and then B releases version 2.3 to mitigate that. There's a period of time where B is vulnerable, and because C includes B as a dependency there's a period of time where C is vulnerable, and we can measure each of these times.
But if you think about it from C's point of view, the important time frame to think about is how long it takes them to respond to the release of the patched version of B; that is really the first opportunity C has to mitigate this downstream security risk that was imported via its software supply chain. That is the security-relevant metric that we measure, and we call it time to remediate, TTR.
We also just measure update time in general: a new release of B comes out, and C takes some time to incorporate that new release of B; that's the update time for B. There is an update time for A as well, even though there's no security vulnerability against it.
Every new release has some associated time to update.
The other thing we looked at is this notion of stale dependencies. We often see a project release, and maybe some of its dependencies will be updated to the latest version, but others will be behind.
You see that happening here with C, where A version 2.3 has been released at the point where C version 2.2 comes out, but C is not using that; they're not using the latest version of A. So time to update and stale dependencies are just general update hygiene metrics.
In this visualization, we wanted to understand and measure
A vuln is found in B 2.2
B 2.3 updates it
We also wanted to understand how fast C would update all dependencies, including A
I want to focus on the security-relevant part for just a bit, because of what Derek was saying about the prevalence of vulnerabilities in the supply chain and how that trickles down to users of those open source projects.
If we look at the time it takes these projects to apply security-relevant patches, the median time is about six months, which is already not great, and it gets even worse if you look over to the right, at the 95th percentile: we see that 5% of projects take three and a half years or more
to apply a security-relevant patch. And these are not projects that just never apply it; they did eventually apply it, it just took them three and a half years to get there.
Do these projects stay up to date in general? (The projects with strong MTTR)
There are many more updates to perform in general than vulnerabilities to correct.
Most projects stay secure by staying up-to-date.
55% have MTTR and MTTU within 20% of each other.
Only 15% maintain better than average MTTR with worse than average MTTU.
Actually, we do see a correlation between update behavior in general and update behavior for security-relevant updates: how quickly projects apply dependency updates versus how quickly they apply security-relevant updates. We see a reasonable correlation here; there's a 0.6 correlation coefficient between the two. You certainly see projects that fall on one side or the other, that are a bit better about security, or that for whatever reason end up performing better on security.
But if you dig into the data a little bit more, we see that 55% of projects have an MTTR and an MTTU that are within 20% of each other, so they're sort of close to this line. And if you look for projects that manage to stay up to date from a security perspective while not updating their dependencies in general, so they do very well at remediating vulnerabilities but don't keep the rest of their dependencies up to date,
it's a small population: only 15% of projects end up exhibiting that odd behavior. So staying secure by staying up to date is the common behavior; they just stay up to date in general and, as a consequence, stay secure. That was the second hypothesis that we entered into this research with, and
Only 15% maintain better than average MTTR with worse than average MTTU.
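As an added, runnable illustration of the metrics defined around the A/B/C figure and of the MTTR-versus-MTTU comparison above (this is not code from the talk, from Sonatype, or from the Maven Central study), the following Python models that timeline with constructed releases, dependency pins and one constructed vulnerability disclosure, then computes the time to update for each dependency release, the time to remediate measured from the fixed release of B, the stale-dependency count per release, the exposure window for B itself and for C as a consumer, and the "MTTR within 20% of MTTU" check. All component names, versions and dates are invented, and the adoption convention (the first consumer release pinning the fixed version or newer counts as the update) is my assumption, not a rule stated in the talk.

```python
"""Added example (not code from the talk or from Sonatype): time to update (TTU), time to
remediate (TTR), stale dependencies and exposure windows for the A/B/C figure's timeline."""
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Release:
    component: str
    version: str
    released: date
    deps: dict  # {dependency component: version this release pins}


def vtuple(v):  # "2.3" -> (2, 3); enough for the constructed versions, not full SemVer
    return tuple(int(p) for p in v.split("."))


# Constructed timeline following the figure: B 2.2 ships, then A 2.2, then A 2.3, then
# C 2.2 still on A 2.2 (A is stale); a vuln is disclosed against B 2.2, B 2.3 mitigates
# it, and C only picks B 2.3 up in C 2.3. All dates are invented for the illustration.
RELEASES = [
    Release("A", "2.1", date(2017, 12, 1), {}),
    Release("B", "2.1", date(2017, 12, 1), {}),
    Release("C", "2.1", date(2017, 12, 15), {"A": "2.1", "B": "2.1"}),
    Release("B", "2.2", date(2018, 1, 10), {}),
    Release("A", "2.2", date(2018, 1, 20), {}),
    Release("A", "2.3", date(2018, 2, 15), {}),
    Release("C", "2.2", date(2018, 3, 1), {"A": "2.2", "B": "2.2"}),
    Release("B", "2.3", date(2018, 4, 15), {}),
    Release("C", "2.3", date(2018, 6, 1), {"A": "2.3", "B": "2.3"}),
    Release("A", "2.4", date(2018, 7, 1), {}),
    Release("C", "2.4", date(2018, 8, 10), {"A": "2.4", "B": "2.3"}),
]
VULNS = [("B", "2.2", "2.3", date(2018, 3, 20))]  # (component, vulnerable, fixed, disclosed)


def releases_of(component, releases=RELEASES):
    return sorted((r for r in releases if r.component == component), key=lambda r: r.released)


def stale_dependencies(rel, releases=RELEASES):
    """Dependencies for which a newer version already existed when `rel` shipped."""
    def newest(dep):
        return max((r.version for r in releases_of(dep, releases)
                    if r.released <= rel.released), key=vtuple)
    return sorted(d for d, pin in rel.deps.items() if vtuple(pin) < vtuple(newest(d)))


def first_adopter(rels, dep, version, not_before):
    """First release in `rels` on/after `not_before` pinning `dep` at `version` or newer."""
    return next((c for c in rels if c.released >= not_before
                 and vtuple(c.deps.get(dep, "0")) >= vtuple(version)), None)


def times_to_update(consumer, dep, releases=RELEASES):
    """TTU in days for each `dep` release after `consumer` first shipped (None = never adopted)."""
    mine, out = releases_of(consumer, releases), []
    for d in releases_of(dep, releases):
        if d.released >= mine[0].released:  # the consumer's initial pin is not an update
            a = first_adopter(mine, dep, d.version, d.released)
            out.append((a.released - d.released).days if a else None)
    return out


def times_to_remediate(consumer, releases=RELEASES, vulns=VULNS):
    """TTR in days: from the fixed dependency release to the first consumer release adopting it."""
    mine, out = releases_of(consumer, releases), {}
    for dep, vuln_v, fix_v, _ in vulns:
        if any(c.deps.get(dep) == vuln_v for c in mine):  # consumer actually shipped the vuln
            fixed = next(r for r in releases_of(dep, releases) if r.version == fix_v)
            a = first_adopter(mine, dep, fix_v, fixed.released)
            out[(dep, vuln_v)] = (a.released - fixed.released).days if a else None
    return out


def exposure_days(component, releases=RELEASES, vulns=VULNS):
    """Days from disclosure to the first non-vulnerable release: the project's own fix for
    the vulnerable component, adoption of that fix for a downstream consumer."""
    mine, out = releases_of(component, releases), {}
    for dep, vuln_v, fix_v, disclosed in vulns:
        if component == dep:
            safe = next((r for r in mine if r.released >= disclosed
                         and vtuple(r.version) >= vtuple(fix_v)), None)
        elif any(c.deps.get(dep) == vuln_v for c in mine):
            safe = first_adopter(mine, dep, fix_v, disclosed)
        else:
            continue
        out[(dep, vuln_v)] = (safe.released - disclosed).days if safe else None
    return out


def project_summary(consumer, releases=RELEASES, vulns=VULNS):
    """MTTU, MTTR, stale-dependency count and the talk's 'MTTR within 20% of MTTU' check."""
    mine = releases_of(consumer, releases)
    deps = sorted({d for r in mine for d in r.deps})
    ttus = [t for d in deps for t in times_to_update(consumer, d, releases) if t is not None]
    ttrs = [t for t in times_to_remediate(consumer, releases, vulns).values() if t is not None]
    mttu, mttr = (mean(ttus) if ttus else None), (mean(ttrs) if ttrs else None)
    close = None not in (mttu, mttr) and abs(mttr - mttu) <= 0.2 * max(mttr, mttu)
    return {"mttu_days": mttu, "mttr_days": mttr, "mttr_within_20pct_of_mttu": close,
            "stale_dependency_count": sum(len(stale_dependencies(r, releases)) for r in mine)}
```

On the sample timeline `project_summary("C")` gives an MTTU of 56.6 days and an MTTR of 47 days, so C lands in the "within 20%" group the talk describes, while its 2.2 release carries one stale dependency (A). Note that TTR is measured from B's fixed release rather than from disclosure, exactly as the speaker defines it; `exposure_days` gives the other view, the window during which B (26 days) and C (73 days) were shipping the vulnerable version after disclosure.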
we found some data to validate that. Another hypothesis that we came in with was that projects with fewer dependencies will stay up to date better, and intuitively this seems to make sense:
if you only have two or three dependencies, it should be pretty easy to keep them up to date with the latest version, certainly easier than if you have 10 or 15.
In fact, we actually found the opposite: components with more dependencies actually had better update hygiene; they would stay more on top of their dependency version updates, to statistically significant levels. The reason this occurs is that components with more dependencies also tend to have larger development teams.
If you look at the large development teams, just having a larger development team is associated with a faster MTTU rate and a faster release frequency. What you can see here is a plot: the number of dependencies is increasing as you go to the right, the size of the development team is increasing as you go up; it's a smoothed plot so you can see the trend line better, but there's a correlation between team size and dependency count.
And again, we don't know which direction it goes: you need more developers to manage all these dependencies, or maybe every developer brings their own favorite dependency and you end up with, like, four unit testing libraries.
We really wanted to look into this one because so many people use popularity as a proxy for security.
Everyone else is using it, so it must be a good project; it must have security; it must be useful.
The fourth hypothesis we investigated was that more popular projects will be better about staying up to date. We really wanted to look into this one because so many people use popularity as a proxy for security, right? Everyone else is using it, so it must be a good project; it must have security; it must be useful.
The data for this: first of all, there are plenty of popular components with poor update hygiene, but there are always those outliers, right? More interestingly, we don't see any sort of correlation between these two attributes, and even if you look at the most popular projects and say, okay, I'm just going to look at the top 10% by popularity, those are not statistically better with respect to update behavior than the general population.
So if you take one thing away from this talk: don't choose your components just based on popularity.
The law states that "given enough eyeballs, all bugs are shallow"; or more formally: "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone."
Linus's Law - Wikipedia
Linus Torvalds
With more eyeballs, all bugs are shallow.
Again, we did not find support in the data for this.
There is no correlation between POPULARITY and STAYING UP-TO-DATE
If you take one thing away from this talk: don’t choose your components based on popularity
====
Most popular projects are not statistically different on average from others with respect to MTTU.
We wanted to just break the dataset up into groups based on this update hygiene and look to see what sort of behaviors and other associated attributes we see with these different populations, and so we identified five different groups of interest:
two with exemplary update behavior, and then three that are not exemplary updaters. What was interesting in the exemplar categories, with exemplary update hygiene, is that they always stay at the cutting edge; they remediate vulnerabilities quickly.
Then you see a sizeable subpopulation there that has small development teams; in the small category the average team size is just 1.6 developers, so these are very small projects but still managing to stay very much up to date.
In the large category you see on average 9-developer teams, exemplary MTTU; they're very likely to be foundation supported, which is interesting, and they're also much more popular than the rest of the population. This is sort of the open source industrial complex, if you're in the open source foundation context.
The laggards are the bottom 20% with respect to update hygiene. Another interesting class is the one that releases frequently: they have the update bandwidth to stay up to date, but they're just not focusing their effort there, right? They're releasing new versions, presumably releasing new features and so forth, but not maintaining their dependencies.
And then there is this Cautious group, which is kind of interesting: they stay generally up to date with their dependencies, but not at the bleeding edge; they tend to adopt updates a little bit later, after maybe they've been vetted by the community.
The sizes of the classes are there in parentheses, and this is just a nice graphical depiction of what I showed you before.
So we have the different populations in different colors; you can see the exemplars over here at the left. This is the plot of popularity vs. update behavior.
So at the left you see projects releasing frequently, and they tend to be more popular; the exemplars in particular are generally more popular and release frequently.
And then another thing to note is what I said before about hypothesis 4: not all popular projects are exemplary, and you can see that through the prevalence, the big spread of red dots across the right, and some very popular projects that have very poor update hygiene.
It was then no mistake in 2010, when Jez Humble and Dave Farley advised people to “Build Quality In” in their seminal book “Continuous Delivery,”
as people heard about and strove to achieve Allspaw’s 10 deploys a day.
For organizations who tamed their supply chains, the rewards were impressive: use of known vulnerable component releases was reduced by 55%.
Imagine quality at insane speed
Imagine secure development
Imagine machines developing their own code
Machines making software: paving and maintaining the road with zero trust open source