This document is a summary of a presentation on getting started with the Go programming language for DevOps. It introduces Go and explains why it became popular for infrastructure tools like Docker and Kubernetes. It covers basic Go concepts like variables, types, errors, and concurrency primitives. It also provides examples of building simple Go applications and contributing to open source Go codebases. The presentation aims to encourage attendees who are new to Go to start using the language and contributing to DevOps tools written in Go.
Writing concurrent program is hard; maintaining concurrent program even is a nightmare. Actually, a pattern which helps us to write good concurrent code is available, that is, using “channels” to communicate.
This talk will share the channel concept with common libraries, like threading and multiprocessing, to make concurrent code elegant.
It's the talk at PyCon TW 2017 [1] and PyCon APAC/MY 2017 [2].
[1]: https://tw.pycon.org/2017
[2]: https://pycon.my/pycon-apac-2017-program-schedule/
It was the talk, titled "Graph-Tool: The Efficient Network Analyzing Tool for Python", at PyCon APAC 2014 [1] and PyCon SG 2014 [2]. It introduces you to Graph-Tool by mass code snippets.
[1] https://tw.pycon.org/2014apac
[2] https://pycon.sg/
It is mainly about the multithreading and the multiprocessing in Python, and *in Python's flavor*.
It's also the share at Taipei.py [1].
[1] http://www.meetup.com/Taipei-py/events/220452029/
It is the slides for COSCUP[1] 2013 Hands-on[2], "Learning Python from Data".
It aims for using examples to show the world of Python. Hope it will help you with learning Python.
[1] COSCUP: http://coscup.org/
[2] COSCUP Hands-on: http://registrano.com/events/coscup-2013-hands-on-mosky
Making JavaScript Libraries More ApproachablePamela Fox
A talk given at NotConf in Phoenix, Texas in 2012.
(Alternative title: Why nested ternary operators make me want to kick inanimate objects in the nuts.)
Package manages and Puppet - PuppetConf 2015ice799
This talk will begin by explaining what a package manager is and how package managers work, at a high level. Next, we'll observe the common patterns seen on the internet of compiling software in a Puppet manifest and discuss why this not ideal. This talk will conclude by showing how you can add package repositories to your infrastructure using Puppet and what settings are important for ensuring secure access to remote package repositories.
Writing concurrent program is hard; maintaining concurrent program even is a nightmare. Actually, a pattern which helps us to write good concurrent code is available, that is, using “channels” to communicate.
This talk will share the channel concept with common libraries, like threading and multiprocessing, to make concurrent code elegant.
It's the talk at PyCon TW 2017 [1] and PyCon APAC/MY 2017 [2].
[1]: https://tw.pycon.org/2017
[2]: https://pycon.my/pycon-apac-2017-program-schedule/
It was the talk, titled "Graph-Tool: The Efficient Network Analyzing Tool for Python", at PyCon APAC 2014 [1] and PyCon SG 2014 [2]. It introduces you to Graph-Tool by mass code snippets.
[1] https://tw.pycon.org/2014apac
[2] https://pycon.sg/
It is mainly about the multithreading and the multiprocessing in Python, and *in Python's flavor*.
It's also the share at Taipei.py [1].
[1] http://www.meetup.com/Taipei-py/events/220452029/
It is the slides for COSCUP[1] 2013 Hands-on[2], "Learning Python from Data".
It aims for using examples to show the world of Python. Hope it will help you with learning Python.
[1] COSCUP: http://coscup.org/
[2] COSCUP Hands-on: http://registrano.com/events/coscup-2013-hands-on-mosky
Making JavaScript Libraries More ApproachablePamela Fox
A talk given at NotConf in Phoenix, Texas in 2012.
(Alternative title: Why nested ternary operators make me want to kick inanimate objects in the nuts.)
Package manages and Puppet - PuppetConf 2015ice799
This talk will begin by explaining what a package manager is and how package managers work, at a high level. Next, we'll observe the common patterns seen on the internet of compiling software in a Puppet manifest and discuss why this not ideal. This talk will conclude by showing how you can add package repositories to your infrastructure using Puppet and what settings are important for ensuring secure access to remote package repositories.
Derrière ce titre putaclic se cache une réalité pour une partie de notre industrie.
Les boucles for/while sont des structures itératives proposant le plus bas niveau d'abstraction. Les langages modernes proposent encore de nos jours ces structures car elles ont leur utilité dans quelques cas exceptionnels.
Ces 10 dernières années, de nouvelles structures d'itérations sont apparues, proposant un plus haut niveau d'abstraction : donc une meilleure productivité, moins de ligne de code, donc moins de bug potentiels (que nous décrirons).
Nous partirons d'exemples de code simple et montrerons leur équivalent via ces nouvelles structures puis observerons les avantages (et inconvénients ?). Les exemples seront en JavaScript mais bien entendu applicable dans d'autres langages (Java, C#, Python, Ruby, C++, Scala, Go, Rust, ...).
Many companies are looking for "DevOps'' in many forms, but what kind of skills or experiences are actually needed? I’ll debunk some of the myths surrounding what recruiters or internet lurkers might tell you and find out if you might actually have an aptitude for Site Reliability or Infrastructure Engineering. If so, what might be good knowledge areas to get started with? And if learning leads to an interview, what might that look like?
How I Learned to Stop Worrying and Love Legacy Code - Ox:Agile 2018Mike Harris
I never wrote it; everybody else did! How many times have you waded through an ageing, decaying, tangled forrest of code and wished it would just die? How many times have you heard someone say that what really needs to happen is a complete rewrite? I have heard this many times, and, have uttered that fatal sentence myself. But shouldn’t we love our legacy code? Doesn’t it represent our investment and the hard work of ourselves and our predecessors? Throwing it away is dangerous, because, before we do, we’ll need to work out exactly what it does, and we’ll need to tweeze out that critical business logic nestled in a deeply entangled knot of IF statements. It could take us years to do, and we’ll have to maintain two systems whilst we do it, inevitably adding new features to them both. Yes we get to reimplement using the latest, coolest programming language, instead of an old behemoth, but how long will our new cool language be around, and who will maintain that code, when it itself inevitably turns to legacy? We can throw our arms in the air, complaining and grumbling about how we didn’t write the code, how we would never have written it the way it is, how those that wrote it were lesser programmers, possibly lesser humans themselves, but the code still remains, staring us in the face and hanging around for longer that we could possibly imagine. We can sort it out, we can improve it, we can make it testable, and we can learn to love our legacy code.
https://www.youtube.com/watch?v=qRP45l5UugE
"Puppet at GitHub / ChatOps" from PuppetConf 2012, by Jesse Newland
Video of "Puppet at GitHub": http://bit.ly/WVS3vQ
Learn more about Puppet: http://bit.ly/QQoAP1
Abstract: Ops at GitHub has a unique challenge - keeping up with the rabid pace of features and products that the GitHub team develops. In this talk, we'll focus on tools and techniques we use to rapidly and confidently ship infrastructure changes/features with Puppet using Puppet-Rspec, CI, Puppet-Lint, branch puppet deploys, and Hubot.
Speaker Bio: Jesse Newland does Ops at GitHub. His favorite hobby is SPOF wack-a-mole, followed closely by guitar and piano. Prior to GitHub, Jesse was the CTO at Rails Machine where he ran a large private cloud and managed several hundred production Ruby on Rails applications using Puppet. To the delight and/or chagrin of the Puppet community, Jesse is to blame for Moonshine, the Ruby DSL for Puppet before Puppet had a Ruby DSL.
With more and more digitized companies and software being a crucial asset to gain competitive advantage, some firms choose to beat competition adopting Open Source to boost innovation. However, this journey requires a clear Software Data Strategy to succeed.
This data-driven approach creates new ways to gather and visualize data to better find meaningful insights among software development activity, performance and community, for future reporting and decision making.
GrimoireLab (https://chaoss.github.io/grimoirelab) produces integrated, open source software for analyzing software and visualizing metrics for measuring community, activity, contributions, performance and project health. Is one of the founding software projects of CHAOSS (Community Health Analytics Open Source Software) project, from The Linux Foundation (https://chaoss.community).
13 practical tips for writing secure golang applicationsKarthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
Head in the Clouds: Testing Infra as Code - Config Management 2020Peter Souter
Infrastructure-as-code has been one of the key concepts within DevOps to allow the benefits of a full development cycle for infrastructure and allow better visibility of the operations process.
However, when we're writing and applying this IaC, we're often interacting with disparate systems, often geographically dispersed and with very different API's and responses. To further complicate things, different teams also have different concerns: Will this break prod? Will this cost too much? Will this comply with our policies?
We'll be discussing the different kinds of testing that organisations are doing, what tools are right for each job, and how to keep the various teams happy. To do that, we'll be giving some examples with most of the popular IaC tools, where policy fits in and even covering where testing blurs the lines with observability.
Consul Connect - EPAM SEC - 22nd september 2018Peter Souter
A service mesh is necessary for organizations adopting microservices and dynamic cloud-native infrastructure. Traditional host-based network security must be replaced with modern service-based security to accommodate the highly dynamic nature of modern runtime environments. In this talk, we will look at Connect a significant new feature in Consul that provides secure service-to-service communication with automatic TLS encryption and identity-based authorization. We will look at the features of Connect, how to enable Connect in an existing Consul cluster and how easy it is to secure service-to-service communication using Connect.
More Related Content
Similar to I don't know what I'm Doing: A newbie guide for Golang for DevOps
Derrière ce titre putaclic se cache une réalité pour une partie de notre industrie.
Les boucles for/while sont des structures itératives proposant le plus bas niveau d'abstraction. Les langages modernes proposent encore de nos jours ces structures car elles ont leur utilité dans quelques cas exceptionnels.
Ces 10 dernières années, de nouvelles structures d'itérations sont apparues, proposant un plus haut niveau d'abstraction : donc une meilleure productivité, moins de ligne de code, donc moins de bug potentiels (que nous décrirons).
Nous partirons d'exemples de code simple et montrerons leur équivalent via ces nouvelles structures puis observerons les avantages (et inconvénients ?). Les exemples seront en JavaScript mais bien entendu applicable dans d'autres langages (Java, C#, Python, Ruby, C++, Scala, Go, Rust, ...).
Many companies are looking for "DevOps'' in many forms, but what kind of skills or experiences are actually needed? I’ll debunk some of the myths surrounding what recruiters or internet lurkers might tell you and find out if you might actually have an aptitude for Site Reliability or Infrastructure Engineering. If so, what might be good knowledge areas to get started with? And if learning leads to an interview, what might that look like?
How I Learned to Stop Worrying and Love Legacy Code - Ox:Agile 2018Mike Harris
I never wrote it; everybody else did! How many times have you waded through an ageing, decaying, tangled forrest of code and wished it would just die? How many times have you heard someone say that what really needs to happen is a complete rewrite? I have heard this many times, and, have uttered that fatal sentence myself. But shouldn’t we love our legacy code? Doesn’t it represent our investment and the hard work of ourselves and our predecessors? Throwing it away is dangerous, because, before we do, we’ll need to work out exactly what it does, and we’ll need to tweeze out that critical business logic nestled in a deeply entangled knot of IF statements. It could take us years to do, and we’ll have to maintain two systems whilst we do it, inevitably adding new features to them both. Yes we get to reimplement using the latest, coolest programming language, instead of an old behemoth, but how long will our new cool language be around, and who will maintain that code, when it itself inevitably turns to legacy? We can throw our arms in the air, complaining and grumbling about how we didn’t write the code, how we would never have written it the way it is, how those that wrote it were lesser programmers, possibly lesser humans themselves, but the code still remains, staring us in the face and hanging around for longer that we could possibly imagine. We can sort it out, we can improve it, we can make it testable, and we can learn to love our legacy code.
https://www.youtube.com/watch?v=qRP45l5UugE
"Puppet at GitHub / ChatOps" from PuppetConf 2012, by Jesse Newland
Video of "Puppet at GitHub": http://bit.ly/WVS3vQ
Learn more about Puppet: http://bit.ly/QQoAP1
Abstract: Ops at GitHub has a unique challenge - keeping up with the rabid pace of features and products that the GitHub team develops. In this talk, we'll focus on tools and techniques we use to rapidly and confidently ship infrastructure changes/features with Puppet using Puppet-Rspec, CI, Puppet-Lint, branch puppet deploys, and Hubot.
Speaker Bio: Jesse Newland does Ops at GitHub. His favorite hobby is SPOF wack-a-mole, followed closely by guitar and piano. Prior to GitHub, Jesse was the CTO at Rails Machine where he ran a large private cloud and managed several hundred production Ruby on Rails applications using Puppet. To the delight and/or chagrin of the Puppet community, Jesse is to blame for Moonshine, the Ruby DSL for Puppet before Puppet had a Ruby DSL.
With more and more digitized companies and software being a crucial asset to gain competitive advantage, some firms choose to beat competition adopting Open Source to boost innovation. However, this journey requires a clear Software Data Strategy to succeed.
This data-driven approach creates new ways to gather and visualize data to better find meaningful insights among software development activity, performance and community, for future reporting and decision making.
GrimoireLab (https://chaoss.github.io/grimoirelab) produces integrated, open source software for analyzing software and visualizing metrics for measuring community, activity, contributions, performance and project health. Is one of the founding software projects of CHAOSS (Community Health Analytics Open Source Software) project, from The Linux Foundation (https://chaoss.community).
13 practical tips for writing secure golang applicationsKarthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
Head in the Clouds: Testing Infra as Code - Config Management 2020Peter Souter
Infrastructure-as-code has been one of the key concepts within DevOps to allow the benefits of a full development cycle for infrastructure and allow better visibility of the operations process.
However, when we're writing and applying this IaC, we're often interacting with disparate systems, often geographically dispersed and with very different API's and responses. To further complicate things, different teams also have different concerns: Will this break prod? Will this cost too much? Will this comply with our policies?
We'll be discussing the different kinds of testing that organisations are doing, what tools are right for each job, and how to keep the various teams happy. To do that, we'll be giving some examples with most of the popular IaC tools, where policy fits in and even covering where testing blurs the lines with observability.
Consul Connect - EPAM SEC - 22nd september 2018Peter Souter
A service mesh is necessary for organizations adopting microservices and dynamic cloud-native infrastructure. Traditional host-based network security must be replaced with modern service-based security to accommodate the highly dynamic nature of modern runtime environments. In this talk, we will look at Connect a significant new feature in Consul that provides secure service-to-service communication with automatic TLS encryption and identity-based authorization. We will look at the features of Connect, how to enable Connect in an existing Consul cluster and how easy it is to secure service-to-service communication using Connect.
Monitoring a Vault and Consul cluster - 24th May 2018Peter Souter
Vault is an open source solution for identity and secrets management. Vault is well suited for both public cloud and private datacenter usage, but a common challenge is securely running Vault and accessing secrets in public cloud. This talk will show how to securely run Vault in the cloud, and be able to access those secrets securely from multiple differing cloud platforms. Additionally, the Vault 0.10 release is right around the corner and includes some major changes to improve the lives of both beginners and advanced users of Vault. We’ll spend some time looking at the latest features in Vault, and use these throughout the talk.
Your most important piece of equipment is yourself so we will talk us through the basics of good ergonomics at our desks and how he has put this into practice throughout his career.
Knee deep in the undef - Tales from refactoring old Puppet codebasesPeter Souter
As Puppet pushes into it’s second decade of reign, there are several organisations out there that have been using Puppet for a long time. Sometimes, even since the beginning!
With the EOL announcement Puppet 3.X release, we’ve had a number of customers approach us to help with their upgrade. Normally the upgrade itself is fairly, it’s the code base that gives the biggest challenge, especially those with over 3 years of organic growth.
So let’s spread the word of common anti-patterns and issues that can come back to bite you
We’ll be talking about how Hiera is both the best and worst thing to happen to Puppet, marvel at how people were happily running 0.2 Puppet in production and what hacky solutions that seemed good at the time will come back to bite you!
By the end of this, you’ll hopefully have learnt how to make sure that your Puppet code is defensively coded to to make sure your Puppet code base is healthy for the next decade!
If you work with or at a Telco, Financial Institution or a Government entity, you probably already know about compliance and the various acronyms and headaches it can bring.
How can we make this less of a painful process?
Well, if you think about it: compliance is a set of rules that someone has given you to enforce and prove that they're being enforced. What is Puppet? A series of rules for systems that need to be enforced. So compliance is the perfect use-case for configuration management.
Puppet is an awesome tool to automate the configuration of your infrastructure, but it's also a potential attack vector. In this talk, we'll discuss some common patterns and changes you can make to harden your Puppet infrastructure, from the basic good practises such as data abstraction in modules, to some advanced customisation you might need in a high-security setup.
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Peter Souter
Configuration management is a great tool for helping with hardening and securing servers. But with any addition of new technology comes a new attack vector: Who watches the watchers?
Security is painful. Luckily the invention of configuration management tools has made this process easier, by allowing repeatable configuration for common hardening. However there comes a catch-22: How do we harden the configuration management itself?
When you have a tool that enables you to change systems at a fundamental level, it's a fairly tempting target for malicious agents, and one that would cause a lot of problems if compromised.
We'll be discussing some general patterns we can use to mitigate these problems: - Whitelisting "master" API's - Encrypting sensitive data - Adding a security element to code review
And we'll talk about some application specific options for some of most popular tools out there, such as Puppet, Chef, Ansible, cfengine and Salt.
Little Puppet Tools To Make Your Life BetterPeter Souter
A short talk I gave at the first Puppet User Group in London about three tools I made to make my Puppet life easier:
* puppet-install-shell
* vagrant-puppet-install
* puppet-doc-lint
It's easy enough to test the correctness of the infracode we write with unit-tests and parsers, but testing it does what it's supposed to do in the enviornment itself is a little more challenging. In this talk, I'm going to talk about some of the tools and approaches to use to test your configuration automation tool of choice.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
2. @petersouter
“Technical Account Manager at HashiCorp
Peter Souter
Based in...
London, UK
This is my 4th CfgMgmentCamp
Been coming since 2014 (missed last year due
to baby!)
Worn a lot of hats in my time...
Developer, Consultant, Pre-Sales, TAM
Interested in...
Making people’s operational life easier and
more secure
DEVOPS ALL THE THINGS
Introductions - Who is this guy?
@petersouter
3. “
A Quick Primer on Golang
“The Go programming language was conceived in late 2007 as an
answer to some of the problems we were seeing developing software
infrastructure at Google.
[…]
Go was designed and developed to make working in [modern
infrastructure] more productive.
Besides its better-known aspects such as built-in concurrency and
garbage collection, Go's design considerations include rigorous
dependency management, the adaptability of software architecture as
systems grow, and robustness across the boundaries between
components.”
https://talks.golang.org/2012/splash.article#TOC_1
@petersouter
4. “
How did Golang get so popular in a DevOps world?
▪ Compiled binary
▪ Platform independent
▪ Static type checking
▪ Extremely fast
▪ Excellent CLI libraries
▪ Everyone else was doing it!
Simon Waldherr [CC BY-SA 4.0], from Wikimedia Commons
@petersouter
7. “
Another quick quote...
"Why Go?" I've talked a lot about this and for HashiCorp in particular
"Everyone else is doing it" wasn't a thing: Docker wasn't out yet,
CoreOS didn't exist, etc.
We chose Go through process of elimination. Also, I've said before that
Go is painfully pragmatic. Is it the safest? Nope. Is it the fastest? Nope.
Is it the biggest ecosystem? Nope. etc. But its damn "good enough"
at just about everything. And that's big!
- Mitchell Hashimoto
@petersouter
9. “
So finally after years of playing around...
“Ok, I should probably try this
stuff out then...”
@petersouter
10. “
Who else here is a “glue developer”?
More of an Ops background than Dev
Rubyist/Pythonista/Perler
Experience is more on scripting
Can PR a “good-ish” fix if needed!
@petersouter
11. “
Where am I at now?
“I know enough to get into
trouble”
@petersouter
13. “
Good things to know...
We don’t have time to go through
all the minutiae of Golang but let's
talk about the things that stuck out
to me the most...
@petersouter
14. “
Comparing two popular languages...
A quick primer of basics for
Golang vs Ruby
With help from
https://medium.com/devnetwork/golang-for-ruby-developers-c0a0ce19e3677
and
https://gobyexample.com/
@petersouter
15. “ // Golang
var a int = 1
// OR
// this dynamically declares
// type for variable a as int.
var a = 1
// this dynamically defines
variable a // and declares its
type as int.
a := 1
Golang vs Ruby: Variables
#Ruby
# since Ruby is
#dynamically typed we
#cant force a type
a = 1
# unless we specify the
creation method
a = Integer(1)
a.class
=> Integer
@petersouter
16. “
Golang vs Ruby: Types re-assignment
#Ruby
a = 1
a = "Hello"
a := 1
a := 2
// fine!
a = "Hello"
// not fine!
: cannot use "hello" (type
string) as type int is
assignment
@petersouter
18. “
Golang vs Ruby: Arrays
#Ruby
array = [1,2,3]
//Go
array := [3]int{1,2,3}
// or if we’re lazy, let the compiler
// count for us!
array := [...]int{1,2,3}
@petersouter
19. “
Slices: Unindexed arrays
package main
import "fmt"
func main() {
s := make([]string, 3)
fmt.Println("empty on creation:", s)
s[0] = "a"
s[1] = "b"
s[2] = "c"
// s[3] = "d" - Wont work: panic: runtime error: index
out of range
fmt.Println("added elements manually to limit of 3:", s)
// check length
fmt.Println("Length before append is:", len(s))
s = append(s, "d")
fmt.Println("Length after append is:", len(s))
fmt.Println("Elements after append:", s)
}
empty on creation: [ ]
added elements manually to limit of 3: [a b c]
Length before append is: 3
Length after append is: 4
Elements after append: [a b c d]
Adapted from
https://gobyexample.com/slices
[CC BY 3.0]
@petersouter
20. “
Slices: Memory Management
package main
import (
"io/ioutil"
"regexp"
"fmt"
)
var digitRegexp = regexp.MustCompile("[0-9]+")
// ruh roh, the returned slice points into an array containing the entire file!
func FindDigits(filename string) []byte {
b, _ := ioutil.ReadFile(filename)
return digitRegexp.Find(b)
}
// instead: copy the interesting data to a new slice before returning it.
// old array gets garbage collected
func CopyDigits(filename string) []byte {
b, _ := ioutil.ReadFile(filename)
b = digitRegexp.Find(b)
c := make([]byte, len(b))
copy(c, b)
return c
}
@petersouter
21. “
Golang vs Ruby: Unused variables
# Ruby
a = [1,2,3]
b = “123”
puts b
# No problem with unused
# variables in Ruby!
sum := 0
a := [3]int{1,2,3}
for index, num := range a {
sum += num
}
// not fine!
: index declared and not used
for _, n := range a {
sum += n
}
// a-ok!
pathFile, _ := os.Stat(path)
// Bad! This code will crash if path does not exist.
if pathFile.IsDir() {
fmt.Printf("%s is a directory!n", path)
}
@petersouter
25. “
Errors: Don’t worry about it...
“After you've been programming in Go a while you'll appreciate that
having to check the error for every function makes you think about
what it actually means if that function goes wrong and how you should
be dealing with it.”
-Nick Craig Wood
@petersouter
27. “
Errors: Giving More Context
type SyntaxError struct {
msg string // description of error
Offset int64 // error after reading Offset bytes
}
func (e *SyntaxError) Error() string {
return e.msg
}
if err := dec.Decode(&val); err != nil {
if serr, ok := err.(*json.SyntaxError); ok {
line, col := findLine(f, serr.Offset)
return fmt.Errorf("%s:%d:%d: %v", f.Name(), line, col, err)
}
return err
}
@petersouter
28. “
Errors: DRY-ing multiple errors
import "fmt"
func validError(errs ...error) error {
for i, _ := range errs {
if errs[i] != nil {
return errs[i]
}
}
return nil
}
func doSomething(x int) (int, error) {
if x == 2 {
return 0, fmt.Errorf("Oh noes: %d", x)
}
return x, nil
}
func handled() error {
x, err1 := doSomething(2)
y, err2 := doSomething(3)
if e := validError(err1, err2); e != nil {
return e
}
fmt.Println(x, y)
return nil
}
Adapted from
https://stackoverflow.com/questi
ons/18771569/avoid-checking-if-
error-is-nil-repetition
@petersouter
29. “
Errors: The Future in Go 2.0 (check/handle)
// old way
func printSum(a, b string) error {
x, err := strconv.Atoi(a)
if err != nil {
return err
}
y, err := strconv.Atoi(b)
if err != nil {
return err
}
fmt.Println("result:", x + y)
return nil
}
// new way
func printSum(a, b string) error {
handle err { return err }
x := check strconv.Atoi(a)
y := check strconv.Atoi(b)
fmt.Println("result:", x + y)
return nil
}
@petersouter
30. “
Best IDE for Go beginners IMHO?
Visual Code Studio
Or
GoLand
@petersouter
33. “
Lastly...packaging
• go mod actually simplifies a lot!
• No longer have to worry about $GOPATH
• go mod init converts from previous
approaches (Glide, Dep, Govendor etc)
• Otherwise, look into dep which was the
previously blessed approach
@petersouter
34. “
We only have 25 mins...
• Testing
• Makefiles
• JSON Marshaling
• Deferring
• Pointers
• Mutexes
• Channels
@petersouter
35. “I wanted to add some missing fields to the GCP
auth backend in the Vault Terraform provider:
• "bound_zones"
• "bound_regions"
• "bound_instance_groups"
• "Bound_labels"
Some help for starting on TF development
https://www.terraform.io/docs/extend/writing-custom-providers.html)
Real life example: Vault Terraform
Provider
@petersouter
38. “
Now how do we actually do a lookup?
https://github.com/terraform-providers/terraform-provider-vault/pull/227/files
if v, ok := d.GetOk("bound_service_accounts"); ok {
data["bound_service_accounts"] = v.(*schema.Set).List()
}
39. “
Now how do we actually do a lookup?
https://github.com/terraform-providers/terraform-provider-vault/pull/227/files
if v, ok := d.GetOk("bound_zones"); ok {
data["bound_zones"] = v.(*schema.Set).List()
}
40. “
Yay! We’re a go Developer now!
https://github.com/terraform-provi
ders/terraform-provider-vault/pull/
227
Merged! 🎉
41. “
But we were on easy mode...
But really we didn’t have to flex our go muscles
too much…
A lot of the existing work guided us…
Lets start from scratch and flex a little!
42. “
Project - A git helper CLI app
I want a simple git cli app to do
some basic cleanup of repos
43. “
List branches that have already
been merged into master, then give
the option to delete the branch
Project - gitsweeper
45. fmt.Printf("There are %d branchesn", len(branchHeads))
for branchName, branchHead := range branchHeads {
fmt.Printf("Branch %s head is: %sn", branchName, branchHead)
}
nonMasterBranchRefs := branchHeads
delete(nonMasterBranchRefs, "master")
masterCommits, err := repo.Log(&git.LogOptions{From: branchHeads["master"]})
err = masterCommits.ForEach(func(commit *object.Commit) error {
for branchName, branchHead := range nonMasterBranchRefs {
if branchHead.String() == commit.Hash.String() {
fmt.Printf("Branch %s head (%s) was found in master, so has been merged!n", branchName, branchHead)
}
}
return nil
})
47. “
Conclusion
▪ Go is a great language for a
devops world, and well worth
learning
▪ It’s not as hard to learn as you
think - If I can do it, anyone can!
▪ Get your hands dirty: try making
a CLI app or submit patches to
your favourite tools
▪ There’s a ton of great resources
out there!
48. “
Great Links
▪ https://gobyexample.com/
▪ https://tour.golang.org/welcome/1
▪ https://www.openmymind.net/The-Little-Go-Book/
▪ http://www.golang-book.com/books/intro
▪ https://www.terraform.io/docs/extend/writing-custom-providers.ht
ml
▪ https://www.hashicorp.com/resources/creating-terraform-provider-f
or-anything