Security, Automation and the Software Supply Chain

•

0 likes•270 views

This document discusses software supply chain security and container deployment best practices. It recommends using continuous integration/continuous delivery pipelines to automate building, testing, and deploying container images. The document also advocates for scanning container images for vulnerabilities, digitally signing images, and controlling access to images and runtimes using policies. Canary and blue/green deployments are introduced as strategies to reduce risk when deploying changes.

Software

THE CLOUD
CONNECTIVITY COMPANY
CLOUD CONNECTIVITY
1

THE CLOUD
CONNECTIVITY COMPANY
■ The Software Supply Chain
■ Finding Vulnerabilities
■ Additional Concerns
4

THE CLOUD
CONNECTIVITY COMPANY
1. Make change
2. See change in production
6

THE CLOUD
CONNECTIVITY COMPANY
1. Make change
2. See change in development
environment
3. See change in production
7

THE CLOUD
CONNECTIVITY COMPANY
1. Make change
2. Unit testing
3. See change in development
environment
4. Integration testing
5. See change in production
8

THE CLOUD
CONNECTIVITY COMPANY
1. Make change
2. Push to git
3. Jenkins/CI builds the app
4. Unit testing
5. See change in development
environment
6. Integration testing
7. See change in production
9

THE CLOUD
CONNECTIVITY COMPANY
1. Make change
2. Push to git
3. Jenkins/CI builds the app
4. Push to container registry
5. Unit testing
6. See change in development
environment
7. Integration testing
8. See change in production
10

THE CLOUD
CONNECTIVITY COMPANY
■ Start with small portion of
audience
■ Check results
■ Roll out to the rest of the
audience
Canary deployment
■ Create new environment
■ Shift traﬃc to new
environment
■ Test
■ Shift back or repurpose old
environment
Blue/Green deployment
12

THE CLOUD
CONNECTIVITY COMPANY
■ The whole image every time
■ Catches vulnerabilities even if
library names change
Full image scanning
■ Just changes since the last
scan
Layer analysis and differentiation
15

THE CLOUD
CONNECTIVITY COMPANY
■ Black Duck/Synopsys
■ JFrog/Xray
■ FOSSA
■ Literally hundreds more
Commercial tools
■ Anchore Engine
■ CoreOS/Clair
■ Vuls.io
■ OpenScap
Open source tools
16

THE CLOUD
CONNECTIVITY COMPANY
■ Get the Common
Vulnerabilities and Exposures
(CVE) number
■ Note the layer the CVE is in
■ Possible to override speciﬁc
CVEs
17

THE CLOUD
CONNECTIVITY COMPANY
■ Using base images
■ Using private registries
18

THE CLOUD
CONNECTIVITY COMPANY
■ Public key cryptography
■ Works by tag
20

$THE CLOUD CONNECTIVITY COMPANY docker tag myimage nickchase/imageswecansign:1 docker trust key generate mykey docker trust signer add --key mykey.pub mysignerkeys nickchase/imageswecansign docker trust sign nickchase/imageswecansign:1 Signing an image DOCKER_CONTENT_TRUST=1 docker pull nickchase/imageswecansign:1 { "content-trust": { "mode": "enforced" } } Using a signed image 21$

THE CLOUD
CONNECTIVITY COMPANY
■ Each step adds a new
signature
■ All signatures must be
present
22

THE CLOUD
CONNECTIVITY COMPANY
■ Runs as server
■ Data
■ Query
■ Policy
■ Returns true/false
23

THE CLOUD
CONNECTIVITY COMPANY
{
"joe": [
"read"
],
"anika": [
"read",
"write"
]
}
Data
24

THE CLOUD
CONNECTIVITY COMPANY
{
"input": {
"user": "anika",
"operation": "write"
}
}
Query input
25

$THE CLOUD CONNECTIVITY COMPANY package myapi.policy import data.myapi.acl import input default allow = false allow { access = acl[input.user] access[_] == input.access } Policy whocan[user] { access = acl[user] access[_] == input.access } 26$

THE CLOUD
CONNECTIVITY COMPANY
$ curl -X POST http://localhost:8181/v1/data/myapi/policy/allow
--data-binary '{ "input": { "user": "joe", "access": "write" } }' | jq
{
"result": false
}
27

THE CLOUD
CONNECTIVITY COMPANY
■ Prevent changes to tags
○ Tags send the code down
the pipeline
29

THE CLOUD
CONNECTIVITY COMPANY
■ Dev/staging
■ Production
30

THE CLOUD
CONNECTIVITY COMPANY
■ Make sure it supports cloud
■ Static deﬁnitions don't work
well with dynamic pod
scheduling
■ Accessible when necessary
for audit
31

THE CLOUD
CONNECTIVITY COMPANY
■ Both global and per application
■ Alert if tampered with
■ Audit log of changes
■ Flow logs and evidence reports for audit
32

THE CLOUD
CONNECTIVITY COMPANY
33
Image RegistrySecurity scan
& sign
Traditional
Third Party
Microservices
docker store
DEVELOPERS IT OPERATIONS
Control Plane

THE CLOUD
CONNECTIVITY COMPANY
■ Integrate security scanners for containers
■ Centralize user identity and access control capabilities
■ Isolate containers running microservices from each other and the
network
■ Encrypt data between apps and services
34

Continuous Deployment allows teams to get immediate feedback, debug, iterate, and fail fast, ultimately getting a better product into the hands of users faster. In this talk, Kendra and Celia will talk about the challenges and benefits of continuously deploying their staging environments and how they applied that to their production environment during the development of CockroachCloud. They will discuss their use of: Iterative development including PR structure and feature decomposition Pushing all PR to staging environment Feature Flags to make the customer magic happen

Implementing a Reliable, Auto-Healing Scalable Platform at VMware

OlyaSurits

An API gateway is the most critical piece of enterprise integration for IT. Therefore, we needed to implement a robust API gateway in a reliable, auto-healing scalable platform. This talk will share how we implemented an open source gateway on a Kubernetes platform with multi-datacenter auto failover to achieve this objective. For this implementation, we developed a customized monitoring script to execute the auto failover between the data centers in case of API gateway failures. The result was 99.95 percent uptime. With this architecture in place, we also succeeded in performing chaos engineering using a combination of open source and in-house chaos tools. Key takeaways will include: • How to implement a robust API gateway in a reliable, auto-healing scalable platform • How we achieved 99.95 percent uptime • How to combine open source and in-house tools to successfully perform chaos engineering

Building Bridges Between Applications and Data

OlyaSurits

Simply connecting to a Kubernetes Service or a load balancer is nice -- if that is even an option. These days, operators have to contend with hybrid and multi-cloud. Namespaces are not enough; it's not uncommon to operate numerous K8s clusters in a single region with traffic being dynamically routed across multiple control planes. This session dives into the process of identifying requirements for a Kubernetes gateway that needs to handle both HTTP based services as well as hyper-optimized TCP workloads. Attendees will walk away with a working knowledge and a process to develop out ingress solutions that fit their needs, including: Deploying a local K8s cluster with K3d Installing the DataStax Kubernetes Operator for Apache Cassandra with Helm Provisioning and running a multi-node Cassandra cluster Deploying Kong Gateway with Helm Implementing multiple ingress approaches through Kong Gateway, with an accompanying discussion on the pros and cons of each Validation of each approach through an external client application

The Building Blocks of DX: K8s Evolution from CLI to GitOps

OlyaSurits

Kubernetes has become the default container orchestrator framework, setting the standards for application deployment in a distributed architecture. Wider adaptability of the tool prompted the diversification of the end-user base, and a consistent DX for cluster interaction became essential for Kubernetes. The community channeled herculean efforts towards the enhancement of developer experience, by extending the cluster CLI, building portals and highly-responsive UIs. This talk will focus on the cluster interaction chronicles, showcasing tools and add-ons which contributed to a wider adoption for Kubernetes. An emphasis will be place on kubectl plugins and cluster state managers using mechanisms such as GitOps, ClickOps and even SheetOps.

Full Stack Automation With Go

OlyaSurits

Modern architectures can quickly grow in complexity, which often means introducing new tools to your environment. Building images and provisioning infrastructure and features can all require distinct tooling -- and often even different workflows and programming languages. The dependencies between these can often mean automation failures and difficult rollback scenarios. There are open source tools that allow you to use the same languages and toolset you’re familiar with to build and deploy your applications. In this hands-on session, we’ll show you how to: Provision infrastructure like Storage buckets, managed Kubernetes and Load Balancers using Go Create and deploy applications without leaving the safety of your favorite programming language

Cloud Native Testing, 2020 Edition: A Modern Blueprint for Pre-production Tes...

OlyaSurits

Cloud native applications can benefit greatly from end-to-end testing before deployment, but integration testing of microservices is often discouraged because it's costly and difficult. This talk proposes a modern blueprint for cloud native application testing, focusing on pre-production testing and in particular integration testing. Topics discussed include how to handle common challenges with end-to-end and integration testing, such as: Dealing with state How to speed up tests runs for improved developer feedback loops How to test the configuration of a whole system in the era of Infrastructure-as-Code We will also discuss other types of testing (such as testing in production), and pre-production workarounds often used as an alternative to integration testing (such as contract testing and test doubles), evaluating the pros and cons of each approach, and how they can complement each other.

No Risk, No Reward: The Joys Of Testing In Production.

UXDXConf

Natalia and Fabio will share their story of how the HBC DevOps culture and mindset evolved. Follow their journey from moving to a distributed microservice architecture to enable simple, quick and frequent production roll-outs, through phased deployments to dark and live canary nodes, to a radical 'no staging environment' approach. Hear about the benefits and caveats they've experienced along the way.

APIOps: Automated Processes for Even Better APIs

OlyaSurits

The development of APIs always begins with the old -- and meanwhile boring -- battle of API-first or code-first. However, working with APIs involves a process that includes design, development and operation. With this in mind, along with the various ways API gateways and API platforms can support these processes, the question of how to automate these processes arises very quickly. In this session, Daniel Kocot will show how API gateways and API platforms can positively influence the development process of APIs based on the DevOps concept and CAMS model to deliver better and better APIs to consumers.

Ingress gateways are a quick and easy way to enable external clients to communicate with a service mesh. To demonstrate this, we implemented a powerful ingress gateway with a reliable ingress controller in an auto-healing, scalable platform. In this talk, we will demo several use cases, including service-to-service authorization with mTLS, service segmentation, and connectivity of services running on any platform to the service mesh. The solution we will share is built using HashiCorp Consul Ingress Gateway with Kong Ingress Controller on a Kubernetes platform with Consul Envoy proxy.

Automating the API Product Lifecycle

OlyaSurits

Creating a successful API requires a proper process from concept and design, through development, and into ongoing maintenance and good developer support. There are many steps to a good API. As developer expectations for better-quality APIs increase, tools have made it easier to do this well. Looking at the full API Product Lifecycle to design an API people will use, Jeremy Glassenberg will share the newest tools -- and potentially upcoming opportunities -- to better automate the planning and creation of a solid developer program.

Crossing the Streams! Rollout Strategies to Keep Your Users Happy!

VMware Tanzu

Meetup 23 - 03 - Application Delivery on K8S with GitOps

Vietnam Open Infrastructure User Group

Building successful business Java apps: How to deliver more, code less, and c...

Red Hat Developers

Building business applications is, in a higher-level perspective, a way to translate business needs into runnable software. Unfortunately, this is easier said than done. The complexity of encoding business requirements requires overcoming several challenges, such as improving communication between stakeholders and increasing agility of delivery. In this presentation, we'll learn how developers can "up" their game, deliver more in the cloud with less effort, and even increase communication skills.

The journey to GitOps

Nicola Baldi

GitOps with ArgoCD

CloudOps2005

Connectivity Is the Future

OlyaSurits

As we grow our businesses, we transform our applications to become distributed and decoupled to iterate faster on customer feedback, adapt quicker to market transitions and improve reliability and availability. In this new distributed and decoupled era, we introduce service connectivity at the backbone of our applications at an unprecedented scale, and we need to adopt a new kind of platform to abstract away service connectivity from the application teams so that the business can innovate with minimal fragmentation and maximum speed. We need a service connectivity platform that allows the organization to break down vertical silos like API management and service mesh for a fully integrated connectivity abstraction. In this session, we will explore the market transitions that are defining this new distributed and decoupled era, and we will identify the main foundations for the new service connectivity platform category.

[Konveyor] adding security to dev ops for your kubernetes native applications

Konveyor Community

See how Kubernetes-native security differs from traditional security approaches. We'll talk about how you can find and fix blind spots, critical vulnerabilities, and misconfigurations that are unique to Kubernetes to increase protection. And to get your team to adopt this, you'll also see how to help shorten the learning curve for them. Lastly, you'll see how to minimize operational risk by using scalable enforcement functions, while keeping operations simple. The demo will be on how to use Red Hat Advanced Cluster Security/Stackrox to implement Kubernetes-native security on containers that are running across k8s/OpenShift clusters and implement best practices across use cases like visibility, vulnerability management, and more. Presented by Krishnan Narayana Swamy, Specialist Solution Architect, Red Hat

12 FACTOR APP WITH DOCKER

TREEPTIK

Flux is incubating + the road ahead

LibbySchulze

Automate Workflows With The Open-source Cloud-native Tool Boomerang Flow

Konveyor Community

In the cloud-native workflow automation world, there are many great open-source projects such as Argo, Airflow, and Brigade. These tools require technical expertise to be used by business users, or they are aligned with a specific use case such as CI/CD. Boomerang Flow is an alternative tool that is usable by a business user but also provides an extensible framework developers can use for new use cases. It aims to replace Robotic Process Automation flows, which don’t necessarily need to be full-blown bots. And it doesn’t try to tackle use cases such as screen-scraping legacy green text applications. Instead, it tries to solve the problem where enterprises are using bots to perform tasks such as receiving a service now ticket and automatically moving it to a special status or workflow queue. These types of scenarios can be automated using Boomerang Flow. And the cost of running these workflows in Kubernetes is fractions of the cost of running an RPA bot for licensing. Presenters: Tyson W Lawrie, head of engineering - IBM, Marcus D Roy, Senior Lead Software engineer - IBM, and Benjamin Ruby, Analytics Consultant - IBM Recording link: https://youtu.be/-lOninwMoz4

Migrating a Large Fortune 100 Healthcare Company to Kubernetes in 7 months

Konveyor Community

Watch the presentation: https://youtu.be/E3LeAmH6Ems At the beginning of 2019, Chris Nuland and team were tasked with migrating a large mesosphere DC/OS cluster with hundreds of running containers to Kubernetes for a large fortune 100 healthcare company. One of the key challenges with this migration was the need to finish it within a 7 month timeframe to allow the sunsetting of DC/OS before the cluster’s end of life. In conjunction with this migration, there was also the need to containerize a couple hundred applications and deploy them into the newly built cluster. These tasks were completed in the desired time frame using a variety of migration and onboarding techniques, including the use of a few migration tools, like pathfinder, that would eventually be part of the Konveyor suite of applications. This presentation will go over many of the challenges of that migration, how certain tooling aided in the process, and how the process would look differently now given many of the migration tooling advantages found in the Konveyor suite of applications. Presenter: Christopher Nuland, Architect at Red Hat

How to Modernize Virtualized Workloads

Konveyor Community

Watch the presentation: https://youtu.be/s-0dXfjfPkA The eternal struggle of application development is choosing to pay down technical debt or adding new features. Why not both! This meetup will explore modernization strategies enabled by open-source project KubeVirt that will help you do just that. Legacy applications are usually monolithic and run on one or more virtual machines. Some applications are easier to modernize if they have well established counterparts in the containerized world (EAP, Spring Boot, etc). Large classic .Net applications running on IIS in Windows server are a lot harder to modernize in one shot. KubeVirt allows you to import your existing VM workloads into Kubernetes and modernize your application in stages. With KubeVirt, Virtual Machines are first-class citizens in Kubernetes and have access to all the artifacts that pods do, including being able to access and be accessed using service endpoints. Once you have the VM running in your Kubernetes project, you can start to modernize and extend the functionality of your application. We will import a .Net application running on IIS on a Windows Server VM into KubeVirt. Then we will go through the stages of containerizing each of the logical layers of the application. Note that this strategy can be used with other OS and Middleware combinations. Presenter: Arvin Amirian, Principal Consultant for Container Infrastructure @ Red Hat

Cost Control and Rapid Innovation in Kubernetes with OpenRewrite

Konveyor Community

Presentation recording: https://youtu.be/6wZhwAZWs84 There's no good way currently to make consistent, structural changes to Kubernetes manifests but still ensure YAML correctness and repeatability. OpenRewrite is somewhat unique in this space. OpenRewrite is an OSS project which can be leveraged to make large and significant changes to a Kubernetes cluster in a concise and repeatable way. Integrating Rewrite into workflows is easy, making adoption straightforward. Jon Brisbin, software engineer at OpenRewrite, will give a demonstration of this tool at this meetup. If you want to try the getting started or any of the tutorials: https://github.com/openrewrite

Exploring Kubeflow on Kubernetes for AI/ML | DevNation Tech Talk

Red Hat Developers

The Kubeflow project is dedicated to making deployments of machine learning (ML) workflows on Kubernetes simple, portable, and scalable by leveraging best-of-breed open source projects. These include Jupyter Notebooks, TensorFlow, and Pytorch for Training; Seldon and KFServing for Serving; and Kubeflow Pipelines. These are all wrapped up neatly in an easy-to-use portal so developers and data scientists can easily collaborate and deliver production-ready AI/ML workloads.

Designing a complete ci cd pipeline using argo events, workflow and cd products

Julian Mazzitelli

https://www.youtube.com/watch?v=YmIAatr3Who Presented at Cloud and AI DevFest GDG Montreal on September 27, 2019. Are you looking to get more flexibility out of your CICD platform? Interested how GitOps fits into the mix? Learn how Argo CD, Workflows, and Events can be combined to craft custom CICD flows. All while staying Kubernetes native, enabling you to leverage existing observability tooling.

Automate The Creation/Transformation of Infrastructure as Code Artifacts with...

Konveyor Community

Watch the demo: https://youtu.be/tmGSqK3BahU Konveyor Move2Kube helps automate your migration from various platforms such as cloud foundry, docker swarm, VM based applications, or from your custom framework to Kubernetes. With the latest release of Move2Kube, v0.3.0, it has acquired extensive customization capabilities to help create the target artifacts as per your organization requirements. In this session, the Move2Kube team will demonstrate the migration of a typical application to run on Kubernetes. It will be followed by a demonstration of customization capabilities of Move2Kube, such as customizing the generated Dockerfile, the directory structure, the helm chart and custom artifacts. Website: https://move2kube.konveyor.io/ GitHub repo: https://github.com/konveyor/move2kube/

Deploying Spring Boot apps on Kubernetes

VMware Tanzu

SpringOne Platform 2017 Thomas Risberg, Pivotal In this talk we will give an overview of the challenges involved in deploying a Spring Boot app on Kubernetes. How do you deploy the web app and a database together? How do you configure your app with the database password? We will take a look at what's needed to deploy Spring Cloud Data Flow server on Kubernetes, both for testing and for a real production deployment. We'll also discuss using Helm for app deployments.

WKP Team Workspaces Webinar

Weaveworks

Why we don’t use the Term DevOps: the Journey to a Product Mindset - DevOpsCo...

Henning Jacobs

While the adoption of DevOps makes teams move faster with reduced dependency on central operations, it can constrain teams who lack the skills to self-manage the full application and infrastructure stack. The way to overcome this challenge is creating an internal platform and treating it as a world-class product offering. “Applying product management to internal platforms means establishing empathy with internal consumers (read: developers) and collaborating with them on the design. Platform product managers establish roadmaps and ensure the platform delivers value to the business and enhances the developer experience”, via ThoughtWorks Technology Radar. In this talk, we will walk you through how Zalando adopted a customer-first mindset with regards to its developer tooling. We will show the effect on developer satisfaction when internal platforms are given the same respect as external product offerings. We will tell our story on how we moved from a classical infrastructure team to a product mindset with strong focus on building a world-class developer experience. We will share both our learnings and challenges going through this transition, and the impact it has on the daily life of our customers (developers).

Continuous Delivery in the Enterprise - with IBM UrbanCode

IBM UrbanCode Products

Continuous Delivery seeks to deliver increased Business Agility by releasing smaller releases more frequently. To truly leverage Continuous Delivery, enterprises must consider impacts that span functional silos. Enterprises also struggle to apply continuous delivery principals to applications that touch older, slower moving components. When applications are a composite of numerous services, databases, and other components, managing dependencies can result in slowdown. Join Eric Minick, DevOps Evangelist & Product Management Lead, at IBM. In this presentation, he will discuss: - “Standard” continuous delivery - Challenges larger organizations have with CD - Techniques for applying continuous delivery to the largest applications Learn more about Continuous Delivery, and Deployment Automation today!

What's hot

A Better Way for Applications to Communicate With Your Mesh

OlyaSurits

Automating the API Product Lifecycle

OlyaSurits

Crossing the Streams! Rollout Strategies to Keep Your Users Happy!

VMware Tanzu

Meetup 23 - 03 - Application Delivery on K8S with GitOps

Vietnam Open Infrastructure User Group

Building successful business Java apps: How to deliver more, code less, and c...

Red Hat Developers

The journey to GitOps

Nicola Baldi

GitOps with ArgoCD

CloudOps2005

Connectivity Is the Future

OlyaSurits

[Konveyor] adding security to dev ops for your kubernetes native applications

Konveyor Community

12 FACTOR APP WITH DOCKER

TREEPTIK

Flux is incubating + the road ahead

LibbySchulze

Automate Workflows With The Open-source Cloud-native Tool Boomerang Flow

Konveyor Community

Migrating a Large Fortune 100 Healthcare Company to Kubernetes in 7 months

Konveyor Community

How to Modernize Virtualized Workloads

Konveyor Community

Cost Control and Rapid Innovation in Kubernetes with OpenRewrite

Konveyor Community

Exploring Kubeflow on Kubernetes for AI/ML | DevNation Tech Talk

Red Hat Developers

Designing a complete ci cd pipeline using argo events, workflow and cd products

Julian Mazzitelli

Automate The Creation/Transformation of Infrastructure as Code Artifacts with...

Konveyor Community

Deploying Spring Boot apps on Kubernetes

VMware Tanzu

WKP Team Workspaces Webinar

Weaveworks

What's hot (20)

A Better Way for Applications to Communicate With Your Mesh

Automating the API Product Lifecycle

Crossing the Streams! Rollout Strategies to Keep Your Users Happy!

Meetup 23 - 03 - Application Delivery on K8S with GitOps

Building successful business Java apps: How to deliver more, code less, and c...

The journey to GitOps

GitOps with ArgoCD

Connectivity Is the Future

[Konveyor] adding security to dev ops for your kubernetes native applications

12 FACTOR APP WITH DOCKER

Flux is incubating + the road ahead

Automate Workflows With The Open-source Cloud-native Tool Boomerang Flow

Migrating a Large Fortune 100 Healthcare Company to Kubernetes in 7 months

How to Modernize Virtualized Workloads

Cost Control and Rapid Innovation in Kubernetes with OpenRewrite

Exploring Kubeflow on Kubernetes for AI/ML | DevNation Tech Talk

Designing a complete ci cd pipeline using argo events, workflow and cd products

Automate The Creation/Transformation of Infrastructure as Code Artifacts with...

Deploying Spring Boot apps on Kubernetes

WKP Team Workspaces Webinar

Similar to Security, Automation and the Software Supply Chain

Why we don’t use the Term DevOps: the Journey to a Product Mindset - DevOpsCo...

Henning Jacobs

Continuous Delivery in the Enterprise - with IBM UrbanCode

IBM UrbanCode Products

Agile Bodensee - Testautomation & Continuous Delivery Workshop

Michael Palotas

Improve Code Quality and Time to Market: 100% Cloud-Based Development Workflow

Acquia

Modern web development should be seamless. Unfortunately, assembling, testing, and deploying production level code on time and with confidence is a challenge that many organizations face. Developers and IT leaders, join this webinar to learn how Acquia’s end-to-end web platform will enable you to get your applications to market faster, improve code quality, and reduce security risk. With Acquia’s 100% cloud-based development tools optimized specifically for Drupal, building, testing, and deploying will all take place on our platform and your feet never need to touch the ground. We’ll cover: - How to manage the entire developer lifecycle from our platform - How to enable continuous testing and deployment - Why cloud based IDEs are the future of development - How to get started with a working app on day one - Which tools are available and how to get the most out of them

Dockerizing react app

Malang QA Community

Synthetic Monitoring Deep Dive - AppSphere16

AppDynamics

Learn how to monitor end-to-end workflows from every corner of the world. Hear the basics of AppDynamics Synthetic Monitoring and its integration in the AppDynamics Unified Monitoring Platform. Dive into scripting and how it allows monitoring of complex end-to-end workflows via a set of real-world examples describing best practices and tips to write better scripts and avoid common pitfalls. Key takeaways: o What AppDynamics Synthetic Monitoring can do today, and where the technology is going o See how Synthetic Monitoring complements Real User Monitoring and APM o Overview of the best tools available to help you build scripts quickly and reliably o Tips for handling complex websites, avoiding common pitfalls, and leveraging synthetic monitoring to run WebDriver scripts For more information, go to: www.appdynamics.com

Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps

ZNetLive

Kubernetes Deployments: A "Hands-off" Approach

Rodrigo Reis

Flink Forward San Francisco 2018: Andrew Gao & Jeff Sharpe - "Finding Bad Ac...

Flink Forward

Within fintech catching fraudsters is one of the primary opportunities for us to use streaming applications to apply ML models in real-time. This talk will be a review of our journey to bring fraud decisioning to our tellers at Capital One using Kafka, Flink and AWS Lambda. We will share our learnings and experiences to common problems such as custom windowing, breaking down a monolith app to small queryable state apps, feature engineering with Jython, dealing with back pressure from combining two disparate streams, model/feature validation in a regulatory environment, and running Flink jobs on Kubernetes.

AppSphere 2016 - Automate performance testing with AppDynamics using continuo...

Brad Stoner

As release velocity increases, teams are finding innovative ways to detect and resolve performance issues earlier in the development cycle. This session will explore how to integrate performance testing into a development lifecycle and why the practice is gaining popularity. Learn how to create a balanced test strategy that matches test type, coverage, environment, and defect target. Scale to deliver high-performing applications. Through continuous integration platforms, performance testing tools, and AppDynamics, see how automated performance testing can reduce time-to-market while increasing overall quality. Key takeaways: o How to get started with performance test automation o How to detect and resolve performance issues earlier in the development lifecycle with AppDynamics o How to maximize the quality and value of your performance test strategy Brad Stoner Senior Sales Engineer, AppDynamics Resources: KonaKart - http://www.konakart.com/ Adminer - https://www.adminer.org/ Jenkins - https://jenkins.io/ NeoLoad - http://www.neotys.com/neoload/overview AppDynamics - https://www.appdynamics.com/free-trial/ GitHub - https://github.com/ Docker Hub - https://hub.docker.com/

#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...

Agile Testing Alliance

Docker and Jenkins [as code]

Mark Waite

15-ways-to-optimize-spring-boot-for-the-cloud

Billy Korando

CI/CD with Jenkins and Docker - DevOps Meetup Day Thailand

Troublemaker Khunpech

Gitops Hands On

Brice Fernandes

AzureDay Kyiv 2016 Release Management

Sergii Kryshtop

15 ways-to-optimize-spring-boot-for-the-cloud

PolyglotMeetups

Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023

VMware Tanzu

apidays LIVE New York 2021 - APIOps: automating API operations for speed and ...

apidays

CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...

sparkfabrik

In this talk I’ll explain what is the Software Supply Chain, common threats and mitigations and how they apply to IAC ecosystem too. I’ll show off security threats using Terraform and its ecosystem and finally i’ll talk about OCI images talking about digital signatures and SBOM using Sigstore and Syft. I’ll do a live coding session showing off how to deploy secure OCI images on K8S cluster with security policies built with Kyverno, the session includes also security scanning using the generated SBOM.

Similar to Security, Automation and the Software Supply Chain (20)

Why we don’t use the Term DevOps: the Journey to a Product Mindset - DevOpsCo...

Continuous Delivery in the Enterprise - with IBM UrbanCode

Agile Bodensee - Testautomation & Continuous Delivery Workshop

Improve Code Quality and Time to Market: 100% Cloud-Based Development Workflow

Dockerizing react app

Synthetic Monitoring Deep Dive - AppSphere16

Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps

Kubernetes Deployments: A "Hands-off" Approach

Flink Forward San Francisco 2018: Andrew Gao & Jeff Sharpe - "Finding Bad Ac...

AppSphere 2016 - Automate performance testing with AppDynamics using continuo...

#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...

Docker and Jenkins [as code]

15-ways-to-optimize-spring-boot-for-the-cloud

CI/CD with Jenkins and Docker - DevOps Meetup Day Thailand

Gitops Hands On

AzureDay Kyiv 2016 Release Management

15 ways-to-optimize-spring-boot-for-the-cloud

Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023

apidays LIVE New York 2021 - APIOps: automating API operations for speed and ...

CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...

Recently uploaded

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

2024 RoOUG Security model for the cloud.pptx

Georgi Kodinov

Enhancing Research Orchestration Capabilities at ORNL.pdf

Globus

Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Globus

COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.

Globus Compute Introduction - GlobusWorld 2024

Globus

Globus Compute wth IRI Workflows - GlobusWorld 2024

Globus

As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.

Enterprise Resource Planning System in Telangana

NYGGS Automation Suite

Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics. To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

AMB-Review

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos https://www.amb-review.com/tubetrivia-ai Exclusive Features: AI-Powered Questions, Wide Range of Categories, Adaptive Difficulty, User-Friendly Interface, Multiplayer Mode, Regular Updates. #TubeTriviaAI #QuizVideoMagic #ViralQuizVideos #AIQuizGenerator #EngageExciteExplode #MarketingRevolution #BoostYourTraffic #SocialMediaSuccess #AIContentCreation #UnlimitedTraffic

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better

XfilesPro

Providing Globus Services to Users of JASMIN for Environmental Data Analysis

Globus

JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns

Unlocking Business Potential: Tailored Technology Solutions by Prosigns Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support. Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth. Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices. AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making. Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency. DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration. Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly. Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business. Join us on a journey of innovation and growth. Let's partner for success with Prosigns.

Navigating the Metaverse: A Journey into Virtual Evolution"

Donna Lenk

Accelerate Enterprise Software Engineering with Platformless

WSO2

Key takeaways: Challenges of building platforms and the benefits of platformless. Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience. How Choreo enables the platformless experience. How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo. Demo of an end-to-end app built and deployed on Choreo.

BoxLang: Review our Visionary Licenses of 2024

Ortus Solutions, Corp

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Shahin Sheidaei

Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Natan Silnitsky

In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey. Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience. Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system. Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.

Large Language Models and the End of Programming

Matt Welsh

RISE with SAP and Journey to the Intelligent Enterprise

Srikant77

SOCRadar Research Team: Latest Activities of IntelBroker

SOCRadar

The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month. The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies. However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News. Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Google

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-pilot-review/ AI Pilot Review: Key Features ✅Deploy AI expert bots in Any Niche With Just A Click ✅With one keyword, generate complete funnels, websites, landing pages, and more. ✅More than 85 AI features are included in the AI pilot. ✅No setup or configuration; use your voice (like Siri) to do whatever you want. ✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It… ✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again. ✅ZERO Limits On Features Or Usages ✅Use Our AI-powered Traffic To Get Hundreds Of Customers ✅No Complicated Setup: Get Up And Running In 2 Minutes ✅99.99% Up-Time Guaranteed ✅30 Days Money-Back Guarantee ✅ZERO Upfront Cost See My Other Reviews Article: (1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review

Recently uploaded (20)

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

2024 RoOUG Security model for the cloud.pptx

Enhancing Research Orchestration Capabilities at ORNL.pdf

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Globus Compute Introduction - GlobusWorld 2024

Globus Compute wth IRI Workflows - GlobusWorld 2024

Enterprise Resource Planning System in Telangana

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better

Providing Globus Services to Users of JASMIN for Environmental Data Analysis

Prosigns: Transforming Business with Tailored Technology Solutions

Navigating the Metaverse: A Journey into Virtual Evolution"

Accelerate Enterprise Software Engineering with Platformless

BoxLang: Review our Visionary Licenses of 2024

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Large Language Models and the End of Programming

RISE with SAP and Journey to the Intelligent Enterprise

SOCRadar Research Team: Latest Activities of IntelBroker

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Security, Automation and the Software Supply Chain

1. THE CLOUD CONNECTIVITY COMPANY CLOUD CONNECTIVITY 1

2. THE CLOUD CONNECTIVITY COMPANY 2

3. THE CLOUD CONNECTIVITY COMPANY 3

4. THE CLOUD CONNECTIVITY COMPANY ■ The Software Supply Chain ■ Finding Vulnerabilities ■ Additional Concerns 4

5. THE CLOUD CONNECTIVITY COMPANY 5

6. THE CLOUD CONNECTIVITY COMPANY 1. Make change 2. See change in production 6

7. THE CLOUD CONNECTIVITY COMPANY 1. Make change 2. See change in development environment 3. See change in production 7

8. THE CLOUD CONNECTIVITY COMPANY 1. Make change 2. Unit testing 3. See change in development environment 4. Integration testing 5. See change in production 8

9. THE CLOUD CONNECTIVITY COMPANY 1. Make change 2. Push to git 3. Jenkins/CI builds the app 4. Unit testing 5. See change in development environment 6. Integration testing 7. See change in production 9

10. THE CLOUD CONNECTIVITY COMPANY 1. Make change 2. Push to git 3. Jenkins/CI builds the app 4. Push to container registry 5. Unit testing 6. See change in development environment 7. Integration testing 8. See change in production 10

11. THE CLOUD CONNECTIVITY COMPANY 1. Make change 2. Push to git 3. Jenkins/CI builds the app 4. Push to container registry 5. Unit testing 6. See change in development environment 7. Integration testing 8. Deployed to production 11

12. THE CLOUD CONNECTIVITY COMPANY ■ Start with small portion of audience ■ Check results ■ Roll out to the rest of the audience Canary deployment ■ Create new environment ■ Shift traﬃc to new environment ■ Test ■ Shift back or repurpose old environment Blue/Green deployment 12

13. THE CLOUD CONNECTIVITY COMPANY 13

14. THE CLOUD CONNECTIVITY COMPANY 1. Make change 2. Push to git 3. Jenkins/CI builds the app 4. Push to container registry 5. Unit testing 6. See change in development environment 7. Integration testing 8. Deployed to production 14

15. THE CLOUD CONNECTIVITY COMPANY ■ The whole image every time ■ Catches vulnerabilities even if library names change Full image scanning ■ Just changes since the last scan Layer analysis and differentiation 15

16. THE CLOUD CONNECTIVITY COMPANY ■ Black Duck/Synopsys ■ JFrog/Xray ■ FOSSA ■ Literally hundreds more Commercial tools ■ Anchore Engine ■ CoreOS/Clair ■ Vuls.io ■ OpenScap Open source tools 16

17. THE CLOUD CONNECTIVITY COMPANY ■ Get the Common Vulnerabilities and Exposures (CVE) number ■ Note the layer the CVE is in ■ Possible to override speciﬁc CVEs 17

18. THE CLOUD CONNECTIVITY COMPANY ■ Using base images ■ Using private registries 18

19. THE CLOUD CONNECTIVITY COMPANY 19

20. THE CLOUD CONNECTIVITY COMPANY ■ Public key cryptography ■ Works by tag 20

21. THE CLOUD CONNECTIVITY COMPANY docker tag myimage nickchase/imageswecansign:1 docker trust key generate mykey docker trust signer add --key mykey.pub mysignerkeys nickchase/imageswecansign docker trust sign nickchase/imageswecansign:1 Signing an image DOCKER_CONTENT_TRUST=1 docker pull nickchase/imageswecansign:1 { "content-trust": { "mode": "enforced" } } Using a signed image 21

22. THE CLOUD CONNECTIVITY COMPANY ■ Each step adds a new signature ■ All signatures must be present 22

23. THE CLOUD CONNECTIVITY COMPANY ■ Runs as server ■ Data ■ Query ■ Policy ■ Returns true/false 23

24. THE CLOUD CONNECTIVITY COMPANY { "joe": [ "read" ], "anika": [ "read", "write" ] } Data 24

25. THE CLOUD CONNECTIVITY COMPANY { "input": { "user": "anika", "operation": "write" } } Query input 25

26. THE CLOUD CONNECTIVITY COMPANY package myapi.policy import data.myapi.acl import input default allow = false allow { access = acl[input.user] access[_] == input.access } Policy whocan[user] { access = acl[user] access[_] == input.access } 26

27. THE CLOUD CONNECTIVITY COMPANY $ curl -X POST http://localhost:8181/v1/data/myapi/policy/allow --data-binary '{ "input": { "user": "joe", "access": "write" } }' | jq { "result": false } 27

28. THE CLOUD CONNECTIVITY COMPANY 28

29. THE CLOUD CONNECTIVITY COMPANY ■ Prevent changes to tags ○ Tags send the code down the pipeline 29

30. THE CLOUD CONNECTIVITY COMPANY ■ Dev/staging ■ Production 30

31. THE CLOUD CONNECTIVITY COMPANY ■ Make sure it supports cloud ■ Static deﬁnitions don't work well with dynamic pod scheduling ■ Accessible when necessary for audit 31

32. THE CLOUD CONNECTIVITY COMPANY ■ Both global and per application ■ Alert if tampered with ■ Audit log of changes ■ Flow logs and evidence reports for audit 32

33. THE CLOUD CONNECTIVITY COMPANY 33 Image RegistrySecurity scan & sign Traditional Third Party Microservices docker store DEVELOPERS IT OPERATIONS Control Plane

34. THE CLOUD CONNECTIVITY COMPANY ■ Integrate security scanners for containers ■ Centralize user identity and access control capabilities ■ Isolate containers running microservices from each other and the network ■ Encrypt data between apps and services 34

35. THE CLOUD CONNECTIVITY COMPANY 35

Security, Automation and the Software Supply Chain

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Security, Automation and the Software Supply Chain

Similar to Security, Automation and the Software Supply Chain (20)

Recently uploaded

Recently uploaded (20)

Security, Automation and the Software Supply Chain