Learn how we established a service providing development teams with a continuous integration, build, test, source code management, and issue tracking environment for building mobile apps for a large Federal Agency. Mobile phones are the world's greatest surveillance tool, containing all our private information that we willingly carry in our pocket everywhere we go. How do we develop and operationalize applications for mobile phones in a safe and secure way? Our system performs iterative tests on apps to provide insights on mobile app security and privacy, in compliance with several Federal Agencies' standard operating procedures for deployments. Learn the history of the service, how it's currently working, and how you can build this service for your organization.
One of the more unique and complicated areas of devops is dealing with database updates, especially those for databases with pre-defined schemas like relational databases. Databases generally:
This talk will cover tools and strategies the speaker has identified in over 15 years of working with automated database migrations for making sure your persistence stores are smoothly integrated into your devops workflow. We will cover:
The cornerstone of bringing together "development" and "operations" is collaboration. Collaboration sounds great on paper, but when the scales tip, you may end up with anarchy, or a dictatorship. How do you balance all of that while still managing to get things done? Enter: improv. Learn from theatre artist Melanie Harker and artist/developer Sean Paul Ellis how taking a more fluid and fun approach to your DevOps work will allow you to build empathy, a common language, and ultimately, an environment for innovation to cultivate.
This is a deeply personal talk where I share my experiences as a woman in tech. Even though I'd worked for NASA and co-founded my own successful company, rampant sexism in IT and bad experiences speaking in public nearly destroyed my career. That continued to have ripples in my life until I found the DevOps community and the safe spaces it creates. I will examine common constructs about diversity and propose ideas to bring productive change to continue to build upon the solid foundation of inclusion we have created.
Interviews and insights from participants of DevOpsDays DC 2017.
The standard approach for web application security over the last decade and beyond has focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development, and their heavyweight nature often causes more problems than it solves in today’s world of agile, DevOps, and CI/CD.
This talk will share practical lessons learned at Etsy on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:
1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
2) Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly
3) Measure maturity of your organization's security efforts in an attack-driven defense model
For the past two years my team and I worked with a large federal agency to deploy & migrate to a new container-as-a-service platform based on Docker. The migration has enabled development teams to isolate components of their code for faster, more reliable development. But, we also saw that the additional tooling - such as monitoring technology - supporting these services doesn’t yet map to the model that developers need to efficiently monitor their own services. In essence, the Develop->Test->Monitor loop is still broken for modern environments. So how do you fix it?
This presentation is based on my real-world experience with container platforms. Based on this work, I’ll address: How do you effectively instrument your systems, without pushing too much burden on to developers? How do you isolate data, dashboards, and alerts in a way that improves security while simplifying analysis? What can you do to give developers deep information when troubleshooting, without giving them the keys to the kingdom? How do you facilitate data-driven conversations among your developers and ops teams?
If you attend this talk, you’ll walk away with tested, practical ideas that will help your teams become more self-sufficient, improve data-driven conversations among your teams, and evolve your monitoring infrastructure to work more effectively with your CaaS platform.
In Greek Mythology, the Gods cursed Sisyphus to spend eternity rolling a large boulder to the top of a mountain, where it would fall back of its own weight. In DevOps, we're forever rolling boulders uphill. We're making deploys faster, cheaper, smoother, and quicker. And once the boulder reaches the mountain top, the engineers rearchitect the application and the process begins again.
At Upside Travel, Slack is our central command hub. We run our full operations through Slack ChatOps. Engineers request code reviews, product managers examine tickets, and the Slack-integrated NOC works Slack-alerted events. We also manage our full continuous integration and deployment process through a custom Slackbot named, aptly, for the DevOps Greek hero, Sisyphus.
Sisyphus's simple promote command hides a complex dance of builds, tests, promotion, deployment and management. Upside combines GitHub, CircleCI, Artifactory, Terraform, Docker, Kubernetes and AWS to deploy code from nothing to something in 3 minutes, and it takes deployment/promotion 100% away from DevOps and Engineering to place the power into the hands of Product Managers.
In 1982, the city of Detroit saw 15,000 vehicles roll off its production lines every day. To achieve this goal, Detroit's line workers were being measured on velocity, often at the expense of quality. At the same time, auto workers in Japan -- applying lessons from W. Edwards Deming -- were implementing new supply chain management practices which enabled them to manufacture higher quality vehicles, for less cost, at higher velocity. As a result, from 1962 to 1982, the Detroit auto industry lost 20% of its domestic market to Japan.
The parallels between the auto industry of 35 years ago and software development practices in place today are remarkable. DevOps teams around the world are consuming billions of open source components and containerized applications to improve productivity at a massive scale. The good news: they are accelerating time to market. The bad news: many of the components and containers they are using are fraught with defects including critical security vulnerabilities.
This session aims to enlighten DevOps teams, security and development professionals by sharing results from the 2017 State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. The presentation will also reveal findings from the 2017 DevSecOps Community survey where over 2,000 professionals shared their experiences blending DevOps and security practices together. Throughout the discussion, I will share lessons that Deming employed decades ago to help us accelerate adoption of the right DevSecOps culture, practices, and measures today.
Attendees in this session will learn:
What our analysis of 60,000 applications reveals about the quality and security of software built with open source components
How organizations like PayPal, Intuit, Fannie Mae and the Department of Defense are utilizing the DevOps principles of software supply chain automation
Why avoiding open source components and containers over 3 years old might be a really good idea
How to balance the need for speed with quality and security -- early in the development lifecycle
Attend this session and leverage the insights to understand how your organization's application DevOpsSec practices compare to others. We'll share the industry benchmarks to take back and discuss with your DevOps, development and security teams.