1. Objective
The term DevSecOps has grown in popularity in recent years. However, webinars on this topic tend to focus only on its benefits or possible use cases, ignoring people's main motivation for attending this kind of event.
It is fairly safe to assume that attendees also want to find out how this works and where to start. Many speakers demonstrate how to perform tests over an extremely simple environment, completely unrelatable to our everyday tasks, and in that case new questions emerge, such as: Does this actually work? How can I apply this to my company?
Based on the above, this talk seeks to answer those questions by sharing the methodologies and work practices, or habits, that allow us to implement a DevSecOps culture in the execution of our projects, from infrastructure management to the development of our orchestration platform for vulnerability remediation.
These habits allow us not only to increase our productivity and generate value for our customers on a daily basis, but also to increase the security of our production deployments. As a result, we have been able to reach the following average rates:
2. Content
This seminar/workshop aims to implement the concepts and techniques covered in Burn the Datacenter. Everything is performed live over real infrastructure and applications, giving the audience a look behind the scenes of the process: the tools used, the logs that allow us to identify issues, and even the source code that defines each step for the correct deployment of our applications, always focusing on how our infrastructure and products are updated in real time.
To help the audience understand how everything happens, and to show how to take the first step toward this configuration, we also explain all the work habits that have allowed us to reach this point and keep improving daily. These include topics such as:
- Continuous hacking of the systems to guarantee the integration of security into the SDLC.
- Source code management inside repositories, following a monorepo structure (say goodbye to multirepo).
- Keeping a clean and small environment for the developers, including the changes to the master branch, avoiding code accumulation and reaching zero inventory (leaving gitflow behind).
- Generating daily value for the customers through a micro-changes methodology (instead of big changes every 3 weeks or more).
- Migrating and managing all the infrastructure as versioned source code, turning it into immutable infrastructure (avoiding management consoles and unauthorized changes).
- Defining Continuous Integration environments as source code (pipeline as code), in a way that can easily be configured and modified for all kinds of tests (avoiding the limitations of graphical interfaces for pipeline configuration).
- Avoiding servers at any cost, migrating to cloud services and reaching a serverless infrastructure.
- Safe secret management when deploying an application, avoiding sensitive information disclosure in source code and keeping the secrets protected.
- Deploying ephemeral environments that allow testing all the developed features before passing to production (reducing project complexity by avoiding development, testing, QA and other long-lived environments).
- Breaking the build even before making a commit to the repository, using local reproducible integration tests to check the source code.
- Performing tests over the source code and over the deployment that break the build as a result of the smallest error (instead of only notifying and allowing the error to keep growing):
  - Unit testing
  - Functional testing
  - Coverage
  - Strict linters
  - Security gates (SAST and DAST)
  - E2E
- Extreme reduction of build times by using the cache correctly.
- Taking advantage of the features of the version control client Git:
  - Peer review
  - Squashing
  - Rebasing
  - Rollback
  - Triggering builds
- Telemetry accessible to developers (not only logs, which are available exclusively to the infrastructure area).
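Two of the habits above, breaking the build locally before a commit exists and keeping secrets out of source code, can be illustrated with a small pre-commit gate. The following script is an added example and is not Fluid Attacks' code or a description of their pipeline; the secret-like patterns (an AWS-style access key id and a quoted `password = "..."` assignment) and the sample files it scans are constructed for the demonstration, and in a real hook the file list would come from `git diff --cached --name-only`. Any check that fails makes the whole gate return non-zero, which is what lets the hook block the commit.

```shell
#!/bin/sh
# Added example (not Fluid Attacks' code): a local pre-commit gate that fails
# fast on the same kinds of findings a CI pipeline would stop on, so the build
# "breaks" before the commit is created. Patterns and sample files are constructed.

# Constructed, illustrative secret-like patterns (extended regex):
#   - AWS-style access key ids: AKIA followed by 16 upper-case alphanumerics
#   - a quoted password literal assigned in source or config
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|[Pp]assword[[:space:]]*=[[:space:]]*[\"'][^\"']+[\"']"

# scan_secrets FILE... : report offending lines on stderr; return 1 if any found.
scan_secrets() {
  found=0
  for f in "$@"; do
    if grep -En "$SECRET_PATTERNS" "$f" >/dev/null 2>&1; then
      echo "secret-like content in $f:" >&2
      grep -En "$SECRET_PATTERNS" "$f" >&2
      found=1
    fi
  done
  return $found
}

# check_whitespace FILE... : stand-in for a strict linter; return 1 on trailing whitespace.
check_whitespace() {
  bad=0
  for f in "$@"; do
    if grep -n '[[:space:]]$' "$f" >/dev/null 2>&1; then
      echo "trailing whitespace in $f" >&2
      bad=1
    fi
  done
  return $bad
}

# local_gate FILE... : run every check and return non-zero if any of them failed.
# Every check runs even after the first failure so the developer sees all findings.
local_gate() {
  status=0
  scan_secrets "$@" || status=1
  check_whitespace "$@" || status=1
  return $status
}

# Demo with constructed files: one clean, one carrying a hard-coded password.
demo() {
  dir=$(mktemp -d)
  printf 'db_user = "app"\npassword = "hunter2"\n' > "$dir/settings.py"
  printf 'region = "us-east-1"\n' > "$dir/clean.py"
  if local_gate "$dir/clean.py"; then echo "clean.py: PASS"; fi
  if ! local_gate "$dir/settings.py"; then echo "settings.py: FAIL (commit blocked)"; fi
  rm -rf "$dir"
}
```

Wiring `local_gate` into `.git/hooks/pre-commit` over the staged file list gives the "break the build before the commit" behaviour; running the same functions in CI keeps the local and pipeline checks reproducible and identical.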
Each of the above points is explained while accessing Fluid Attacks' systems to look at their implementation and operation. According to the needs or interests of the participants, it is possible to focus on the topics they deem most important.
3. Experience
This workshop has been presented to professionals in technology and auditing areas for companies such as: Accenture, Arus, ATH, Avianca, B89, Bancolombia, Banitsmo, BIVA, Cadena, Cidenet, Colpatria, Cognox, Coordiutil, Corona, EAFIT, Evendi Digital, F2X, GCO, Grupo AVAL, Grupo Éxito, Interbank, Komet Sales, Nutresa, Payválida, Protección, RUNT, Seti, Banco Pichincha, Soy Yo, BTG Pactual, Caja Cusco, Banco Azul, Sistecrédito, Banco Agromercantil, Bantrab, Telered, Virtualsoft, Linea Directa, OxxO, Chubb, Banco Bolivariano, ACH, Sodexo, Mutualser, Niubiz, Nequi, La Haus, Banco General Panamá, Yappy, MFTech, Banco Industrial and Tech and Solve.
4. Where?
The presentation is hosted in an external venue.
5. Duration
The workshop has a duration of 6 hours (it is not possible to reduce its duration). It comprises a live demonstration of our practices, a morning break, and a lunch break.
6. When?
The workshop is designed to run from 9 a.m. to 3 p.m., with a 30-minute break at noon. The event date must be scheduled by agreement between the participants and Fluid Attacks.
7. Details
- Investment: The venue and food for this workshop are completely covered by Fluid Attacks. The attendees must commit their time and cover their transportation expenses, including vehicle parking costs should the venue's parking capacity be exceeded.
- Material: As with all events offered by Fluid Attacks, the event material is sent to the attendees once they complete the online satisfaction survey.
8. Audience
The workshop is suitable for both technical and managerial personnel, and the satisfaction rate for both profiles is equally high. However, if you wish to promote new changes and experimentation within your company, it is important to include people with decision-making power.
The workshop is designed for an audience of between 14 and 16 people on the customer side, plus 4 additional participants on Fluid Attacks' side.