Breaking the Build

Our SecDevOps Habits

1. Objective

The term SecDevOps has grown in popularity in recent years. However, webinars addressing this topic tend to only focus on its benefits, or possible use cases, ignoring people's main motivation to attend this kind of event.

It is fairly safe to assume that people want to also find out how this works and where to start. Many speakers demonstrate how to perform tests over an extremely simple environment, completely unrelatable to our everyday tasks, and, in this case, new questions emerge, such as: Does this work? Or, how can I apply this to my company?

Based on the above, in this talk, we seek to answer the posed questions by sharing the methodologies and work practices, or habits, that allow us to implement a SecDevOps culture in the execution of our projects; from the infrastructure management to the development of our orchestration platform for vulnerability remediation: our ARM.

These habits allow us not only to increase our productivity, and generate value for our customers on a daily basis, but also to increase the security of our production deployments. Thereby, we have been able to reach the following average rates:

Production deployment frequency
70/day
Deployment success
99.99%

2. Content

This seminar/workshop aims to implement the concepts and techniques covered in Burn the Datacenter. Everything is performed live over real infrastructure and applications, giving the audience a look into the backstage of the process: The tools used, the logs that allow us to identify issues, and even the source code that defines each step for the correct deployment of our applications, always focusing on how our infrastructure and products are updated in real time.

To help understand how everything happens and demonstrate how to take the first step to reach this configuration, we also explain all the work habits that have allowed us to reach this point and keep improving daily. These include topics such as:

  • Source code management inside repositories, following a monorepo structure (say goodbye to multirepo).

  • Keep a clean and small environment for the developers, including the changes to the master branch, avoiding code accumulation and reaching zero inventory (leaving gitflow behind).

  • Generate daily value to the customers through a micro changes methodology (instead of big changes every 3 weeks or more).

  • Migrate and manage all the infrastructure as versioned source code, turning it into immutable infrastructure (avoiding management consoles and unauthorized changes).

  • Define Continuous Integration environments as source code, pipeline as code, in a way that can easily be configured and modified for all kinds of tests (avoiding graphical interface limitations for pipeline configurations).

  • Avoid servers at any cost, migrating to cloud services and reaching a serverless infrastructure.

  • Safe password management when deploying an application, avoiding sensitive information disclosure in source code and keeping the secrets protected.

  • Deploy ephemeral environments that allow testing all the developed features before passing to production (reducing project complexity by avoiding development environments, testing, QA and others).

  • Breaking the build even before making a commit to the repository using pre-commit to check the source code.

  • Perform tests over the source code and over the deployment that break the build as a result of the smallest error (instead of only notifying and allowing the error to keep evolving/growing):

    • Multiplatform integration

    • Unit testing

    • Coverage

    • Strict Linters

    • Security gates (SAST y DAST)

  • Extreme reduction of build times by using the cache correctly.

  • Take advantage of the features presented in the version control client Git:

    • Peer review

    • Squashing

    • Rebasing

    • Rollback

    • Trigger builds

  • Telemetry accessible to developers (not logs, only available for infrastructure area).

Each above-mentioned point is explained while accessing Fluid Attacks' systems to look at its implementation and operation. According to the needs or interest of the participants, it is possible to focus on the topics they deem most important.

3. Experience

This workshop has been presented to professionals in technology and auditing areas for companies such as: Accenture, Arus, ATH, Avianca, B89, Bancolombia, Banitsmo, BIVA, Cadena, Cidenet, Colpatria, Cognox, Coordiutil, Corona, EAFIT, Evendi Digital, F2X, GCO, Grupo AVAL, Grupo Éxito, Interbank, Komet Sales, Nutresa, Payválida, Protección, RUNT, Seti and Tech and Solve.

4. Where?

The presentation can be hosted at your company's facilities or an external venue.

5. Duration

The workshop has a duration of 6 hours (it is not possible to reduce its duration). It comprises a live demonstration of our practices, a morning break, and a lunch break.

6. When?

The workshop is designed to be performed from 9 a.m. to 3 p.m., with a 30-minute break at 12 m. The event date must be scheduled in agreement between the participants and Fluid Attacks.

7. Details

  1. Investment: The space and food for this workshop are completely covered by Fluid Attacks. The attendees must commit their time and cover their transportation expenses including vehicles parking costs in case the facility exceeds its capacity.

  2. Material: As with all events offered by Fluid Attacks, the event material is sent to the attendees once they complete the online satisfaction survey.

8. Audience

The workshop is suitable for both technical and managerial personnel, and the satisfaction rate for both profiles is equally high. However, if you wish to promote new changes and experimentation within your company, it is important to include people with decision-making power.

The workshop is designed for an audience of between 12 and 14 people on the customer side, plus 4 additional participants on Fluid Attacks' side.

9. Speakers