Breaking the build
SecDevOps has grown in popularity in recent years; however, every webinar that addresses the topic focuses only on its benefits or possible use cases, ignoring people's main reason for attending this kind of event.
It can be deduced that people want to know, at least, how does this work? and where do I start? The speaker may show us how to perform tests on an extremely simple environment, completely unrelatable to our everyday tasks, and in this case new questions emerge, such as does this work? or how can I apply it to my company?
Based on the above, in this talk we seek to answer these questions by sharing our methodologies and work practices
or habits that allow us to implement a
in the execution of our projects;
from infrastructure management to the development of our orchestration platform for vulnerability remediation:
These habits allow us not only to increase our productivity and generate value for our customers daily, but also to increase the security of our production deployments. As a result, in the last six months we reached an average of:
Average of all systems 2018/01/01 - 2019/04/24
Systems with higher average 2018/01/01 - 2019/04/24
This seminar/workshop aims to implement the concepts and techniques seen in. Everything is performed live on real infrastructure and applications, taking a look behind the scenes of the process: the tools used, the logs that allow us to identify issues, and even the source code that defines each step for the correct deployment of our applications, always focusing on how our infrastructure and products are updated in real time.
To understand how everything happens and demonstrate how to take the first step to reach this configuration, we also explain all the work habits that have allowed us to reach this point and keep improving daily. These habits address topics such as:
Source code management inside repositories, following a monorepo structure (say goodbye to multirepo)
Keep a clean and small environment for the developers, including the changes to the master branch, avoiding code accumulation and reaching zero inventory (leaving
Generate daily value for customers through a micro-changes methodology (instead of big changes every 3 weeks or more).
Migrate and manage all the infrastructure as versioned source code, turning it into immutable infrastructure (avoiding management consoles and unauthorized changes).
Define Continuous Integration environments as source code, pipeline as code, in a way that can easily be configured and modified for all kinds of tests (avoiding graphical interface limitations for pipeline configurations).
Avoid servers at any cost, migrating to cloud services and reaching a serverless infrastructure.
Safe password management when deploying an application, avoiding sensitive information disclosure in source code and keeping the secrets protected.
Deploy ephemeral environments that allow testing all the developed features before passing to production (reducing project complexity by avoiding development environments, testing, QA, and others).
Breaking the build even before making a commit to the repository, using pre-commit for checking the source code.
Perform tests on the source code and on the deployment that break the build at the smallest error (rather than only notifying and allowing the error to keep growing):
Security Gates (SAST and DAST).
Extreme reduction of build times by using the cache correctly.
Take advantage of the features presented in the version control client
Telemetry accessible to developers (not logs available only to the infrastructure area).
Each point previously described is explained
Fluid Attacks systems
to look at its implementation and operation.
According to the needs or interests of the attendees, it is possible to focus on the topics they deem most important.
This workshop has been presented to professionals
in technology and auditing areas, for companies such as:
Tech and Solve.
The presentation can be hosted at your company’s facilities or an external venue.
The workshop has a duration of 6 hours (it is not possible to reduce its duration). It comprises a live demonstration of our practices, a morning break, and a lunch break.
The workshop is designed to be performed from 9 A.M. to 3 P.M., with a 30-minute break at 12 m.
The event date must be scheduled by agreement
between the attendees and
Investment: The space and food for this workshop are completely covered by Fluid Attacks. The attendees commit their time and cover their transportation expenses, including vehicle parking costs in case the facility exceeds its capacity.
Material: As with the other events offered by Fluid Attacks, the event material is sent to the attendees once all of them have completed the before leaving the auditorium.
The workshop is suitable for both technical and managerial personnel, and the satisfaction rate for both profiles is equally high. However, if you wish to promote new changes and experimentation inside your company, it is important to include people who can make decisions.
The workshop is designed for an audience of between 12 and 14 people on the customer side, and 4 additional attendees on the Fluid Attacks side.