SlideShare a Scribd company logo

Continuous security improvements in the DevOps process

Aarno Aukia
Aarno Aukia

This document discusses continuous security improvement in the DevOps process. It describes how a DevOps company called VSHN integrates security practices like application security, DevSecOps, and security operations into the software development lifecycle. These include implementing security best practices and tools for activities like code analysis, dependency management, container scanning, testing, deployment, operations, identity and access management, logging, and metrics collection. The goal is to automate security across build, test, deploy, and operations phases to deliver secure software through a DevSecOps approach.

1 of 27
Downloaded 10 times
VSHN - The DevOps Company Continuous Security improvement in the DevOps process Aarno Aukia, CTO @ VSHN - The DevOps Company
VSHN - The DevOps Company ● About Aarno & VSHN.ch ● From Ops to DevOps ● DevOps/DevSecOps/SecOps? ● Automating Operations to include security ○ Build ○ Test ○ Deployment ○ Ops 22 Agenda
VSHN - The DevOps Company @aarnoaukia http://about.me/aarno aarno.aukia@vshn.ch ETH → Google → Atrila → VSHN VSHN - The DevOps Company Since 2014, currently 30 VSHNeers in Zürich, Switzerland We help developers run web applications 24/7 in any cloud making both visitors happy with stability and developers happy with agility 33 About Aarno & VSHN.ch
VSHN - The DevOps Company 4 OPS = Firefighting-as-a-Service ? 4
VSHN - The DevOps Company DevOps: People, Processes & Tools 55
VSHN - The DevOps Company Memberships 77
VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 88 Areas of security improvement
VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 99 Areas of security improvement
VSHN - The DevOps Company DevSecOps principles 1010
VSHN - The DevOps Company ● static code analysis automatically for each commit ● Dependency Management ● (base) container image scanning 1111 Build
VSHN - The DevOps Company Code analysis: sonarqube 1212
VSHN - The DevOps Company 1313 Dependency updates: https://dependabot.com
VSHN - The DevOps Company Container scanning: aquasec 1414
VSHN - The DevOps Company ● smoke tests ● test envs “à discretion” 1515 Test
VSHN - The DevOps Company ● atomic container deployment ● every deployment (and rollback) is a “normal deployment” ● deployment automation removes need for (all) devs root prod access and/or waiting for ops to deploy new dev version 1616 Deployment
VSHN - The DevOps Company ● standardization on (minimal, hardened) OS and container orchestrator ● immutable (application) infrastructure using containers ● process/storage/network separation of applications/environments ● detect/prevent configuration drift between dev/test/stage/prod envs ● documentation & automatic backup of all volumes ● documentation & monitoring of routes/loadbalancers/ingresspoints with enforcing SSL/TLS ● AAI for admin & application ● key & secrets management ● audit logging of control & application planes 1717 Ops
VSHN - The DevOps Company Container isolation 1818 ● Kernel namespacing (process & network) ● Control groups (resource quota to prevent DoS) ● SELinux (additional syscall filter) ● prevent running as root inside container, no user-provided privileged containers (enforce best practice) ● readonly container filesystem (harder to persist exploit at runtime)
VSHN - The DevOps Company AAI: Keycloak 1919 ● Identity & Access Management ● Single sign in/out ● Identity brokering: ○ OpenID Connect (OAuth2, FB/Twitter/Github etc.) ○ SAML2.0 ○ Kerberos ● User federation: LDAP, AD, etc ● 2FA: TOTP/HOTP ● Managing the Authorization groups
VSHN - The DevOps Company Logs: ELK/EFK/Greylog 2020 ● Logging all access and changes through the control plane ● Logging all access to the application and correlate with application logs ● Index, view, filter, aggregate KPI → monitoring ● Store outside of application scope
VSHN - The DevOps Company ● Prometheus ○ time series database ○ open source / CNCF-project ○ well-integrated in docker/kubernetes stats ● NewRelic APM ○ application-level profiling ○ performance tracking ○ exception tracking (backend & frontend) ○ available as SaaS 2121 Metrics: Prometheus / NewRelic
VSHN - The DevOps Company Kubernetes Distribution Architecture 2222
VSHN - The DevOps Company ● OpenShift, Kubernetes, Docker ● Logging: EFK ● Metrics: Prometheus ● SSL-Certificates: letsencrypt.org ● Source-to-image builder, Dockerfile builder, Docker-Image-Registry: OpenShift ● Load-balancing, horizontal (auto) scaling, rolling deployments: Kubernetes ● MySQL/MariaDB, PostgreSQL, Redis, Solr, Elasticsearch, RabbitMQ, MongoDB: either single-container for dev or DBaaS for prod ● 24/7 Support and SLA, cloud or on-premises 2323 Auxiliary Services we use at APPUiO.ch
VSHN - The DevOps Company 2424 APPUiO.ch in 14 countries & on-premises
VSHN - The DevOps Company ● Please do get in touch with feedback ● Twitter: @aarnoaukia ● Linkedin: https://www.linkedin.com/in/aukia/ ● Email: aarno.aukia@vshn.ch 2525 Thank you
Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch 26
VSHN - The DevOps Company The CNCF Landscape 2727
VSHN - The DevOps Company Next Event February 21, 2019 from 6.30pm https://www.meetup.com/Cloud-Native-Computing-Switzerland Please volunteer for Sponsoring & Talks https://cnc-meetup.ch 2828 Cloud Native Computing
Ad

Recommended

RDO and Ceph meetup BCN - Testing in RDO
RDO and Ceph meetup BCN - Testing in RDORDO and Ceph meetup BCN - Testing in RDO
RDO and Ceph meetup BCN - Testing in RDO
Alfredo Moralejo
 
XP Days Ukraine 2016 Building CD Pipeline in Azure
XP Days Ukraine 2016 Building CD Pipeline in AzureXP Days Ukraine 2016 Building CD Pipeline in Azure
XP Days Ukraine 2016 Building CD Pipeline in Azure
Sergii Kryshtop
 
Architecting the Future: Abstractions and Metadata - GlueCon
Architecting the Future: Abstractions and Metadata - GlueConArchitecting the Future: Abstractions and Metadata - GlueCon
Architecting the Future: Abstractions and Metadata - GlueCon
Daniel Barker
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
AzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release ManagementAzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release Management
Sergii Kryshtop
 
Application Portability using Cloud Native Technology: Docker, Kubernetes
Application Portability using Cloud Native Technology: Docker, KubernetesApplication Portability using Cloud Native Technology: Docker, Kubernetes
Application Portability using Cloud Native Technology: Docker, Kubernetes
Aarno Aukia
 
Kubecon 2019 Recap
Kubecon 2019 RecapKubecon 2019 Recap
Kubecon 2019 Recap
Aarno Aukia
 
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
Robert Bohne
 
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
ManageIQ
 
Streamlining Agile Linux Development with Docker and RHEL Atomic
Streamlining Agile Linux Development with Docker and RHEL AtomicStreamlining Agile Linux Development with Docker and RHEL Atomic
Streamlining Agile Linux Development with Docker and RHEL Atomic
Michael Solberg
 
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
mfrancis
 
Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10
MagaliDavidCruz
 
CI/CD for everyone else
CI/CD for everyone elseCI/CD for everyone else
CI/CD for everyone else
Victor Morales
 
An OpenShift Migration: From 3.9 to 4.5
An OpenShift Migration: From 3.9 to 4.5An OpenShift Migration: From 3.9 to 4.5
An OpenShift Migration: From 3.9 to 4.5
Everett Toews
 
Opnfv testing + opnfv pharos + opnfv xci
Opnfv testing + opnfv pharos + opnfv xciOpnfv testing + opnfv pharos + opnfv xci
Opnfv testing + opnfv pharos + opnfv xci
OPNFV
 
IPv6 on Container Plattforms
IPv6 on Container PlattformsIPv6 on Container Plattforms
IPv6 on Container Plattforms
Aarno Aukia
 
Groovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineGroovy there's a docker in my application pipeline
Groovy there's a docker in my application pipeline
Kris Buytaert
 
OPNFV Developer Tools and Release Process
OPNFV Developer Tools and Release ProcessOPNFV Developer Tools and Release Process
OPNFV Developer Tools and Release Process
OPNFV
 
Introducing Deployit 3.9
Introducing Deployit 3.9Introducing Deployit 3.9
Introducing Deployit 3.9
XebiaLabs
 
Opnfv vision, community and projects
Opnfv vision, community and projectsOpnfv vision, community and projects
Opnfv vision, community and projects
OPNFV
 
Architecting The Future - WeRise Women in Technology
Architecting The Future - WeRise Women in TechnologyArchitecting The Future - WeRise Women in Technology
Architecting The Future - WeRise Women in Technology
Daniel Barker
 
OpenShift pour le developpement cloud native - 20171214
OpenShift pour le developpement cloud native - 20171214OpenShift pour le developpement cloud native - 20171214
OpenShift pour le developpement cloud native - 20171214
Laurent Broudoux
 
UGent Django Infrastructure
UGent Django InfrastructureUGent Django Infrastructure
UGent Django Infrastructure
kevinvw
 
OpenShift meetup Bangalore
OpenShift meetup BangaloreOpenShift meetup Bangalore
OpenShift meetup Bangalore
Suraj Deshmukh
 
Neutron upgrades strategy
Neutron upgrades strategyNeutron upgrades strategy
Neutron upgrades strategy
Victor Morales
 
11th Docker Switzerland User Group Meetup
11th Docker Switzerland User Group Meetup11th Docker Switzerland User Group Meetup
11th Docker Switzerland User Group Meetup
Philipp Grossenbacher
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
OpenShift Origin
 
Open Platform for NFV: Arno and Beyond
Open Platform for NFV: Arno and BeyondOpen Platform for NFV: Arno and Beyond
Open Platform for NFV: Arno and Beyond
OPNFV
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOps
Aarno Aukia
 
Ad

More Related Content

What's hot (20)

DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
ManageIQ
 
Streamlining Agile Linux Development with Docker and RHEL Atomic
Streamlining Agile Linux Development with Docker and RHEL AtomicStreamlining Agile Linux Development with Docker and RHEL Atomic
Streamlining Agile Linux Development with Docker and RHEL Atomic
Michael Solberg
 
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
mfrancis
 
Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10
MagaliDavidCruz
 
CI/CD for everyone else
CI/CD for everyone elseCI/CD for everyone else
CI/CD for everyone else
Victor Morales
 
An OpenShift Migration: From 3.9 to 4.5
An OpenShift Migration: From 3.9 to 4.5An OpenShift Migration: From 3.9 to 4.5
An OpenShift Migration: From 3.9 to 4.5
Everett Toews
 
Opnfv testing + opnfv pharos + opnfv xci
Opnfv testing + opnfv pharos + opnfv xciOpnfv testing + opnfv pharos + opnfv xci
Opnfv testing + opnfv pharos + opnfv xci
OPNFV
 
IPv6 on Container Plattforms
IPv6 on Container PlattformsIPv6 on Container Plattforms
IPv6 on Container Plattforms
Aarno Aukia
 
Groovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineGroovy there's a docker in my application pipeline
Groovy there's a docker in my application pipeline
Kris Buytaert
 
OPNFV Developer Tools and Release Process
OPNFV Developer Tools and Release ProcessOPNFV Developer Tools and Release Process
OPNFV Developer Tools and Release Process
OPNFV
 
Introducing Deployit 3.9
Introducing Deployit 3.9Introducing Deployit 3.9
Introducing Deployit 3.9
XebiaLabs
 
Opnfv vision, community and projects
Opnfv vision, community and projectsOpnfv vision, community and projects
Opnfv vision, community and projects
OPNFV
 
Architecting The Future - WeRise Women in Technology
Architecting The Future - WeRise Women in TechnologyArchitecting The Future - WeRise Women in Technology
Architecting The Future - WeRise Women in Technology
Daniel Barker
 
OpenShift pour le developpement cloud native - 20171214
OpenShift pour le developpement cloud native - 20171214OpenShift pour le developpement cloud native - 20171214
OpenShift pour le developpement cloud native - 20171214
Laurent Broudoux
 
UGent Django Infrastructure
UGent Django InfrastructureUGent Django Infrastructure
UGent Django Infrastructure
kevinvw
 
OpenShift meetup Bangalore
OpenShift meetup BangaloreOpenShift meetup Bangalore
OpenShift meetup Bangalore
Suraj Deshmukh
 
Neutron upgrades strategy
Neutron upgrades strategyNeutron upgrades strategy
Neutron upgrades strategy
Victor Morales
 
11th Docker Switzerland User Group Meetup
11th Docker Switzerland User Group Meetup11th Docker Switzerland User Group Meetup
11th Docker Switzerland User Group Meetup
Philipp Grossenbacher
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
OpenShift Origin
 
Open Platform for NFV: Arno and Beyond
Open Platform for NFV: Arno and BeyondOpen Platform for NFV: Arno and Beyond
Open Platform for NFV: Arno and Beyond
OPNFV
 
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
ManageIQ
 
Streamlining Agile Linux Development with Docker and RHEL Atomic
Streamlining Agile Linux Development with Docker and RHEL AtomicStreamlining Agile Linux Development with Docker and RHEL Atomic
Streamlining Agile Linux Development with Docker and RHEL Atomic
Michael Solberg
 
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
OSGi from the Trenches- Painless Server Side Development - Magnus Jungsbluth ...
mfrancis
 
Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10
MagaliDavidCruz
 
CI/CD for everyone else
CI/CD for everyone elseCI/CD for everyone else
CI/CD for everyone else
Victor Morales
 
An OpenShift Migration: From 3.9 to 4.5
An OpenShift Migration: From 3.9 to 4.5An OpenShift Migration: From 3.9 to 4.5
An OpenShift Migration: From 3.9 to 4.5
Everett Toews
 
Opnfv testing + opnfv pharos + opnfv xci
Opnfv testing + opnfv pharos + opnfv xciOpnfv testing + opnfv pharos + opnfv xci
Opnfv testing + opnfv pharos + opnfv xci
OPNFV
 
IPv6 on Container Plattforms
IPv6 on Container PlattformsIPv6 on Container Plattforms
IPv6 on Container Plattforms
Aarno Aukia
 
Groovy there's a docker in my application pipeline
Groovy there's a docker in my application pipelineGroovy there's a docker in my application pipeline
Groovy there's a docker in my application pipeline
Kris Buytaert
 
OPNFV Developer Tools and Release Process
OPNFV Developer Tools and Release ProcessOPNFV Developer Tools and Release Process
OPNFV Developer Tools and Release Process
OPNFV
 
Introducing Deployit 3.9
Introducing Deployit 3.9Introducing Deployit 3.9
Introducing Deployit 3.9
XebiaLabs
 
Opnfv vision, community and projects
Opnfv vision, community and projectsOpnfv vision, community and projects
Opnfv vision, community and projects
OPNFV
 
Architecting The Future - WeRise Women in Technology
Architecting The Future - WeRise Women in TechnologyArchitecting The Future - WeRise Women in Technology
Architecting The Future - WeRise Women in Technology
Daniel Barker
 
OpenShift pour le developpement cloud native - 20171214
OpenShift pour le developpement cloud native - 20171214OpenShift pour le developpement cloud native - 20171214
OpenShift pour le developpement cloud native - 20171214
Laurent Broudoux
 
UGent Django Infrastructure
UGent Django InfrastructureUGent Django Infrastructure
UGent Django Infrastructure
kevinvw
 
OpenShift meetup Bangalore
OpenShift meetup BangaloreOpenShift meetup Bangalore
OpenShift meetup Bangalore
Suraj Deshmukh
 
Neutron upgrades strategy
Neutron upgrades strategyNeutron upgrades strategy
Neutron upgrades strategy
Victor Morales
 
11th Docker Switzerland User Group Meetup
11th Docker Switzerland User Group Meetup11th Docker Switzerland User Group Meetup
11th Docker Switzerland User Group Meetup
Philipp Grossenbacher
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
OpenShift Origin
 
Open Platform for NFV: Arno and Beyond
Open Platform for NFV: Arno and BeyondOpen Platform for NFV: Arno and Beyond
Open Platform for NFV: Arno and Beyond
OPNFV
 

Similar to Continuous security improvements in the DevOps process (20)

DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOps
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
IT Governance and Security Architecture in Docker, Kubernetes, OpenShiftIT Governance and Security Architecture in Docker, Kubernetes, OpenShift
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
Aarno Aukia
 
Next gen software operations models in the cloud
Next gen software operations models in the cloudNext gen software operations models in the cloud
Next gen software operations models in the cloud
Aarno Aukia
 
A guide to modern software development 2018
A guide to modern software development 2018A guide to modern software development 2018
A guide to modern software development 2018
Peter Bittner
 
Avoid the Vendor Lock-in Trap (with App Deployment)
Avoid the Vendor Lock-in Trap (with App Deployment)Avoid the Vendor Lock-in Trap (with App Deployment)
Avoid the Vendor Lock-in Trap (with App Deployment)
Peter Bittner
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
William Caban
 
Dev ops
Dev opsDev ops
Dev ops
farzanehvar
 
Full stack development best practice and toolset
Full stack development best practice and toolsetFull stack development best practice and toolset
Full stack development best practice and toolset
Reid Lai
 
Wie macht man aus Software einen Online-Service in der Cloud
Wie macht man aus Software einen Online-Service in der CloudWie macht man aus Software einen Online-Service in der Cloud
Wie macht man aus Software einen Online-Service in der Cloud
Aarno Aukia
 
DevOps Foundations
DevOps FoundationsDevOps Foundations
DevOps Foundations
Amr Fawzy
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
Daniel Oh
 
Open shift 4-update
Open shift 4-updateOpen shift 4-update
Open shift 4-update
SaeidVarmazyar
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Building stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookBuilding stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with Rook
Roberto Hashioka
 
Why observability matters - now and in the future (w/guest Grafana)
Why observability matters - now and in the future (w/guest Grafana)Why observability matters - now and in the future (w/guest Grafana)
Why observability matters - now and in the future (w/guest Grafana)
Weaveworks
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
DevOps.com
 
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Digicomp Academy AG
 
Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOps
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
IT Governance and Security Architecture in Docker, Kubernetes, OpenShiftIT Governance and Security Architecture in Docker, Kubernetes, OpenShift
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
Aarno Aukia
 
Next gen software operations models in the cloud
Next gen software operations models in the cloudNext gen software operations models in the cloud
Next gen software operations models in the cloud
Aarno Aukia
 
A guide to modern software development 2018
A guide to modern software development 2018A guide to modern software development 2018
A guide to modern software development 2018
Peter Bittner
 
Avoid the Vendor Lock-in Trap (with App Deployment)
Avoid the Vendor Lock-in Trap (with App Deployment)Avoid the Vendor Lock-in Trap (with App Deployment)
Avoid the Vendor Lock-in Trap (with App Deployment)
Peter Bittner
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
William Caban
 
Dev ops
Dev opsDev ops
Dev ops
farzanehvar
 
Full stack development best practice and toolset
Full stack development best practice and toolsetFull stack development best practice and toolset
Full stack development best practice and toolset
Reid Lai
 
Wie macht man aus Software einen Online-Service in der Cloud
Wie macht man aus Software einen Online-Service in der CloudWie macht man aus Software einen Online-Service in der Cloud
Wie macht man aus Software einen Online-Service in der Cloud
Aarno Aukia
 
DevOps Foundations
DevOps FoundationsDevOps Foundations
DevOps Foundations
Amr Fawzy
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
Daniel Oh
 
Open shift 4-update
Open shift 4-updateOpen shift 4-update
Open shift 4-update
SaeidVarmazyar
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Building stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookBuilding stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with Rook
Roberto Hashioka
 
Why observability matters - now and in the future (w/guest Grafana)
Why observability matters - now and in the future (w/guest Grafana)Why observability matters - now and in the future (w/guest Grafana)
Why observability matters - now and in the future (w/guest Grafana)
Weaveworks
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
DevOps.com
 
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Digicomp Academy AG
 
Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...
Aarno Aukia
 
Ad

More from Aarno Aukia (18)

The printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookThe printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN Handbook
Aarno Aukia
 
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Applikationsmodernisierung: Der Weg von Legacy in die CloudApplikationsmodernisierung: Der Weg von Legacy in die Cloud
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Aarno Aukia
 
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Aarno Aukia
 
My broken container is gone - how to debug containers on container platforms
My broken container is gone - how to debug containers on container platformsMy broken container is gone - how to debug containers on container platforms
My broken container is gone - how to debug containers on container platforms
Aarno Aukia
 
Automated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAutomated Server Administration for DevSecOps
Automated Server Administration for DevSecOps
Aarno Aukia
 
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Aarno Aukia
 
Moving Applications to the cloud
Moving Applications to the cloudMoving Applications to the cloud
Moving Applications to the cloud
Aarno Aukia
 
Migration von Applikationen in die Cloud
Migration von Applikationen in die CloudMigration von Applikationen in die Cloud
Migration von Applikationen in die Cloud
Aarno Aukia
 
Cloud Native Computing & DevOps
Cloud Native Computing & DevOpsCloud Native Computing & DevOps
Cloud Native Computing & DevOps
Aarno Aukia
 
Cloud Native Computing
Cloud Native ComputingCloud Native Computing
Cloud Native Computing
Aarno Aukia
 
Cloud Native Computing Meetup Zürich Jan 11 2018
Cloud Native Computing Meetup Zürich Jan 11 2018Cloud Native Computing Meetup Zürich Jan 11 2018
Cloud Native Computing Meetup Zürich Jan 11 2018
Aarno Aukia
 
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Wie nutzen wir Cloud-Infrastruktur @ VSHN.chWie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Aarno Aukia
 
Scalable Web Applications with 100% open source
Scalable Web Applications with 100% open sourceScalable Web Applications with 100% open source
Scalable Web Applications with 100% open source
Aarno Aukia
 
SecDevOps 2017
SecDevOps 2017SecDevOps 2017
SecDevOps 2017
Aarno Aukia
 
Cloud Native Computing Meetup Zürich
Cloud Native Computing Meetup ZürichCloud Native Computing Meetup Zürich
Cloud Native Computing Meetup Zürich
Aarno Aukia
 
DevOps for E-Commerce
DevOps for E-CommerceDevOps for E-Commerce
DevOps for E-Commerce
Aarno Aukia
 
Scalable Python with Docker, Kubernetes, OpenShift
Scalable Python with Docker, Kubernetes, OpenShiftScalable Python with Docker, Kubernetes, OpenShift
Scalable Python with Docker, Kubernetes, OpenShift
Aarno Aukia
 
Docker Containers in Azure
Docker Containers in AzureDocker Containers in Azure
Docker Containers in Azure
Aarno Aukia
 
The printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookThe printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN Handbook
Aarno Aukia
 
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Applikationsmodernisierung: Der Weg von Legacy in die CloudApplikationsmodernisierung: Der Weg von Legacy in die Cloud
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Aarno Aukia
 
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Aarno Aukia
 
My broken container is gone - how to debug containers on container platforms
My broken container is gone - how to debug containers on container platformsMy broken container is gone - how to debug containers on container platforms
My broken container is gone - how to debug containers on container platforms
Aarno Aukia
 
Automated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAutomated Server Administration for DevSecOps
Automated Server Administration for DevSecOps
Aarno Aukia
 
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Aarno Aukia
 
Moving Applications to the cloud
Moving Applications to the cloudMoving Applications to the cloud
Moving Applications to the cloud
Aarno Aukia
 
Migration von Applikationen in die Cloud
Migration von Applikationen in die CloudMigration von Applikationen in die Cloud
Migration von Applikationen in die Cloud
Aarno Aukia
 
Cloud Native Computing & DevOps
Cloud Native Computing & DevOpsCloud Native Computing & DevOps
Cloud Native Computing & DevOps
Aarno Aukia
 
Cloud Native Computing
Cloud Native ComputingCloud Native Computing
Cloud Native Computing
Aarno Aukia
 
Cloud Native Computing Meetup Zürich Jan 11 2018
Cloud Native Computing Meetup Zürich Jan 11 2018Cloud Native Computing Meetup Zürich Jan 11 2018
Cloud Native Computing Meetup Zürich Jan 11 2018
Aarno Aukia
 
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Wie nutzen wir Cloud-Infrastruktur @ VSHN.chWie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Aarno Aukia
 
Scalable Web Applications with 100% open source
Scalable Web Applications with 100% open sourceScalable Web Applications with 100% open source
Scalable Web Applications with 100% open source
Aarno Aukia
 
SecDevOps 2017
SecDevOps 2017SecDevOps 2017
SecDevOps 2017
Aarno Aukia
 
Cloud Native Computing Meetup Zürich
Cloud Native Computing Meetup ZürichCloud Native Computing Meetup Zürich
Cloud Native Computing Meetup Zürich
Aarno Aukia
 
DevOps for E-Commerce
DevOps for E-CommerceDevOps for E-Commerce
DevOps for E-Commerce
Aarno Aukia
 
Scalable Python with Docker, Kubernetes, OpenShift
Scalable Python with Docker, Kubernetes, OpenShiftScalable Python with Docker, Kubernetes, OpenShift
Scalable Python with Docker, Kubernetes, OpenShift
Aarno Aukia
 
Docker Containers in Azure
Docker Containers in AzureDocker Containers in Azure
Docker Containers in Azure
Aarno Aukia
 
Ad

Recently uploaded (20)

A Comprehensive Guide to CRM Software Benefits for Every Business Stage
A Comprehensive Guide to CRM Software Benefits for Every Business StageA Comprehensive Guide to CRM Software Benefits for Every Business Stage
A Comprehensive Guide to CRM Software Benefits for Every Business Stage
SynapseIndia
 
Why Tapitag Ranks Among the Best Digital Business Card Providers
Why Tapitag Ranks Among the Best Digital Business Card ProvidersWhy Tapitag Ranks Among the Best Digital Business Card Providers
Why Tapitag Ranks Among the Best Digital Business Card Providers
Tapitag
 
Deploying & Testing Agentforce - End-to-end with Copado - Ewenb Clark
Deploying & Testing Agentforce - End-to-end with Copado - Ewenb ClarkDeploying & Testing Agentforce - End-to-end with Copado - Ewenb Clark
Deploying & Testing Agentforce - End-to-end with Copado - Ewenb Clark
Peter Caitens
 
AEM User Group DACH - 2025 Inaugural Meeting
AEM User Group DACH - 2025 Inaugural MeetingAEM User Group DACH - 2025 Inaugural Meeting
AEM User Group DACH - 2025 Inaugural Meeting
jennaf3
 
[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts
Dimitrios Platis
 
Autodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) LatestAutodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) Latest
Google
 
Wilcom Embroidery Studio Crack 2025 For Windows
Wilcom Embroidery Studio Crack 2025 For WindowsWilcom Embroidery Studio Crack 2025 For Windows
Wilcom Embroidery Studio Crack 2025 For Windows
Google
 
Digital Twins Software Service in Belfast
Digital Twins Software Service in BelfastDigital Twins Software Service in Belfast
Digital Twins Software Service in Belfast
julia smits
 
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
OnePlan Solutions
 
Do not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your causeDo not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your cause
Fexle Services Pvt. Ltd.
 
Orion Context Broker introduction 20250509
Orion Context Broker introduction 20250509Orion Context Broker introduction 20250509
Orion Context Broker introduction 20250509
Fermin Galan
 
The Elixir Developer - All Things Open
The Elixir Developer - All Things OpenThe Elixir Developer - All Things Open
The Elixir Developer - All Things Open
Carlo Gilmar Padilla Santana
 
GC Tuning: A Masterpiece in Performance Engineering
GC Tuning: A Masterpiece in Performance EngineeringGC Tuning: A Masterpiece in Performance Engineering
GC Tuning: A Masterpiece in Performance Engineering
Tier1 app
 
Memory Management and Leaks in Postgres from pgext.day 2025
Memory Management and Leaks in Postgres from pgext.day 2025Memory Management and Leaks in Postgres from pgext.day 2025
Memory Management and Leaks in Postgres from pgext.day 2025
Phil Eaton
 
Adobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREEAdobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREE
zafranwaqar90
 
Reinventing Microservices Efficiency and Innovation with Single-Runtime
Reinventing Microservices Efficiency and Innovation with Single-RuntimeReinventing Microservices Efficiency and Innovation with Single-Runtime
Reinventing Microservices Efficiency and Innovation with Single-Runtime
Natan Silnitsky
 
Sequence Diagrams With Pictures (1).pptx
Sequence Diagrams With Pictures (1).pptxSequence Diagrams With Pictures (1).pptx
Sequence Diagrams With Pictures (1).pptx
aashrithakondapalli8
 
Download MathType Crack Version 2025???
Download MathType Crack Version 2025???Download MathType Crack Version 2025???
Download MathType Crack Version 2025???
Google
 
Mobile Application Developer Dubai | Custom App Solutions by Ajath
Mobile Application Developer Dubai | Custom App Solutions by AjathMobile Application Developer Dubai | Custom App Solutions by Ajath
Mobile Application Developer Dubai | Custom App Solutions by Ajath
Ajath Infotech Technologies LLC
 
How to Install and Activate ListGrabber Plugin
How to Install and Activate ListGrabber PluginHow to Install and Activate ListGrabber Plugin
How to Install and Activate ListGrabber Plugin
eGrabber
 
A Comprehensive Guide to CRM Software Benefits for Every Business Stage
A Comprehensive Guide to CRM Software Benefits for Every Business StageA Comprehensive Guide to CRM Software Benefits for Every Business Stage
A Comprehensive Guide to CRM Software Benefits for Every Business Stage
SynapseIndia
 
Why Tapitag Ranks Among the Best Digital Business Card Providers
Why Tapitag Ranks Among the Best Digital Business Card ProvidersWhy Tapitag Ranks Among the Best Digital Business Card Providers
Why Tapitag Ranks Among the Best Digital Business Card Providers
Tapitag
 
Deploying & Testing Agentforce - End-to-end with Copado - Ewenb Clark
Deploying & Testing Agentforce - End-to-end with Copado - Ewenb ClarkDeploying & Testing Agentforce - End-to-end with Copado - Ewenb Clark
Deploying & Testing Agentforce - End-to-end with Copado - Ewenb Clark
Peter Caitens
 
AEM User Group DACH - 2025 Inaugural Meeting
AEM User Group DACH - 2025 Inaugural MeetingAEM User Group DACH - 2025 Inaugural Meeting
AEM User Group DACH - 2025 Inaugural Meeting
jennaf3
 
[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts
Dimitrios Platis
 
Autodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) LatestAutodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) Latest
Google
 
Wilcom Embroidery Studio Crack 2025 For Windows
Wilcom Embroidery Studio Crack 2025 For WindowsWilcom Embroidery Studio Crack 2025 For Windows
Wilcom Embroidery Studio Crack 2025 For Windows
Google
 
Digital Twins Software Service in Belfast
Digital Twins Software Service in BelfastDigital Twins Software Service in Belfast
Digital Twins Software Service in Belfast
julia smits
 
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
OnePlan Solutions
 
Do not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your causeDo not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your cause
Fexle Services Pvt. Ltd.
 
Orion Context Broker introduction 20250509
Orion Context Broker introduction 20250509Orion Context Broker introduction 20250509
Orion Context Broker introduction 20250509
Fermin Galan
 
The Elixir Developer - All Things Open
The Elixir Developer - All Things OpenThe Elixir Developer - All Things Open
The Elixir Developer - All Things Open
Carlo Gilmar Padilla Santana
 
GC Tuning: A Masterpiece in Performance Engineering
GC Tuning: A Masterpiece in Performance EngineeringGC Tuning: A Masterpiece in Performance Engineering
GC Tuning: A Masterpiece in Performance Engineering
Tier1 app
 
Memory Management and Leaks in Postgres from pgext.day 2025
Memory Management and Leaks in Postgres from pgext.day 2025Memory Management and Leaks in Postgres from pgext.day 2025
Memory Management and Leaks in Postgres from pgext.day 2025
Phil Eaton
 
Adobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREEAdobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREE
zafranwaqar90
 
Reinventing Microservices Efficiency and Innovation with Single-Runtime
Reinventing Microservices Efficiency and Innovation with Single-RuntimeReinventing Microservices Efficiency and Innovation with Single-Runtime
Reinventing Microservices Efficiency and Innovation with Single-Runtime
Natan Silnitsky
 
Sequence Diagrams With Pictures (1).pptx
Sequence Diagrams With Pictures (1).pptxSequence Diagrams With Pictures (1).pptx
Sequence Diagrams With Pictures (1).pptx
aashrithakondapalli8
 
Download MathType Crack Version 2025???
Download MathType Crack Version 2025???Download MathType Crack Version 2025???
Download MathType Crack Version 2025???
Google
 
Mobile Application Developer Dubai | Custom App Solutions by Ajath
Mobile Application Developer Dubai | Custom App Solutions by AjathMobile Application Developer Dubai | Custom App Solutions by Ajath
Mobile Application Developer Dubai | Custom App Solutions by Ajath
Ajath Infotech Technologies LLC
 
How to Install and Activate ListGrabber Plugin
How to Install and Activate ListGrabber PluginHow to Install and Activate ListGrabber Plugin
How to Install and Activate ListGrabber Plugin
eGrabber
 

Continuous security improvements in the DevOps process

  • 1. VSHN - The DevOps Company Continuous Security improvement in the DevOps process Aarno Aukia, CTO @ VSHN - The DevOps Company
  • 2. VSHN - The DevOps Company ● About Aarno & VSHN.ch ● From Ops to DevOps ● DevOps/DevSecOps/SecOps? ● Automating Operations to include security ○ Build ○ Test ○ Deployment ○ Ops 22 Agenda
  • 3. VSHN - The DevOps Company @aarnoaukia http://about.me/aarno [email protected] ETH → Google → Atrila → VSHN VSHN - The DevOps Company Since 2014, currently 30 VSHNeers in Zürich, Switzerland We help developers run web applications 24/7 in any cloud making both visitors happy with stability and developers happy with agility 33 About Aarno & VSHN.ch
  • 4. VSHN - The DevOps Company 4 OPS = Firefighting-as-a-Service ? 4
  • 5. VSHN - The DevOps Company DevOps: People, Processes & Tools 55
  • 6. VSHN - The DevOps Company Memberships 77
  • 7. VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 88 Areas of security improvement
  • 8. VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 99 Areas of security improvement
  • 9. VSHN - The DevOps Company DevSecOps principles 1010
  • 10. VSHN - The DevOps Company ● static code analysis automatically for each commit ● Dependency Management ● (base) container image scanning 1111 Build
  • 11. VSHN - The DevOps Company Code analysis: sonarqube 1212
  • 12. VSHN - The DevOps Company 1313 Dependency updates: https://dependabot.com
  • 13. VSHN - The DevOps Company Container scanning: aquasec 1414
  • 14. VSHN - The DevOps Company ● smoke tests ● test envs “à discretion” 1515 Test
  • 15. VSHN - The DevOps Company ● atomic container deployment ● every deployment (and rollback) is a “normal deployment” ● deployment automation removes need for (all) devs root prod access and/or waiting for ops to deploy new dev version 1616 Deployment
  • 16. VSHN - The DevOps Company ● standardization on (minimal, hardened) OS and container orchestrator ● immutable (application) infrastructure using containers ● process/storage/network separation of applications/environments ● detect/prevent configuration drift between dev/test/stage/prod envs ● documentation & automatic backup of all volumes ● documentation & monitoring of routes/loadbalancers/ingresspoints with enforcing SSL/TLS ● AAI for admin & application ● key & secrets management ● audit logging of control & application planes 1717 Ops
  • 17. VSHN - The DevOps Company Container isolation 1818 ● Kernel namespacing (process & network) ● Control groups (resource quota to prevent DoS) ● SELinux (additional syscall filter) ● prevent running as root inside container, no user-provided privileged containers (enforce best practice) ● readonly container filesystem (harder to persist exploit at runtime)
  • 18. VSHN - The DevOps Company AAI: Keycloak 1919 ● Identity & Access Management ● Single sign in/out ● Identity brokering: ○ OpenID Connect (OAuth2, FB/Twitter/Github etc.) ○ SAML2.0 ○ Kerberos ● User federation: LDAP, AD, etc ● 2FA: TOTP/HOTP ● Managing the Authorization groups
  • 19. VSHN - The DevOps Company Logs: ELK/EFK/Greylog 2020 ● Logging all access and changes through the control plane ● Logging all access to the application and correlate with application logs ● Index, view, filter, aggregate KPI → monitoring ● Store outside of application scope
  • 20. VSHN - The DevOps Company ● Prometheus ○ time series database ○ open source / CNCF-project ○ well-integrated in docker/kubernetes stats ● NewRelic APM ○ application-level profiling ○ performance tracking ○ exception tracking (backend & frontend) ○ available as SaaS 2121 Metrics: Prometheus / NewRelic
  • 21. VSHN - The DevOps Company Kubernetes Distribution Architecture 2222
  • 22. VSHN - The DevOps Company ● OpenShift, Kubernetes, Docker ● Logging: EFK ● Metrics: Prometheus ● SSL-Certificates: letsencrypt.org ● Source-to-image builder, Dockerfile builder, Docker-Image-Registry: OpenShift ● Load-balancing, horizontal (auto) scaling, rolling deployments: Kubernetes ● MySQL/MariaDB, PostgreSQL, Redis, Solr, Elasticsearch, RabbitMQ, MongoDB: either single-container for dev or DBaaS for prod ● 24/7 Support and SLA, cloud or on-premises 2323 Auxiliary Services we use at APPUiO.ch
  • 23. VSHN - The DevOps Company 2424 APPUiO.ch in 14 countries & on-premises
  • 24. VSHN - The DevOps Company ● Please do get in touch with feedback ● Twitter: @aarnoaukia ● Linkedin: https://www.linkedin.com/in/aukia/ ● Email: [email protected] 2525 Thank you
  • 25. Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - [email protected] https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch 26
  • 26. VSHN - The DevOps Company The CNCF Landscape 2727
  • 27. VSHN - The DevOps Company Next Event February 21, 2019 from 6.30pm https://www.meetup.com/Cloud-Native-Computing-Switzerland Please volunteer for Sponsoring & Talks https://cnc-meetup.ch 2828 Cloud Native Computing