The Agile Nirvana
of DevSecOps and
Containerization
Vasiliy Fomichev
#sugcon
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
1. Introduction to DevSecOps
2. Containerization hosting options for Sitecore
3. Creating a DevSecOps CI/CD pipeline
Agenda
Introductions
Vasiliy Fomichev
Sr. Director, Solution Architecture, Altudo
• Sitecore MVP 2015 – 2022: Technology, Commerce, Ambassador
• 14 years of Sitecore delivery
• 8 years of managing Sitecore practices
• MarTech enthusiast — Content, Azure, AI, Blockchain
vasiliy.fomichev@altudo.co
@vasiliyfomichev
www.altudo.co
www.cmsbestpractices.com
Altudo is a Sitecore Leader for 15+ years
Introduction to
DevSecOps
The essential
fundamentals.
DevSecOps is gaining adoption speed
Published 12 July 2021 • ID G00747574
DevSecOps is a methodology that puts security into every step of CI/CD.
Traditional way of security compliance
What is DevSecOps and why it’s important
The foundational layers of DevSecOps
Education & Knowledge Retention
Security by design
Automation
Security is a cost / benefit exercise.
The three pillars of security
Confidentiality
• System access control
• Data access control
• Information exposure limit
Integrity
• System integrity
• Data integrity
• Behavioral integrity
Availability
• System SLA
• Data accessibility
• Application performance and uptime
Containers make DevSecOps cheaper
1. Cheap creation and deletion reduces security risk by removing potentially compromised environments
2. Immutable environments create consistency, predictability, and repeatability
3. Reduction of attack surface
4. Cost-efficiency of operations (scaling, patching, updating, maintenance updates) is conducive to security
Azure vs AWS
The cons and pros behind
Sitecore container hosting
options.
Managed cloud Kubernetes options
Highly skilled talent cost & 2-3 yr. deprecation schedule
https://steve-yegge.medium.com/dear-google-cloud-your-deprecation-policy-is-killing-you-ee7525dc05dc
Hosting Sitecore containers in Azure
Enterprise score: 350/420
• Fully supported by Sitecore Support
• Sitecore community alignment
• Lower cost of hosting
• Burst and other options for scaling
• Easier to get started and configure networking
• Fully managed control plane (lower maintenance)
• Allows image signing with Content Trust
• Integrated resource monitoring with Azure Monitor
• Provides official Government and Healthcare cloud options
Hosting Sitecore containers in AWS
Enterprise score: 363/420
• The most widely used Kubernetes service
• 99.95% uptime SLA included
• Provides a free image security scanning service
• Lack of automated node repair
• Includes additional charges per hour per cluster ($0.1)
• Liability concerns around limited support for EKS by Sitecore
• Harder to get started with
• Requires a third-party resource monitoring solution
Azure is the recommended hosting provider
• Sitecore fully supports AKS
• The Sitecore community is aligned with AKS
• Additional security features on top of AWS
• Health and Government cloud availability
• Lower cost of hosting
• Lower cost of implementation maintenance by about 25%
DevSecOps with
Sitecore
Putting it all together.
The foundational layers of DevSecOps
Education
• People
• Systems
• Processes
• Best practices (OWASP 10, MITRE 25)
• Pair programming
• Lunch & learns
• Informal knowledge sharing
• Experiment
• Learn from incidents
• Create incidents yourself
• Use playgrounds
• Certification
• Self-paced
• Instructor-led
• Tutorials
• Gamification
Security by design
• Peer reviews
• Threat modeling
• OWASP Security Knowledge Framework (SKF)
Automation
• Unit testing
• Integration testing
• Code quality scanning
• SAST
• SCA dependency scanning
• DTA container scanning
• Network scanning
• Performance testing
• IAST
• RASP
• DAST
Container security best practices
• Inject sensitive variables at build time or pull them at runtime (for example, from a key vault)
• Change the default admin user used to run a container to avoid container escape attacks
• Disable all remote container access
• Use namespaces to limit access
• Enable image signing to avoid MITM attacks
• Use tagging and semantic versioning (avoid word-based version labels)
• Do not rely on external (community) image sources
• Scan base images for vulnerabilities
• Use hardened VM images (for example, CIS)
References: Docker CIS Benchmark, Kubernetes CIS Benchmark
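As an added example (not from the deck, and not Sitecore's or Docker's own tooling), a small Python policy check that encodes the rules above and runs them over a constructed Dockerfile and a Pod manifest already loaded as a dict. The trusted-registry list, the contoso.azurecr.io registry, the image paths, the license placeholder and both sample manifests are assumptions made for the example.

```python
import re

# Registries the build may pull base images from; contoso.azurecr.io is a
# constructed placeholder for an organisation's own registry.
TRUSTED_REGISTRIES = {"mcr.microsoft.com", "scr.sitecore.com", "contoso.azurecr.io"}
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|LICENSE|KEY)", re.I)
# Semantic-version style tags such as 10.2, 10.2.1 or 10.2-ltsc2019; word tags fail.
SEMVER_TAG = re.compile(r"^\d+(\.\d+)*([-.][0-9A-Za-z.]+)?$")
REMOTE_ACCESS_PORTS = {"22", "3389", "5985", "5986"}  # SSH, RDP, WinRM
# Windows containers run as ContainerAdministrator unless USER says otherwise.
ADMIN_USERS = {"root", "0", "containeradministrator"}


def check_image_ref(ref):
    """Findings for one image reference: community registry, word tag."""
    findings = []
    name = ref.partition("@")[0]  # drop any digest suffix
    parts = name.split("/")
    first = parts[0]
    # Docker treats the first path component as a registry only if it looks like a host.
    if len(parts) == 1 or not ("." in first or ":" in first or first == "localhost"):
        registry = "docker.io"
    else:
        registry = first
    if registry not in TRUSTED_REGISTRIES:
        findings.append(f"external image source {registry!r}")
    _, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:  # no tag given means an implicit 'latest'
        tag = "latest"
    if tag == "latest" or not SEMVER_TAG.match(tag):
        findings.append(f"non-semantic tag {tag!r}")
    return findings


def check_dockerfile(text):
    """Apply the slide's rules to Dockerfile text; returns a list of findings."""
    findings, user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM":
            image = rest.split()[0]  # ignore a trailing "AS <stage>"
            if image != "scratch":
                findings += [f"FROM {image}: {f}" for f in check_image_ref(image)]
        elif instr == "ENV" and SECRET_NAME.search(rest.split("=")[0]):
            # ENV values persist in image layers; inject secrets at build or run time.
            findings.append(f"ENV {rest.split('=')[0]}: secret baked into image")
        elif instr == "EXPOSE":
            ports = {p.split("/")[0] for p in rest.split()}
            for port in sorted(ports & REMOTE_ACCESS_PORTS):
                findings.append(f"EXPOSE {port}: remote access port exposed")
        elif instr == "USER":
            user = rest
    if user is None or user.lower() in ADMIN_USERS:
        findings.append("runs as the default admin user: add a non-admin USER")
    return findings


def check_workload(manifest):
    """Namespace and non-admin rules for a Pod or Deployment given as the dict
    a YAML loader returns for its manifest."""
    findings = []
    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("runs in the 'default' namespace: use a dedicated namespace")
    spec = manifest.get("spec", {})
    if "template" in spec:  # Deployment: descend into the pod template
        spec = spec["template"]["spec"]
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        findings += [f"{c['name']}: {f}" for f in check_image_ref(c["image"])]
        ctx = {**pod_ctx, **c.get("securityContext", {})}
        win_user = ctx.get("windowsOptions", {}).get("runAsUserName", "").lower()
        non_admin = ctx.get("runAsNonRoot") or (win_user and win_user not in ADMIN_USERS)
        if ctx.get("privileged") or not non_admin:
            findings.append(f"{c['name']}: not restricted to a non-admin user")
    return findings


# Constructed samples: a Dockerfile and Pod breaking the rules, and a pair following them.
BAD_DOCKERFILE = """\
FROM sitecore-community/xm1-cm:latest
ENV SITECORE_LICENSE=PLACEHOLDER_LICENSE_BLOB
EXPOSE 80 3389
CMD ["powershell"]
"""
GOOD_DOCKERFILE = """\
FROM scr.sitecore.com/sxp/sitecore-xm1-cm:10.2-ltsc2019
# The license is passed by the pipeline at build time and never written to a layer.
ARG SITECORE_LICENSE
USER ContainerUser
EXPOSE 80
CMD ["powershell"]
"""
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "cm"},
           "spec": {"containers": [{"name": "cm", "image": "contoso.azurecr.io/sitecore-xm1-cm:release"}]}}
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "cm", "namespace": "sitecore-prd"},
            "spec": {"containers": [{"name": "cm", "image": "contoso.azurecr.io/sitecore-xm1-cm:10.2.1",
                                     "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}}}]}}
```

Running `check_dockerfile(BAD_DOCKERFILE)` yields five findings (community registry, `latest` tag, baked-in license, RDP port, admin user) and the hardened pair yields none.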
Team changes and upskilling
Development Team
• QA: quality assurance and testing
• Developer: front-end and back-end development
• DevOps Engineer: release processes and automation
• DevOps Security Champion: security automation, monitoring, notifications
• Development Security Champion: code scanning & reviews
• QA Security Champion: dynamic application testing
Security Team
• Security Bridge Team
• Specialized Security Personnel: software, DevOps, forensic analysis, etc.
• CISO: security program development
Resourcing your teams based on your strategy
Upskilled Team (Teams 1, 2 and 3 each carry their own security skills)
+ Agile
+ Cheaper
? Ability to scale
? Commitment
Platform Team (security champions and evangelists serving Teams 1, 2 and 3)
++ Center of Excellence
? Customer focused
? Prioritisation
? Resourcing
? Speed of turnaround
Shared Resources (security people assigned across Teams 1, 2 and 3)
+ Customer focus
+ Resources secured
? Distributed knowledge
? Communication
? Overlapping experiences
Account for new measures & optimize
Pipeline diagram steps (legend: critical path, parallel, optional):
• STG Deployment (20 mins)
• Sitecore startup and validation (10 mins)
• Page Speed Test (10 mins)
• Page Speed Test Review (10 mins)
• Load Test (60 mins)
• Load Test Review (20 mins)
• DSAT (3 days)
• Dynamic Test Review (10 mins)
• Publish (5 mins)
Deployment: 1 hr 45 mins. Manual LOE: 20 mins.
• Create a flowchart diagram for each manual and automated step
• Estimate the amount of time each step takes
• Optimize the pipeline to reduce the impact of testing and scanning on deployment time
• Include a level of security risk acceptance to avoid delays in releases
• Structure developer validation and review processes around the optimized pipeline
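As an added example (not from the deck), the procedure above carried out in Python: model the pipeline steps as a DAG with durations, compute the critical path, and measure what a documented risk-acceptance decision on the optional steps does to release time and manual effort. Step names and durations are the slide's; the dependency graph, which steps are manual and which are optional are assumptions, so the totals differ from the slide's own 1 hr 45 mins.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str
    minutes: int
    manual: bool = False    # human review time, counted as manual LOE
    optional: bool = False  # may be skipped under a documented risk-acceptance decision
    after: tuple = ()       # names of prerequisite steps


# Assumed dependency graph for the slide's steps (constructed for this example).
DAY = 24 * 60
STEPS = (
    Step("STG Deployment", 20),
    Step("Sitecore startup and validation", 10, after=("STG Deployment",)),
    Step("Page Speed Test", 10, after=("Sitecore startup and validation",)),
    Step("Page Speed Test Review", 10, manual=True, after=("Page Speed Test",)),
    Step("Load Test", 60, after=("Sitecore startup and validation",)),
    Step("Load Test Review", 20, manual=True, after=("Load Test",)),
    Step("DSAT", 3 * DAY, optional=True, after=("Sitecore startup and validation",)),
    Step("Dynamic Test Review", 10, manual=True, optional=True, after=("DSAT",)),
    Step("Publish", 5, after=("Page Speed Test Review", "Load Test Review", "Dynamic Test Review")),
)


def critical_path(steps, accept_risk=False):
    """Earliest finish (longest path) over the step DAG.
    With accept_risk=True the optional steps are taken off the release path.
    Returns (total minutes, step names on the critical path)."""
    active = {s.name: s for s in steps if not (accept_risk and s.optional)}
    finish, pred = {}, {}

    def earliest_finish(name):
        if name not in finish:
            deps = [d for d in active[name].after if d in active]
            start, via = max(((earliest_finish(d), d) for d in deps), default=(0, None))
            finish[name] = start + active[name].minutes
            pred[name] = via
        return finish[name]

    for name in active:
        earliest_finish(name)
    end = max(finish, key=finish.get)
    path = []
    while end is not None:
        path.append(end)
        end = pred[end]
    return finish[path[0]], path[::-1]


def manual_loe(steps, accept_risk=False):
    """Minutes of human effort the release needs (the slide's 'Manual LOE')."""
    return sum(s.minutes for s in steps if s.manual and not (accept_risk and s.optional))


if __name__ == "__main__":
    for accept in (False, True):
        total, path = critical_path(STEPS, accept)
        print(f"risk accepted={accept}: {total} min via {' -> '.join(path)}; "
              f"manual LOE {manual_loe(STEPS, accept)} min")
```

With the 3-day DSAT on the path every release takes over three days; accepting that risk for routine releases brings the critical path down to the load test branch.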
Infrastructure as code for automation
Infrastructure as Code (IaC) is the management of infrastructure (networks, virtual machines, load balancers, and connection topology) in a descriptive model, using the same versioning the DevOps team uses for source code.
• Automates environment setup
• Allows repeatability and templatization
• Enables infrastructure versioning
• Promotes Site Reliability Engineering (SRE)
• Promotes standardization, security, consistency, and stability
Design test automation based on cost
Chart labels (cost per test, listed in the order the chart stacks them from the foundation up): SAST/Unit Testing; SCA Dependency Scanning; Integration testing; DTA Container Scanning; Network Scanning; Performance testing; IAST/RASP; DAST; Penetration testing, bug bounties, peer reviews.
• No single test is sufficient
• Provide test coverage across units, technology, and system layers
• Move the cheaper tests closer to the foundation to reduce the feedback cycle
• Container tests should be done at three levels
o IDE by developers
o During the build process before deploying to the registry
o Periodic scans for registry images
• Manual testing is good at finding outlier defects, while automated testing delivers greater coverage to identify common weaknesses.
DevSecOps Sitecore pipeline
Diagram labels, reconstructed:
• Actors: Developers (commit code, pull images), System Admins (manage), DevOps Engineers (manage, listen)
• Build: a commit triggers Gitlab CI, which runs Unit Tests and Quality and SAST Scans and uploads the built image to the Container Registry / Image Repository (store image)
• Deploy: Gitlab CD performs the DEV, SVT and PRD deployments, each pulling the container image from the registry
• Test against the deployed environments: Gitlab DAST, Selenium UI Tests, Page Speed Tests, Load Tests
The biggest problem with security is lack of specialized talent. Tools cannot replace people, yet.
Thank you!
I am a proud community member!
Please contact me on the following handles:
sitecorechat.slack.com: @vasiliy
Twitter: @vasiliyfomichev
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Everything You Need to Know About Agentforce? (Put AI Agents to Work)Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Everything You Need to Know About Agentforce? (Put AI Agents to Work)
Cyntexa
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptxTop 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
mkubeusa
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
Kit-Works Team Study_팀스터디_김한솔_nuqs_20250509.pdf
Kit-Works Team Study_팀스터디_김한솔_nuqs_20250509.pdfKit-Works Team Study_팀스터디_김한솔_nuqs_20250509.pdf
Kit-Works Team Study_팀스터디_김한솔_nuqs_20250509.pdf
Wonjun Hwang
 
Cybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and MitigationCybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and Mitigation
VICTOR MAESTRE RAMIREZ
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
Q1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor PresentationQ1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor Presentation
Dropbox
 
machines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdfmachines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdf
AmirStern2
 
Slack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teamsSlack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teams
Nacho Cougil
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
How to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabberHow to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabber
eGrabber
 
Ad

SUGCON: The Agile Nirvana of DevSecOps and Containerization

  • 1. The Agile Nirvana of DevSecOps and Containerization (Vasiliy Fomichev, #sugcon)
  • 2. Agenda
    o 1. Introduction to DevSecOps
    o 2. Containerization hosting options for Sitecore
    o 3. Creating a DevSecOps CI/CD pipeline
  • 3. Introductions: Vasiliy Fomichev, Sr. Director, Solution Architecture, Altudo
    o Sitecore MVP 2015 – 2022: Technology, Commerce, Ambassador
    o 14 years of Sitecore delivery
    o 8 years of managing Sitecore practices
    o MarTech enthusiast — Content, Azure, AI, Blockchain
    o Contact: [email protected], @vasiliyfomichev, www.altudo.co, www.cmsbestpractices.com
  • 4. Altudo is a Sitecore Leader for 15+ years
  • 6. DevSecOps is gaining adoption speed (report published 12 July 2021, ID G00747574)
  • 7. DevSecOps is a methodology that puts security into every step of CI/CD
  • 8. Traditional way of security compliance
  • 9. What is DevSecOps and why it’s important
  • 10. The foundational layers of DevSecOps: Education & Knowledge Retention, Security by design, Automation
  • 11. Security is a cost / benefit exercise.
  • 12. The three pillars of security
    o Confidentiality: system access control; data access control; information exposure limit
    o Integrity: system integrity; data integrity; behavioral integrity
    o Availability: system SLA; data accessibility; application performance and uptime
  • 13. Containers make DevSecOps cheaper
    o 1. Cheap creation and deletion reduces security risk by removing potentially compromised environments
    o 2. Immutable environments create consistency, predictability, and repeatability
    o 3. Reduction of attack surface
    o 4. Cost-efficiency of operations (scaling, patching, updating, maintenance updates) is conducive to security
  • 14. Azure vs AWS: the pros and cons behind Sitecore container hosting options.
  • 15. Managed cloud Kubernetes options: high cost of skilled talent and a 2-3 yr. deprecation schedule (https://steve-yegge.medium.com/dear-google-cloud-your-deprecation-policy-is-killing-you-ee7525dc05dc)
  • 16. Hosting Sitecore containers in Azure (enterprise score 350/420)
    o Fully supported by Sitecore Support
    o Sitecore community alignment
    o Lower cost of hosting
    o Burst and other options for scaling
    o Easier to get started and configure networking
    o Fully managed control plane (lower maintenance)
    o Allows image signing with Content Trust
    o Integrated resource monitoring with Azure Monitor
    o Provides official Government and Healthcare cloud options
  • 17. Hosting Sitecore containers in AWS (enterprise score 363/420)
    o The most widely used Kubernetes service
    o 99.95% uptime SLA included
    o Provides a free image security scanning service
    o Lack of automated node repair
    o Includes additional charges per hour per cluster ($0.1)
    o Liability concerns around limited support for EKS by Sitecore
    o Harder to get started with
    o Requires a third-party resource monitoring solution
  • 18. Azure is the recommended hosting provider
    o Sitecore fully supports AKS
    o The Sitecore community is aligned with AKS
    o Additional security features on top of AWS
    o Health and Government cloud availability
    o Lower cost of hosting
    o Lower cost of implementation maintenance by about 25%
  • 20. The foundational layers of DevSecOps: Education, Security by design, Automation
    o People; Systems; Processes
    o Education: Best practices (OWASP 10, MITRE 25); Pair programming; Lunch & learns; Informal knowledge sharing; Experiment; Learn from incidents; Create incidents yourself; Use playgrounds; Certification; Self-paced; Instructor-led; Tutorials; Gamification
    o Security by design: Peer reviews; Threat modeling; OWASP Security Knowledge Framework (SKF)
    o Automation: Unit testing; Integration testing; Code quality scanning; SAST; SCA dependency scanning; DTA container scanning; Network scanning; Performance testing; IAST; RASP; DAST
  • 21. Container security best practices (see the Docker CIS Benchmark and the Kubernetes CIS Benchmark)
    o Inject sensitive variables at build time or pull them at runtime (for example, from a key vault)
    o Change the default admin user used to run a container to avoid container escape attacks
    o Disable all remote container access
    o Use namespaces to limit access
    o Enable image signing to avoid MITM attacks
    o Use tagging and semantic versioning (avoid version-word labeling)
    o Do not rely on external (community) image sources
    o Scan base images for vulnerabilities
    o Use hardened VM images (for example, CIS)
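Several of the practices on slide 21 can be enforced mechanically before an image is ever built. The following is an added example, not code from the slides or from Altudo: a small Dockerfile policy check that flags a base image that is not from an allow-listed registry or that carries a version word such as `latest` instead of a semantic version or digest, a secret-looking variable baked in with a literal value, an exposed remote-access port, and a final stage that never switches away from the default administrative user. The registry `registry.example.com`, the image names, the secret-name pattern and both Dockerfiles are constructed for this example; `ContainerAdministrator` and `ContainerUser` are the administrative and non-administrative accounts Windows containers ship with.

```python
import re

# Assumptions for this example: registry.example.com stands in for the organisation's own
# registry, and mcr.microsoft.com is treated as a trusted vendor source rather than a community one.
TRUSTED_REGISTRIES = ("registry.example.com/", "mcr.microsoft.com/")
VERSION_WORDS = {"latest", "stable", "current", "release"}   # "version word" tags the slide warns against
REMOTE_ACCESS_PORTS = {"22", "3389", "5985", "5986"}         # SSH, RDP, WinRM
ADMIN_USERS = {"root", "0", "containeradministrator"}        # default users for Linux / Windows images
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CONNECTION_?STRING", re.IGNORECASE)


def parse_instructions(text):
    """Yield (INSTRUCTION, arguments) per logical line; joins backslash continuations,
    skips blank lines and comments."""
    buffer = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buffer += line[:-1] + " "
            continue
        buffer += line
        parts = buffer.split(None, 1)
        buffer = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def parse_env_args(args):
    """Return (name, value) pairs for ENV/ARG in both the 'K=v K2=v2' and the 'K v' form."""
    parts = args.split(None, 1)
    if not parts:
        return []
    if "=" in parts[0]:
        return [tuple(tok.split("=", 1)) for tok in args.split() if "=" in tok]
    return [(parts[0], parts[1] if len(parts) > 1 else "")]


def check_dockerfile(text):
    """Return a list of policy findings; an empty list means the Dockerfile passes."""
    findings = []
    user = None
    for instruction, args in parse_instructions(text):
        if instruction == "FROM":
            image = args.split()[0]                       # drop an "AS <stage>" suffix
            if not image.startswith(TRUSTED_REGISTRIES):
                findings.append(f"FROM {image}: base image is not from a trusted registry")
            if "@sha256:" not in image:                   # a digest pin is always acceptable
                name_part = image.rsplit("/", 1)[-1]      # registry host:port also contains ':'
                tag = name_part.split(":", 1)[1] if ":" in name_part else None
                if tag is None or tag.lower() in VERSION_WORDS:
                    findings.append(f"FROM {image}: pin a semantic version tag or digest, not a version word")
        elif instruction in ("ENV", "ARG"):
            for name, value in parse_env_args(args):
                if SECRET_NAME.search(name) and value:
                    findings.append(f"{instruction} {name}: secret-like literal value is baked into the image")
        elif instruction == "EXPOSE":
            for port in args.split():
                if port.split("/", 1)[0] in REMOTE_ACCESS_PORTS:
                    findings.append(f"EXPOSE {port}: remote access port exposed")
        elif instruction == "USER":
            user = args.strip()                           # the last USER governs the final stage
    if user is None or user.lower() in ADMIN_USERS:
        findings.append("USER: container runs as the default administrative user; set a non-admin user")
    return findings


# Constructed sample: the kind of Dockerfile the practices above warn against.
WEAK_DOCKERFILE = """
FROM someuser/sitecore-xp-cm:latest
ENV SA_PASSWORD=ChangeMe123
EXPOSE 80 3389
COPY . C:/inetpub/wwwroot
"""

# Constructed hardened counterpart: pinned image from the organisation's registry, no secret
# in the image (connection secrets are pulled at runtime), no remote ports, non-admin user.
HARDENED_DOCKERFILE = """
FROM registry.example.com/sitecore/cm:10.2.0-ltsc2019 AS final
ENV SQL_SERVER=sql
COPY . C:/inetpub/wwwroot
EXPOSE 80
USER ContainerUser
"""

if __name__ == "__main__":
    for label, content in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        result = check_dockerfile(content)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run in the IDE pre-commit or as the first CI job, the check fails the weak Dockerfile with five findings and passes the hardened one; it is deliberately a lint on the build recipe, so the vulnerability scan of the resulting image (slide 26) still has to run separately.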
  • 22. Team changes and upskilling
    o Development Team: QA (quality assurance and testing); Developer (front- and back-end development); DevOps Engineer (release processes and automation)
    o Security champions: DevOps Security Champion (security automation, monitoring, notifications); Development Security Champion (code scanning and reviews); QA Security Champion (dynamic application testing)
    o Security Bridge Team
    o Security Team: Specialized Security Personnel (software, DevOps, forensic analysis, etc.); CISO (security program development)
  • 23. Resourcing your teams based on your strategy
    o Upskilled Team: + Agile; + Cheaper; ? Ability to scale; ? Commitment
    o Platform Team (security champions and evangelists): ++ Center of excellence; ? Customer focused; ? Prioritisation; ? Resourcing; ? Speed of turnaround
    o Shared Resources: + Customer focus; + Resources secured; ? Distributed knowledge; ? Communication; ? Overlapping experiences
  • 24. Account for new measures & optimize
    o Pipeline diagram nodes with estimated durations (legend: critical path, parallel, optional): STG Deployment (20 mins); Page Speed Test Review (10 mins); Load Test (60 mins); Load Test Review (20 mins); Sitecore startup and validation (10 mins); DAST (3 days); Page Speed Test (10 mins); Dynamic Test Review (10 mins); Publish (5 mins). Deployment: 1 hr 45 mins; manual LOE: 20 mins.
    o Create a flowchart diagram for each manual and automated step
    o Estimate the amount of time each step takes
    o Optimize the pipeline to reduce the impact of testing and scanning on deployment time
    o Include a level of security risk acceptance to avoid delays in releases
    o Structure developer validation and review processes around the optimized pipeline
  • 25. Infrastructure as code for automation. Infrastructure as Code (IaC) is the management of infrastructure (networks, virtual machines, load balancers, and connection topology) in a descriptive model, using the same versioning the DevOps team uses for source code.
    o Automates environment setup
    o Allows repeatability and templatization
    o Enables infrastructure versioning
    o Promotes Site Reliability Engineering (SRE)
    o Promotes standardization, security, consistency, and stability
  • 26. Design test automation based on cost
    o Cost per test, from the foundation upward: SAST / unit testing; SCA dependency scanning; Integration testing; DTA container scanning; Network scanning; Performance testing; IAST / RASP; DAST; then manual penetration testing, bug bounties, peer reviews
    o No single test is sufficient
    o Provide test coverage across units, technology, and system layers
    o Move the cheaper tests closer to the foundation to reduce the feedback cycle
    o Container tests should be done at three levels: in the IDE by developers; during the build process before deploying to the registry; periodic scans of registry images
    o Manual testing is good at finding outlier defects, while automated testing delivers greater coverage to identify common weaknesses.
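The risk-acceptance bullet on slide 24 and the container-scan levels on slide 26 both need a promotion gate that is stricter than "fail on any finding" yet deterministic enough not to hold releases hostage. The following is an added example in Python, not the speaker's or Altudo's code, of such a gate run over scanner output: an unaccepted finding of a blocking severity fails the gate, lower severities are capped by count, a documented risk acceptance carries an expiry date, and a lapsed acceptance is reported and counted again. The finding identifiers `EXAMPLE-000n`, the package names, the dates and the thresholds are constructed placeholders, and the `Finding` shape is an assumption rather than any particular scanner's output format.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # scanner identifier; placeholder values in the sample below
    severity: str       # CRITICAL, HIGH, MEDIUM or LOW
    package: str
    fix_available: bool


@dataclass
class GatePolicy:
    # Severities that fail the gate on a single unaccepted finding.
    block_severities: frozenset = frozenset({"CRITICAL"})
    # Maximum number of unaccepted findings tolerated per severity.
    max_unaccepted: dict = field(default_factory=lambda: {"HIGH": 0, "MEDIUM": 5})
    # Documented risk acceptances: finding id -> date on which the acceptance expires.
    accepted_risks: dict = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    reasons: list       # why the gate failed (empty when it passed)
    accepted: list      # findings covered by an unexpired acceptance
    expired: list       # findings whose acceptance has lapsed


def evaluate_gate(findings, policy, today):
    """Decide whether an image may be promoted to the registry or the next stage."""
    reasons, accepted, expired = [], [], []
    counts = {}
    for f in findings:
        expiry = policy.accepted_risks.get(f.vuln_id)
        if expiry is not None and expiry >= today:
            accepted.append(f.vuln_id)
            continue                      # accepted risk: does not count against the gate
        if expiry is not None:
            expired.append(f.vuln_id)     # lapsed acceptance: treated like any other finding
        if f.severity in policy.block_severities:
            note = "fix available" if f.fix_available else "no fix available"
            reasons.append(f"{f.vuln_id} ({f.severity}, {f.package}, {note}) blocks the release")
        counts[f.severity] = counts.get(f.severity, 0) + 1
    for severity, limit in policy.max_unaccepted.items():
        if counts.get(severity, 0) > limit:
            reasons.append(f"{counts[severity]} unaccepted {severity} finding(s) exceed the limit of {limit}")
    return GateResult(passed=not reasons, reasons=reasons, accepted=accepted, expired=expired)


# Constructed scanner output for one image; none of these ids are real advisories.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "CRITICAL", "libexample-ssl", fix_available=False),
    Finding("EXAMPLE-0002", "HIGH", "libexample-zip", fix_available=True),
    Finding("EXAMPLE-0003", "MEDIUM", "libexample-http", fix_available=True),
    Finding("EXAMPLE-0004", "CRITICAL", "libexample-xml", fix_available=True),
]

SAMPLE_POLICY = GatePolicy(accepted_risks={
    "EXAMPLE-0001": date(2025, 12, 31),   # accepted: no fix exists, compensating control documented
    "EXAMPLE-0002": date(2025, 1, 31),    # acceptance has already lapsed on the sample date below
})

SAMPLE_DATE = date(2025, 6, 1)            # constructed "today" so the example is reproducible


def gate_sample():
    """Initial scan: fails on the unaccepted critical and on the lapsed HIGH acceptance."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_POLICY, SAMPLE_DATE)


def gate_after_remediation():
    """Same image after EXAMPLE-0004 is patched and the EXAMPLE-0002 acceptance is renewed."""
    remaining = [f for f in SAMPLE_FINDINGS if f.vuln_id != "EXAMPLE-0004"]
    renewed = GatePolicy(accepted_risks={**SAMPLE_POLICY.accepted_risks, "EXAMPLE-0002": date(2025, 12, 31)})
    return evaluate_gate(remaining, renewed, SAMPLE_DATE)


if __name__ == "__main__":
    for label, result in (("initial", gate_sample()), ("remediated", gate_after_remediation())):
        print(f"{label}: {'PASS' if result.passed else 'FAIL'}")
        for reason in result.reasons:
            print("  -", reason)
```

The same function serves all three scan levels from slide 26 with different policies: a developer's IDE scan can run it with generous limits for fast feedback, the pre-registry build gate with the strict policy above, and the periodic registry re-scan with the acceptance list alone, so that an expiry shows up as a failed scheduled job rather than as a surprise on release day.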
  • 27. DevSecOps Sitecore pipeline (diagram). Actors: Developers, System Admins, DevOps Engineers. Components: Image Repository, Container Registry, GitLab CI, GitLab CD, GitLab DAST. Stages: DEV Deployment, SVT Deployment, PRD Deployment. Tests: Unit Tests, Quality and SAST Scans, Selenium UI Tests, Page Speed Tests, Load Tests. Actions: Commit, Listen, Manage, Store image, Pull image, Upload, Run.
  • 28. The biggest problem with security is lack of specialized talent. Tools cannot replace people, yet.
  • 30. I am a proud community member! Please contact me on the following handles: sitecorechat.slack.com @vasiliy; twitter @vasiliyfomichev

Editor's Notes

  • #10: https://www.plutora.com/blog/devsecops-guide
  • #11: (Netflix and the chaos monkey.) Certification: (ISC)2, ISACA, CompTIA. Playgrounds: OWASP Juice Shop and WebGoat.
  • #13: Today Vasiliy and I will discuss 3 core focus areas – team, data, and process – for businesses that want to kickstart or improve their personalization programs.
  • #14: https://jfrog.com/devops-tools/what-is-devsecops/
  • #17: 84 comparison items
  • #19: Specialized node monitoring or repair, automatic control plane upgrades and maintenance, private networks for the Kubernetes clusters; as a result, issues may take longer to resolve on average because we would be "pioneering" the space in some ways. Because EKS is not on the Sitecore support roadmap, we may see limitations in Sitecore product and service support in the future.
  • #21: (Netflix and the chaos monkey.) Certification: (ISC)2, ISACA, CompTIA. Playgrounds: OWASP Juice Shop and WebGoat.
  • #22: Containers are designed to be ephemeral, lasting for as long as they are needed, whereas servers are nurtured over time (pets vs. cattle). There is no need to make changes to running containers; reducing access reduces the attack surface (no SSH). Scan containers at runtime, fix the images and recreate. The most common container issues: escaping the container, secret exposure. https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/
  • #23: 1 security specialist per 100-400 developers. Champions are conduits; they graduate to evangelists. Use them to create champions.
  • #26: https://docs.microsoft.com/en-us/devops/deliver/what-is-infrastructure-as-code
  • #27: Three levels of code testing: unit, technology, system. 90% of issues are usually found in unit tests, but they account for 10% of defects found in production; system and tech are 10-90%. RASP (runtime application self-protection) checks whether data input changes application behavior. IAST watches the behavior of data as an agent inside the runtime; ensures passwords are always encrypted, etc. Run DAST in a pre-prod environment; the tests perform common fuzz testing ("fuzzing") or brute-force attacks; fuzzing is submitting random strings of data to make the app break. Use software composition analysis (SCA) tools to check app dependencies against CVEs. Scan containers at runtime, fix the images and recreate. Dynamic Threat Analysis (DTA): Aqua Security has a tool that creates a sandbox, runs the container and watches for suspicious behavior.