Nowadays, Continuous Delivery is a must. Nobody starts a new application without asking: how can we make deployments as painless as possible? The only answer is Kubernetes. Full stop. Kubernetes is the solution to 99% of the problems in a software development/deployment pipeline because it was engineered for it.
The problem with CD pipelines is security: there are no standards for securing a CD pipeline, as it is something new and security takes time to catch up with the requirements.
Docker and orchestration platforms like Kubernetes, as well as your process, introduce new attack vectors that you haven’t even thought of:
We need to reinvent how we approach security in order to be successful in the big enterprise, ensuring that the standards are at the same level as in a traditional software company. This can only be achieved by creating new tools (like I did with Gammaray) and improving your process, staying on the safe side while allowing your engineers to move as quickly as they can, by providing them with early feedback on potential threats as well as training.
In order to mitigate the attack vectors stated above, we need to get very, very creative, as DevOps is the Wild West of the 21st century. We need a combination of intellect and common sense to reduce its risks:
In this talk, I will introduce the problem with real examples of how to compromise CD pipelines, as well as solutions to the attack vectors mentioned above. I will also demo the process of creating a Docker image with very high security standards, with an application that has already been scanned with Gammaray for vulnerabilities in its dependencies, and deploying it on a secured Kubernetes cluster without any obstruction to the engineering team, ensuring that we have visibility through the full process.
David is a DevOps enthusiast coming from a software engineering background who loves speaking at events.
He is the author of three books, and is planning a 4th one (DevSecOps pipelines):
He is also the only Google Developer Expert in Kubernetes in Europe. Nowadays, he is a consultant at nearForm who enjoys facing new challenges with customers that require help with software, infrastructure or security, helping them to achieve their goals in the best possible way.
David is an open source enthusiast who contributes to a number of projects and has created a few of them, such as:
In his free time, he loves riding his bike and walking his dogs in green Ireland.
David: I would say I’m a DevOps Engineer, but that’s not really true… I do a lot of development, DevOps and security as well, so kind of DevSecOps! I come from a Java background, but I like to mess around with a lot of technologies, so when I got an opportunity to write a book on microservices with NodeJS, I took it! That got me a job at nearForm, who I’m working for today. I started getting into DevOps/DevSecOps… all these new technologies like Kubernetes. I’m lucky to be the only Google Developer Expert in Kubernetes in the world, which is fantastic!!
At nearForm, I mainly do consulting for companies, setting up delivery pipelines, security and orchestration with Docker. When I started working with these technologies, I had a lot of questions, and since I’ve noticed that every company working with Kubernetes has the same questions, my talk is about how to overcome these new challenges, especially around security.
David: Usually the problem with security is that it’s very obstructive. If you are doing CI/CD, you can’t really hold the pipeline for 2 days for security reviews. What I’m going to be talking about is how to overcome the challenge of embedding security in the CI/CD pipeline, and what the biggest problems and pitfalls of doing so are.
David: This will be a talk that everybody will be able to understand. It will help companies who are already using Kubernetes to become safer companies, but I also want to open people’s minds to be more curious about security around DevOps.
David: I’d like people to start worrying about security in DevOps! The first impression is that DevOps is secure because you’re in control of everything, but once you see the potential attack vectors… you won’t be able to sleep for a week!
David: It has completely exploded, it’s amazing! We have gone from simple bare-metal Kubernetes to now talking about Istio and service meshes.
Today I’m looking a lot into Istio, because it’s focusing on security… and it blew my mind because it’s a whole new world of how to deploy applications on Kubernetes. I always joke that it’s a great time to be a DevOps Engineer because you don’t get bored… so many things to explore.
David: The biggest challenge remains the people. Kubernetes is not a simple tool, so you can’t just put it in production and expect to be successful. One of the things I like about consulting is that I have crashed into the same wall many times, and I have seen people crashing into the same wall many times… so now I can see things coming, and help companies prevent bad things from happening.
David: I’ve spoken at a lot of conferences and up to now, RebelCon was the most amazing one! The vibe at the conference was amazing - Cork is one of the most alive tech cities I’ve come across!
One cool thing is that the inspiration for my NodeJS microservices book was Sam Newman’s “Building microservices” book, and he’s going to be there this year, so I’m going to have to get my copy signed!