Best Practices for securing CI/CD Pipelines or how to get Security right | Victoria Almazova

  • Published: Sep 10, 2019
  • Speaker: Victoria Almazova (Microsoft) | devopsconference.de/speaker/v...
    DevOps practices are in place, containers are everywhere, pipelines are flying. We do Agile. We do DevOps. Now we should focus on following security practices for protecting the deployed resources, too. This is why DevSecOps is no longer hype and is gaining more prominence. There is a lot of information about DevSecOps, but how do you do it properly? Where to start? What are the best practices?
    In this session, we will walk through an end-to-end scenario where we will deploy infrastructure components and solutions securely to the cloud. We will build a pipeline with security in mind to protect and detect potential security flaws during the build. We will focus on the main principles that you can apply to the most popular and widely used solutions and tools.
    You will learn essential concepts:
    - how to build an end-to-end CI/CD pipeline that builds the application and deploys infrastructure with security checks for the application, containers, and infrastructure;
    - what security tools are available for CI/CD pipelines and the best way to implement them into different Git workflows;
    - best practices and patterns of building security pipelines.

Comments • 16

  • @chivaljazz 2 years ago +4

    Just cracked an interview of Devops with just your explanation and keywords. Victoria you are great

  • @firmsoil7861 4 years ago +1

    Don't ever lose your fantastic sense of humor!

  • @krneki6954 3 years ago

    even though it was about security, somehow I didn't fall asleep watching it. very nicely done. thank you!

  • @djmoreno1100 1 year ago

    Just watched the way through, great presentation. Will go back and take more notes soon. This info was very helpful. Thanks again.

  • @Numulagam 2 years ago

    lovely chart and movement of tasks around pipeline. thanks for being open-minded to share and educate. regards from Singapore!

  • @andreelyusef3235 2 years ago

    OMG as a cloud security person this is the story of my life!!

  • @vichiees 3 years ago

    very informative

  • @djmoreno1100 1 year ago

    "How many of you have SUCCESSFULLY implemented DevOps?" @ 3:56. ....hilarious. Good vid.

  • @tiv4618 2 years ago

    What's interesting is there is an emphasis on a safe product. This would require a 'DevSafeSecOps' process to be implemented to consider safety properties of a system and safety analysis to be carefully considered as part of an agile process, especially for a safety related product or service.

  • @kanuj.bhatnagar 2 years ago

    While this talk places a lot of emphasis on the security to go shift-left in the software development cycle, there's no major mention of protection/security of data within those applications. PII data, for example. What're the best practices to ensure security of something as sensitive as the customer's addresses, phone numbers etc?

  • @emilesalem2558 11 months ago

    I'm a bit confused as to why we should not stop continuous integration on security issues. I thought DevSecOps was about involving everyone in security. Isn't breaking the build the best way to involve devs? If the tools cause too much noise, isn't the problem with the tools?
    I guess it all depends on the team size.
    I can see in a 100:10:1 organization, you wouldn't want to stop CI on security checks.
    But in a 10:2:2 organization, it seems reasonable to fail builds.

  • @riccardo-964 1 year ago

    Every time she said "DevOps" I heard the "Devils" which are not that far apart really

  •  8 months ago

    Reaching 30% of the talk and I hear her speaking about quite basic and obvious security things. And now I'm reflecting on her special number 100:10:1 sort of complaining that 1 security is not enough and a daunting role to work alone with the other 10 and 100 devs. I find it a little bit pretentious, if not insulting, to assume that only her, as a security role, would only be concerned let alone be able to apply the best practices of security. Isn't it what a good developer should and probably taking into considerations in his/her everyday work?