Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
TRANSCRIPT
Release Engineering & Rugged DevOps: An Intersection?
J. Paul Reed, Release Engineering Approaches
Wait, this looks familiar…
@jpaulreed #RuggedDevOps
Release Engineering & Rugged DevOps: An Intersection!
J. Paul Reed, Release Engineering Approaches
DevOps Connect at RSA Conference (2.0)
J. Paul Reed
• @jpaulreed
• Managing Partner, Release Engineering Approaches
• 15+ years build/release engineering experience
• Alum of The Ship Show podcast
• Today: “A DevOps Consultant™”
• Master of Science candidate in Human Factors and Systems Safety
Release Engineering and Rugged DevOps: How Do They Intersect?
Release Engineering / Security Operations Similarity Checklist
• We look… “a little off” to developers & the business™.
• We both can often be found shoveling DevOps Unicorn poop.
(Cartoon: “DevOps” / “Sec”, by @hijinksensue, via @petecheslock)
• Including our work in project plans/scoping/requirements: maybe?
• But when “it” breaks, suddenly: all eyes on us. Really angry eyes.
• We have a reputation for “No.”
• The nature of our roles is undergoing a fundamental shift.
• The industry is starting to “get it.”
How does Release Engineering impact / relate to / converge with Security?
Release Engineering’s Impact to / Relation with Security Ops
• Software Supply Chains
“One vulnerable library in your product is a security problem.
Multiple versions of a vulnerable library in your product is a release engineering problem.” — @jpaulreed
• “Old-fashioned” software delivery mechanisms
• Artifact management
• The bold new world of containers
• Every versioning bikeshed ever
What Did We Find Out?
1. The ways in which we consume software continue to be problematic.
2. The ways in which we produce software continue to be problematic.
3. In many cases, we are ignoring heuristics that can help us.
Problematic Consumption
We are stitching our software together from more places than ever!
Your software supply chain may have more actors involved than you think!
Knowing exactly what you’re getting can be difficult…
Making sense of what you have can be difficult.
The good news: this problem has been solved for about 20 years.
https://github.com/preed/git-vendor-mirror
CVS Vendor Branches, Git Style
• Creates a copy of artifacts, so they’re under your control
• Supports a standardized version format (but you can use your own because bike shedding!)
• Custom-patch to your heart’s content (and be able to track them!)
• Supports developer interaction with “standard forks.”
Much easier to just understand what’s going on
Records information you care about, automatically
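One way to act on the two points above (the “one vulnerable library vs. multiple versions” quote, and a vendoring layout that records what you care about), as an added example that is not git-vendor-mirror’s own code: an inventory check over a manifest of vendored libraries that separates the security finding (a vulnerable version is present) from the release-engineering finding (the same library is shipped in several versions). The manifest layout, the advisory table and all version numbers are constructed for the demo.

```python
"""Added example (not the git-vendor-mirror tool's own code): check a manifest of
vendored libraries. Separates the security question (is a vulnerable version
present?) from the release-engineering question (how many distinct versions of
the same library do we ship?). Manifest format and advisory table are assumed."""
from collections import defaultdict

# Constructed sample manifest, one vendored copy per line: "<path>\t<library>\t<version>"
SAMPLE_MANIFEST = """\
vendor/app/openssl\topenssl\t1.0.1f
vendor/agent/libs/openssl\topenssl\t1.0.2k
vendor/app/zlib\tzlib\t1.2.8
vendor/tools/zlib\tzlib\t1.2.8
vendor/app/expat\texpat\t2.1.0
"""
# Constructed advisory table: library -> first fixed version; anything older is vulnerable.
SAMPLE_ADVISORIES = {"openssl": "1.0.1g", "expat": "2.2.0"}

def version_key(v):
    """'1.0.2k' -> ((1,''),(0,''),(2,'k')) so dotted versions compare sanely."""
    key = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append((int(digits or 0), part[len(digits):]))
    return tuple(key)

def parse_manifest(text):
    entries = []
    for line in text.splitlines():
        if line.strip():
            path, name, version = line.split("\t")
            entries.append({"path": path, "name": name, "version": version})
    return entries

def check_inventory(entries, advisories):
    """Return (vulnerable_paths, libraries_shipped_in_multiple_versions)."""
    vulnerable, versions = [], defaultdict(set)
    for e in entries:
        versions[e["name"]].add(e["version"])
        fixed = advisories.get(e["name"])
        if fixed and version_key(e["version"]) < version_key(fixed):
            vulnerable.append(e["path"])   # the security problem
    # Same library in more than one version: the release-engineering problem
    multi = {n: sorted(v, key=version_key) for n, v in versions.items() if len(v) > 1}
    return vulnerable, multi

if __name__ == "__main__":
    vuln, multi = check_inventory(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES)
    print("vulnerable copies:", vuln)
    print("libraries shipped in multiple versions:", multi)
```

Two identical zlib copies are deliberately not flagged as a version problem: the check is about distinct versions, which is what makes an upgrade hard to coordinate.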
Problematic Production
All Aboard the SS Docker!
So What’s in a Container, Anyway?
You don’t know.
“The majority of people using Docker are using images containing an entire operating system filesystem.”
Presentation: https://speakerdeck.com/garethr/whats-inside-that-container
Vine’s source code, leaked via Docker images.
More continuous integration, continuous delivery, and orchestration tools than ever!
More attack surface than ever!
“We’re all applying speed and scale to our CD pipelines. And they may need to have a little more security… and a little less speed and scale.” — Security researcher
Missed Heuristics
Useful Heuristics We Can Miss
• Build Processes Taking A Lot of Time
• Build Processes You Can’t Do On a Train
• Build Artifacts You Shipped, But Can’t Find Later
Think of it as housecleaning.
Software bugs are like cockroaches: they hide in the darkest, messiest parts of your code.
To get rid of cockroaches, you wouldn’t hunt them down one-by-one. Instead, you’d clean up the house and get rid of their hiding places.
Do the same in your code.
— My undergrad CS professor
Where to Go Now?
Introduce Your Release & Security Engineers
Task the Two Groups to Research Your Software Supply Chain
Start a project that engages other teams with these practices
Release Engineering and Rugged DevOps: How Do They Intersect?
Release Engineering and Rugged DevOps: How Can We Engage and Help Each Other More?
Let’s Find Out!
Finally, Remember: Who Owns Your Software Supply Chain?
For a handy reminder: http://WhoOwnsMySoftwareSupplyChain.com
J. Paul Reed
www.jpaulreed.com | @jpaulreed
www.release-approaches.com | Simply ship. Every time.