Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Post on 21-Feb-2017


RELEASE ENGINEERING & RUGGED DEVOPS: AN INTERSECTION?

J. PAUL REED, RELEASE ENGINEERING APPROACHES

Wait, this looks familiar…

@jpaulreed #RuggedDevOps


RELEASE ENGINEERING & RUGGED DEVOPS: AN INTERSECTION!

J. PAUL REED, RELEASE ENGINEERING APPROACHES

DEVOPS CONNECT AT RSA CONFERENCE (2.0)

J. PAUL REED

• @jpaulreed on

• Managing Partner, Release Engineering Approaches

• 15+ years build/release engineering experience

• Alum of The Ship Show podcast

• Today: “A DevOps Consultant™”

• Master of Science candidate in Human Factors and Systems Safety


RELEASE ENGINEERING AND RUGGED DEVOPS: HOW DO THEY INTERSECT?

RELEASE ENGINEERING / SECURITY OPERATIONS SIMILARITY CHECKLIST

• We look… “a little off” to developers & the business™.

• We both can often be found shoveling DevOps Unicorn poop.

Comic by @hijinksensue (via @petecheslock): “DevOps” / “Sec”

RELEASE ENGINEERING / SECURITY OPERATIONS SIMILARITY CHECKLIST (continued)

• Including our work in project plans/scoping/requirements: maybe?

• But when “it” breaks, suddenly: all eyes on us. Really angry eyes.

• We have a reputation for “No.”

• The nature of our roles is undergoing a fundamental shift.

• The industry is starting to “get it.”

How does Release Engineering impact / relate to / converge with Security?

RELEASE ENGINEERING’S IMPACT TO / RELATION WITH SECURITY OPS

• Software Supply Chains


One vulnerable library in your product is a security problem.

Multiple versions of a vulnerable library in your product is a release engineering problem. — @jpaulreed

RELEASE ENGINEERING’S IMPACT TO / RELATION WITH SECURITY OPS (continued)

• “Old-fashioned” software delivery mechanisms

• Artifact management

• The bold new world of containers

• Every versioning bikeshed ever

What Did We Find Out?


1. The ways in which we consume software continue to be problematic.

2. The ways in which we produce software continue to be problematic.

3. In many cases, we are ignoring heuristics that can help us.

Problematic Consumption


We are stitching our software together from more places than ever!

Your software supply chain may have more actors involved than you think!

Knowing exactly what you’re getting can be difficult…


Making sense of what you have can be difficult.

The good news: this problem has been solved for about 20 years


https://github.com/preed/git-vendor-mirror

CVS VENDOR BRANCHES, GIT STYLE

• Creates a copy of artifacts, so they’re under your control

• Supports a standardized version format (but you can use your own because bike shedding!)

• Custom-patch to your heart’s content (and be able to track them!)

• Supports developer interaction with “standard forks.”

Much easier to just understand what’s going on


Records information you care about, automatically
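The vendor-branch pattern the slides describe, shown in plain git as an added example; this is not the git-vendor-mirror tool’s own code, and the library name (libfoo), the versions (1.0, 1.1), the branch name vendor/libfoo and the tag scheme are assumptions chosen for the illustration. Each upstream release is imported verbatim onto an orphan vendor branch and tagged, so the exact bytes you consumed are under your control; local patches are commits on the project branch, and the next upstream import is merged so those patches are carried forward and stay diffable against pristine upstream. The upstream release trees are constructed inline so the script runs offline with only git and POSIX tools.

```shell
# Added illustration of CVS-style vendor branches in git (not the
# git-vendor-mirror tool's code). Names/versions below are assumptions.

# Write a constructed upstream release tree for version $1 into dir $2
# (stands in for unpacking the real upstream tarball).
make_upstream() {
    ver="$1"; dir="$2"
    mkdir -p "$dir"
    printf 'libfoo %s\n' "$ver" > "$dir/VERSION"
    cat > "$dir/foo.c" <<EOF
/* libfoo $ver, as released upstream */
#include <stdio.h>

int foo(void) {
    return 42;
}
EOF
}

# Replace the vendor branch's contents with the upstream tree $3 and tag it
# as version $2 in repo $1, recording exactly what was consumed.
import_upstream() {
    repo="$1"; ver="$2"; src="$3"
    if git -C "$repo" show-ref -q --verify refs/heads/vendor/libfoo; then
        git -C "$repo" checkout -q vendor/libfoo
    else
        git -C "$repo" checkout -q --orphan vendor/libfoo   # first import
    fi
    git -C "$repo" rm -rfq --ignore-unmatch .
    cp -R "$src"/. "$repo"/
    git -C "$repo" add -A
    git -C "$repo" commit -qm "Import libfoo $ver from upstream"
    git -C "$repo" tag "vendor/libfoo/$ver"
}

# Merge the vendor branch into the project branch; git replays the local
# patches that live on main over the newly imported upstream.
merge_vendor() {
    repo="$1"; ver="$2"
    git -C "$repo" checkout -q main
    git -C "$repo" merge -q --allow-unrelated-histories \
        -m "Merge libfoo $ver" vendor/libfoo
}

# Whole workflow in work dir $1: import 1.0, patch locally, import 1.1.
vendor_demo() {
    work="$1"; repo="$work/project"
    mkdir -p "$work"
    make_upstream 1.0 "$work/libfoo-1.0"
    make_upstream 1.1 "$work/libfoo-1.1"

    git init -q "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/main
    git -C "$repo" config user.email "releng@example.com"   # assumed identity
    git -C "$repo" config user.name "Release Engineering"
    echo "Our product" > "$repo/README.md"
    git -C "$repo" add -A
    git -C "$repo" commit -qm "Initial project"

    import_upstream "$repo" 1.0 "$work/libfoo-1.0"
    merge_vendor "$repo" 1.0

    # A local fix, recorded as its own commit on main so it stays trackable.
    sed 's|return 42;|return 42; /* local patch */|' "$repo/foo.c" > "$repo/foo.c.new"
    mv "$repo/foo.c.new" "$repo/foo.c"
    git -C "$repo" commit -qam "Local patch to libfoo"

    import_upstream "$repo" 1.1 "$work/libfoo-1.1"
    merge_vendor "$repo" 1.1

    # What we consumed, and what we changed on top of pristine upstream.
    git -C "$repo" tag -l 'vendor/libfoo/*'
    git -C "$repo" diff --stat vendor/libfoo/1.1 main -- foo.c
}
```

After the run, `git diff vendor/libfoo/1.1 main` is exactly your local patch set, and `git log vendor/libfoo` is the audit trail of every upstream version you ever shipped; if the 1.1 import had touched the same lines as a local patch, the merge would stop on a conflict, which is the point at which you want a human to look.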


Problematic Production


ALL ABOARD THE SS DOCKER!

SO WHAT’S IN A CONTAINER, ANYWAY?

You don’t know.

“The majority of people using Docker are using images containing an entire operating system filesystem.”

Presentation:

https://speakerdeck.com/garethr/whats-inside-that-container


Vine’s source code, leaked via Docker images.

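One way to stop “you don’t know” being the answer, as an added example that is not from the presentation or from any tool it cites: inventory every layer of a saved image and flag paths that have no business shipping. It reads the `docker save` layout (an outer tar holding one `layer.tar` per layer) but, as a simplification, finds layer tars by name rather than reading `manifest.json`; the two-layer sample image is constructed inline so it runs offline, and the list of risky path patterns is an assumption to tune for your environment.

```shell
# Added example: inventory a saved container image and flag risky paths.
# Not from the talk or any tool it cites; sample image is constructed.

# Build a constructed two-layer image tarball at $1 that mimics the leak
# pattern: a base OS filesystem layer plus an app layer that copied a
# whole source checkout, dotfiles included.
make_sample_image() {
    out="$1"; stage="$(mktemp -d)"
    mkdir -p "$stage/fs1/etc" "$stage/fs1/usr/bin" "$stage/l1"
    echo "root:x:0:0:root:/root:/bin/sh" > "$stage/fs1/etc/passwd"
    : > "$stage/fs1/usr/bin/sh"
    (cd "$stage/fs1" && tar -cf "$stage/l1/layer.tar" .)
    mkdir -p "$stage/fs2/app/.git/objects" "$stage/fs2/root/.ssh" "$stage/l2"
    echo "print('app')" > "$stage/fs2/app/main.py"
    echo "ref: refs/heads/main" > "$stage/fs2/app/.git/HEAD"
    echo "DB_PASSWORD=constructed-sample-value" > "$stage/fs2/app/.env"
    echo "constructed placeholder, not a real key" > "$stage/fs2/root/.ssh/id_rsa"
    (cd "$stage/fs2" && tar -cf "$stage/l2/layer.tar" .)
    printf '[{"Layers":["l1/layer.tar","l2/layer.tar"]}]\n' > "$stage/manifest.json"
    (cd "$stage" && tar -cf "$out" manifest.json l1 l2)
    rm -rf "$stage"
}

# Print every path in every layer of image tarball $1, prefixed with the
# layer it came from. Layers are located by name (simplification; real
# tooling would follow the "Layers" list in manifest.json).
image_inventory() {
    img="$1"; work="$(mktemp -d)"
    tar -xf "$img" -C "$work"
    find "$work" -name layer.tar | sort | while read -r layer; do
        name="${layer#"$work"/}"
        tar -tf "$layer" | sed 's|^\./||' | grep -v '^$' | sed "s|^|$name: |"
    done
    rm -rf "$work"
}

# Filter an inventory for paths that should never ship: VCS metadata,
# dotenv files, private keys (assumed pattern list). Prints the hits and
# returns 1 if any were found, so it can gate a pipeline.
flag_risky_paths() {
    img="$1"
    hits="$(image_inventory "$img" \
        | grep -E '(^|/)\.git(/|$)|(^|/)\.env$|id_rsa$|\.pem$|\.key$' || true)"
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}
```

Run `flag_risky_paths` against the output of `docker save` as a release gate; the inventory alone already answers the question on the slide, and a base layer that lists thousands of OS paths is the “entire operating system filesystem” the quoted presentation is talking about.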

More continuous integration, continuous delivery, and orchestration tools than ever!

More attack surface than ever!

We’re all applying speed and scale to our CD pipelines. And they may need to have a little more security… and a little less speed and scale. — Security researcher

Missed Heuristics


USEFUL HEURISTICS WE CAN MISS

• Build Processes Taking A Lot of Time

• Build Processes You Can’t Do On a Train

• Build Artifacts You Shipped, But Can’t Find Later

Think of it as housecleaning.

Software bugs are like cockroaches: they hide in the darkest, messiest parts of your code.

To get rid of cockroaches, you wouldn’t hunt them down one-by-one. Instead, you’d clean up the house and get rid of their hiding places.

Do the same in your code.

— My undergrad CS professor


Where to Go Now?

Introduce Your Release & Security Engineers

Task the Two Groups to Research Your Software Supply Chain

Start a project that engages other teams with these practices

RELEASE ENGINEERING AND RUGGED DEVOPS: HOW DO THEY INTERSECT?

RELEASE ENGINEERING AND RUGGED DEVOPS: HOW CAN WE ENGAGE AND HELP EACH OTHER MORE?

Let’s Find Out!


Finally, Remember: Who Owns Your Software Supply Chain?

For a handy reminder: http://WhoOwnsMySoftwareSupplyChain.com

J. PAUL REED

WWW.JPAULREED.COM · @JPAULREED

WWW.RELEASE-APPROACHES.COM · SIMPLY SHIP. EVERY TIME.
