The 5-minute conference — #1

A summary of DevSecOps Days Singapore ‘18

TL;DR:

DevSecOps is a very fast-moving field. New learnings and insights are shared on a continuous basis. Only a few people have the luxury of attending DevSecOps events, though. If there aren’t any recordings of the talks, the knowledge does not spread. Even if there are, hardly anyone has the chance to go through a whole day of talks.

For that reason, I am experimenting with a format called “the 5-minute conference”. It consists of an intro about the event, a short summary of each talk and a picture of my favorite slide.

Let me know what you think about this format in the comments.


Singapore is the hub of Asia and is the main region where DevSecOps conversations happen. I was fortunate to help build up the DevOps and DevSecOps community in Singapore and am very happy to see it grow.

For the second year in a row, there was a dedicated DevSecOps track at the RSAC conference. It is a free event that everyone can join and took place in a very intimate setting. The organizers did a great job and the speakers were fantastic.

Learning from other experts in the field of DevSecOps is great. However, the best part of any conference is always socializing. It is great hanging out with old friends and making new ones from all over the world.

DevSecOps Days - Speakers and Organizers

Talks Summary

DJ Schleen: Automating Secure Software Development with DevSecOps

Full disclosure: I, unfortunately, missed DJ’s opening keynote talk. I did get a chance to hang out with him quite a bit over the next couple of days, and it has been a real pleasure. What struck me is the unique blend of offensive and defensive skills he brings to the table. Not only on a theoretical level; he gets down to it and gets his hands dirty. I have rarely seen security folks like him.

This knowledge is reflected in his talk, which I reviewed myself afterward.

See below for my favorite slide. It shows the complexity of a modern DevOps environment: the steps involved in taking an idea to a feature deployed in production, and the opportunities for security to support this workflow.

AppSec Pipeline Overview

Mark Miller: We are all Equifax

Mark is a successful serial community builder. He is the brain behind All Day DevOps, a massive online conference. In his talk, he shared an interesting analysis of the Equifax breach and its implications.

The software supply chain is more relevant than ever. Downloads of open source components are exploding: from 1 billion in 2008 to 87 billion in 2017 — and that’s for the Maven Central repository alone. 80–90% of modern applications and operations consist of assembled components and containers.

Some of these components and containers have known security vulnerabilities. About 1 in 10, to be specific.

Vulnerability disclosure has only a limited short-term impact on how often the affected components are downloaded.

Vulnerable Spring Download Stats

Edwin Kwan: An Iterative Approach to Smashing Security Bugs

I’ve met Edwin a couple of times already and am always very interested to hear about his DevSecOps progress. His session started with an overview of Tyro’s history. Tyro has 400 employees, 150 of whom are engineers. This is an excellent ratio and shows the foresight of the Tyro management.

The main point of the talk is that the only way to find solutions is through experimentation. Nobody has all the answers, and what works for some will not work for others. Edwin has gone through three iterations and shared his lessons and success stories.

We have all heard the slogan “Security is Everyone’s Responsibility” before. Edwin complements it by adding the notion of accountability.

Tech Lead is Accountable

Hunter Neil: Kubernetes Security

Hunter started with a quick Kubernetes and containers overview. Then he dove right into container security and attack profiles. Attack profiles are divided into vertical and horizontal attack profiles. Both can be used to help answer the fundamental question: “Are VMs more secure than containers?”

Spoiler alert: containers can provide roughly as much security as hypervisors.

Hunter went on to give a good summary of Kubernetes and container security.

My favorite slide of his talk:

Kubernetes Unicorn

Stefan Streichsbier: Securing a great Developer Experience

The gist of my talk is that the security industry has neglected developers. Security tools are sold to the few elite organizations that can afford them. The tools are also sold to security departments, not to the developers who should actually use them.

The talk starts by exploring how the technology landscape has changed. It continues by reviewing how application security has failed to keep up. The talk ends with suggestions for improvement so that security tools become effective. It’s all about providing a great developer experience. This is the reason GuardRails exists.

My suggestion for a prosperous and secure future:

The Future of Security

Fabian Lim: The Diary of a DevSecOps Kid

I always enjoy Fabian’s talks. He is one of the first of the DevSecOps native generation. He started out at Intuit under the great Shannon Lietz and has since come back to Singapore. Currently, he is helping to bring DevSecOps to the Singaporean government. Fabian has collected interesting experiences because of his exposure to very different environments.

That’s what his talk was about as well: a diary from the trenches. The key takeaway is that DevSecOps is not a technology problem. If anything, it is the culture, people, and mindset challenges that need solving.

Security is Everyone's Responsibility

Alan Shimmel: DevOps Tools

Alan, who is the founder of DevOps.com, did an entertaining session on current DevOps tools. Alan covered a range of different DevOps tool categories and made recommendations.

Besides giving the tools overview, he shared two interesting insights:

  1. The DevOps market sees consolidation happening, which is reflected in mergers and acquisitions.

  2. The DevOps landscape is rapidly evolving. In the evolution of DevOps, it’s either distinction or extinction. Some tools that were the cornerstone of DevOps a few years ago are now becoming irrelevant.

No matter what happens, though, the market is growing.

DevOps Tool Market Growth

Conclusion

Do you like the 5-minute conference format? Should we cover more conferences this way? Have you been to any DevSecOps events recently? What were your favorite talks and takeaways?

Let me know in the comments!