Category Archives: DevOps

The first scientific survey I’ve seen of the benefits of Lean in software is an ACM-IEEE paper done in the Finnish software industry summarized in this presentation. Enjoy!


November 28, 2016 · 9:31 pm

Three Upcoming DevOps Events You Should Attend

I wanted to mention a couple of Austin-area events folks should be aware of – and one international one! November is full of DevOps goodness, so come to some or all of these…

The international one is called All Day DevOps, Tuesday November 15 2016, and is one long day, AMER and EMEA hours, 3-track, free online conference. It has all the heavy-hitter presenters you’d expect from going to Velocity or a DevOpsDays or whatnot, but streaming free to all. Sign up and figure out what you want to watch in what slot now! James, Karthik, and I are curating and hosting the Infrastructure track so, you know, err on that side 🙂 There are nearly 5,000 people signed up already, so it should be lively!

Then there’s CD Summit Austin 2016.  There’s a regional IT conference called Innotech, and devops.com came up with the great idea of running a DevOps event alongside it. It’s Wednesday November 16 (workshops) and Thursday November 17 (conference) in the Austin Convention Center. All four of the Agile Admins will be doing a panel on “The Evolution of Agility” at 11:20 on Thursday so come on out!  It’s cheap, even both days together are like $179.

But before all that – the best little application security convention in Texas (or frankly anywhere for my money) – LASCON is next week!   Tues and Wed Nov 1-2 are workshop days and then Thu-Fri Nov 3-4 are the conference days. I’m doing my Lean Security talk I did at RSA last fall on Friday, and James is speaking on Serverless on Thursday. $299 for the two conference days.

Loads of great stuff for all this month!


Filed under Conferences, DevOps

The DevOps Handbook


I haz it!

It, of course, is the new DevOps Handbook, in which luminaries Gene Kim, Patrick Debois, John Willis, John Allspaw, and Jez Humble put together a single coherent guide to understanding and implementing DevOps. Most of the “DevOps” books to date have really just nibbled around the edges of DevOps instead of addressing its entire scope head on. This book does so, and will become the standard reference in anyone’s DevOps library.  Get it on Amazon or elsewhere!


Filed under DevOps

AppSec in the Modern Era

I recently wrote an article for Signal Sciences discussing the top 5 application security defense needs in the modern era. It’s very DevOps in nature. You can see the full article in all of its original glory here > Top 5 AppSec Defense needs in the Modern Era


In the article, I covered what I thought were the most critical things needed for a plausible application security program in the modern era.

  1. OWASP Top Ten coverage is a must-have and is expected
  2. Have Defense against Bots and Scrapers
  3. Do Business Logic monitoring
  4. Achieve Operational Insight through Visualizations and Dashboards
  5. Distribute security information where people naturally are, a la ChatOps.

Thoughts, comments?  Hit me up on twitter (@wickett) or in the comments on the original article > Top 5 AppSec Defense needs in the Modern Era

This is a sample of putting visualizations behind your application security defense. These images are provided by Signal Sciences.


Filed under DevOps

Lean Security

James and I have been talking lately about the conjunction of Lean and Security.  The InfoSec world is changing rapidly, and just as DevOps has incorporated Lean techniques into the systems world, we feel that security has a lot to gain from doing the same.

We did a 20 minute talk on the subject at RSA, you can check out the slides and/or watch the video:

While we were there we were interviewed by Derek Weeks.  Read his blog post with a transcript of the interview, and/or watch the interview video!

Back here in Austin, I did an hour-long extended version of the talk for the local OWASP chapter.  Here’s a blog writeup from Kate Brew, and the slides and video:

We’ll be writing more about it here, but we wanted to get a content dump out to those who want it!


Filed under DevOps, Security

Classy up your curl with curl-trace


Let’s say you are debugging some simple web requests and trying to discern where things are slowing down. Curl is perfect for that. Well, sort of perfect. I don’t know about you, but I forget all the switches for curl to make it work like I want, especially in a situation where you need to do something quickly.

Let me introduce you to curl-trace.

It’s not a new thing to install, it’s just an opinionated way to run curl. To give you a feel for what it does, let’s start with the output from curl-trace.

(screenshot: curl-trace output, showing the Request Details and Timing Analysis sections)

As you can see, this breaks out the request details like response code, redirects and IP in the Request Details section and then breaks down the timing of the request in the Timing Analysis section. One thing to keep in mind when reading the timings: curl reports each time_* value as seconds elapsed since the start of the request, not as the duration of that phase, so the TCP connect time is time_connect minus time_namelookup, the TLS handshake is time_appconnect minus time_connect, and so on. This uses curl’s --write-out option and was inspired by this post, this post, and my co-worker Marcus Barczak.

The goal of curl-trace is to quickly expose details for troubleshooting web performance.

How to setup curl-trace

Step 1

Download .curl-format from github (or copy from below)

\n
 Request Details:\n
 url: %{url_effective}\n
 num_redirects: %{num_redirects}\n
 content_type: %{content_type}\n
 response_code: %{response_code}\n
 remote_ip: %{remote_ip}\n
 \n
 Timing Analysis:\n
 time_namelookup: %{time_namelookup}\n
 time_connect: %{time_connect}\n
 time_appconnect: %{time_appconnect}\n
 time_pretransfer: %{time_pretransfer}\n
 time_redirect: %{time_redirect}\n
 time_starttransfer: %{time_starttransfer}\n
 ----------\n
 time_total: %{time_total}\n
 \n

And put that in your home directory as .curl-format or wherever you find convenient.

Step 2

Add an alias to your .bash_profile (and source .bash_profile) for curl-trace like this:


alias curl-trace='curl -w "@/path/to/.curl-format" -o /dev/null -s'

Be sure to change /path/to/.curl-format to the location where you saved .curl-format. Once you do that and source your .bash_profile you are ready to go. Note that -s also silences curl’s error messages, so if you want to see why a request failed (a DNS or TLS error, say) add -S to the alias as well, and remember that -o /dev/null throws away the response body; drop it if you need to inspect what came back.

Usage

Now you can run this:

$ curl-trace https://google.com

Or follow redirects with -L

$ curl-trace -L https://google.com

That’s it…
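Since curl’s timers are cumulative, the one thing curl-trace’s output doesn’t hand you directly is how long each phase took on its own. The script below is an added example written for this post, not code from the curl-trace repo; the names CURL_PHASE_FORMAT, curl_phases and curl_phases_live are my own. It uses the same %{time_*} variables as .curl-format, subtracts neighbouring timers to get per-phase durations (DNS, TCP connect, TLS handshake, time to first byte, body transfer), and treats a zero time_appconnect as a plain-http request with no TLS phase. The numbers in the demo are constructed, not a real measurement.

```shell
#!/bin/sh
# curl-phases: turn curl's cumulative --write-out timers into per-phase durations.
# Added example for this post; it is not part of the curl-trace repo, and the
# names CURL_PHASE_FORMAT, curl_phases and curl_phases_live are assumptions.

# Same cumulative timers as .curl-format, one per field, newline-terminated
# so the line can be read back with read(1).
CURL_PHASE_FORMAT='%{time_namelookup} %{time_connect} %{time_appconnect} %{time_pretransfer} %{time_starttransfer} %{time_total} %{response_code} %{remote_ip}\n'

# curl_phases NAMELOOKUP CONNECT APPCONNECT PRETRANSFER STARTTRANSFER TOTAL
# Every input is seconds since curl started, so each phase is the difference
# between two neighbouring timers. time_appconnect is 0 for plain http, in
# which case no TLS phase is reported.
curl_phases() {
    printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$6" | awk '{
        dns  = $1
        tcp  = $2 - $1
        tls  = ($3 > 0) ? $3 - $2 : 0
        # pretransfer -> starttransfer: request sent until the first byte of
        # the response arrives, i.e. server-side time plus one round trip
        ttfb = $5 - $4
        xfer = $6 - $5
        printf "dns=%.3f tcp=%.3f tls=%.3f ttfb=%.3f transfer=%.3f total=%.3f\n",
               dns, tcp, tls, ttfb, xfer, $6
    }'
}

# Live variant: same idea as the curl-trace alias, but with per-phase numbers.
# Needs network. -sS keeps curl's error messages that plain -s would hide.
curl_phases_live() {
    curl -sS -o /dev/null -w "$CURL_PHASE_FORMAT" "$@" |
    while read -r nl con app pre start total code ip; do
        echo "response_code=$code remote_ip=$ip"
        curl_phases "$nl" "$con" "$app" "$pre" "$start" "$total"
    done
}

# Constructed sample (not a real measurement): an https request where the
# TLS handshake dominates. Run as: sh curl-phases.sh --demo
if [ "${1:-}" = "--demo" ]; then
    curl_phases 0.004 0.020 0.080 0.080 0.200 0.250
fi
```

Reading the demo output, a large tls value points at handshake cost (certificate chain size, OCSP stapling, no session resumption), a large dns value at the resolver, and a large ttfb at the application itself; that split is what you want before you start blaming the network. For a live request, curl_phases_live https://example.com prints the response code and remote IP on one line and the phase breakdown on the next.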

Now you are ready to use curl-trace. If you have anything to add to it, just send me an issue on github or a PR or ping me on twitter: https://twitter.com/wickett.

Enjoy!

UPDATE: 3/17/2016

There was a lot of good feedback on curl-trace so it has now been moved to its own repo: https://github.com/wickett/curl-trace


Filed under DevOps

RSAC gets down with the Rugged DevOps!

This year at RSAC—you know RSA, it’s the really big InfoSec conference that isn’t BlackHat/DefCon—there was a mini-conference on Rugged DevOps. For the last few years they have been featuring this mini-conference as a way to bring DevOps into the InfoSec community.

I did a writeup of the event over on Medium and I hope you find it interesting. One of my favorite parts of the event is summed up in this passage from that article:

To give you a feel for how well it went, I think it is easily summed up with what happened at the closing. To a mostly full room of about 500 people the question was asked, “How many of you have been here all day?” Over 80% of the hands went up. For being a conference within a conference that number is surprising, for doing that with the InfoSec crowd, it is proof that the industry culture is truly shifting.

Security is ready to join the DevOps tribe.  It’s our duty as stewards of DevOps to do this right.

In the article on Medium I link to all the talks and speakers at the event. Check out the presos on SlideShare, follow the speakers on Twitter and most importantly be part of the joining of the tribes.


Filed under DevOps

Links on Bridging Security and DevOps

If you remember, I (@wickett) said I would be doing more blogging for Signal Sciences in the new year. We are still in January, but I am glad to say that so far so good. Here are a couple of highlights from recent posts:

That’s all for now.  Happy Friday everyone!


Filed under Conferences, DevOps, Security

In the New Year, resolve to bring Security to the DevOps party

Happy New Year!  May this be your year of much successful DevOps.

Last year I wasn’t too vocal about my work over at Signal Sciences, mostly because I was too busy helping to rapidly build a NextGen Web Application Firewall as a SaaS from the ground up. This year you will be hearing a bit more, as I am regularly contributing to the Signal Sciences blog (Signal Sciences Labs) over at Medium (sorry WordPress!).

I will try and occasionally link into some of my posts over there to The Agile Admin, around topics like:

  • The challenges we faced building a modern security product
  • Bridging the gap with Security and DevOps
  • Attack Driven Operations
  • and other Rugged DevOps topics…

Which brings me to the point of this post…

Bring Security to the DevOps party!

I am making a personal goal this year to bring security engineers, auditors, penetration testers and even those forensics folks to the devops party.  I have my sights mostly set on DevOps Days Austin as the event to physically bring people to (watch out Austin Security people!) but I am already crafting blog posts and many cunning tweets to also bring them over as well.  This year can you join me in trying to bridge this gap?

Last month I had the opportunity to do a Sec Casts panel with these fine folks (all of whom you should follow) on topics around devops and security:

If you don’t want to hear us go on for about an hour, you can read the write-up here. I mention this panel specifically because I think the topics brought up in it are directly impactful to the goal of bridging security and devops.  Maybe it will give you some ideas on how to bridge the gap in your own organization.

Happy New Year and let’s make this the year that Security is finally brought into the DevOps fold.


Filed under DevOps

StackEngine Webinar – Docker and the Future of Configuration Management

I hope you’ve been enjoying our Docker and the Future of Configuration Management blog roundup!  I’m joining Jon Reeve of StackEngine, who’s sponsoring the roundup with prizes and such, in a Webinar this week to discuss the various points of view we’ve seen covered.

The Webinar will be on Wednesday Dec 09, 2015 at 11:00 AM CST. Register now at: https://attendee.gotowebinar.com/register/5726672543793290498

In this webinar – we’ll explore how Docker and containers are impacting the future of configuration management. Is true “Golden Image” management now a reality? We’ll explore different points of view and the pros and cons of Docker’s impact.

We’ll also review StackEngine’s approach to Docker and container management and how it is benefiting DevOps and Operations teams.


Filed under DevOps