Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed


Transcript of Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Page 1: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING & RUGGED DEVOPS: AN INTERSECTION?

J. PAUL REED, RELEASE ENGINEERING APPROACHES

Page 2: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Wait, this looks familiar…

@jpaulreed #RuggedDevOps

Page 3: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed


Page 4: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING & RUGGED DEVOPS: AN INTERSECTION!

J. PAUL REED, RELEASE ENGINEERING APPROACHES

DEVOPS CONNECT AT RSA CONFERENCE (2.0)

Page 5: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

J. PAUL REED

• @jpaulreed on

• Managing Partner, Release Engineering Approaches

• 15+ years build/release engineering experience

• Alum of The Ship Show podcast

• Today: “A DevOps Consultant™”

• Master of Science candidate in Human Factors and Systems Safety


Page 6: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING AND RUGGED DEVOPS: HOW DO THEY INTERSECT?

Page 7: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING / SECURITY OPERATIONS SIMILARITY CHECKLIST

• We look… “a little off” to developers & the business™.

• We both can often be found shoveling DevOps Unicorn poop.


Page 8: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

[Image: “DevOps” and “Sec”; credit @hijinksensue (via @petecheslock)]

Page 9: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING / SECURITY OPERATIONS SIMILARITY CHECKLIST

• We look… “a little off” to developers & the business™.

• We both can often be found shoveling DevOps Unicorn poop.

• Including our work in project plans/scoping/requirements: maybe?

• But when “it” breaks, suddenly: all eyes on us. Really angry eyes.

• We have a reputation for “No.”

• The nature of our roles is undergoing a fundamental shift.

• The industry is starting to “get it.”

Page 10: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

How does Release Engineering impact / relate to / converge with Security?

Page 11: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING’S IMPACT TO / RELATION WITH SECURITY OPS

• Software Supply Chains

Page 12: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

One vulnerable library in your product is a security problem.

Multiple versions of a vulnerable library in your product is a release engineering problem.

— @jpaulreed
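
The distinction in the quote above, worked through as an added example (not from the talk or from any tool it mentions): given an inventory of which library versions each shipped artifact bundles, it reports libraries present in more than one version and the artifacts still carrying a version older than a fix. The artifact names, `libexample`, `jsonlib` and the advisory are constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory: shipped artifact -> bundled (library, version) pairs.
INVENTORY = {
    "web-frontend.war": [("libexample", "1.2.0"), ("jsonlib", "2.4.1")],
    "billing-service.jar": [("libexample", "1.2.0"), ("libexample", "1.0.3")],
    "report-worker.tar.gz": [("libexample", "1.3.1"), ("jsonlib", "2.4.1")],
}
# Constructed advisory (placeholder, not a real CVE): fixed in libexample 1.3.0.
ADVISORY = {"library": "libexample", "fixed_in": "1.3.0"}


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def versions_in_product(inventory):
    """Map library -> {version -> sorted list of artifacts that bundle it}."""
    seen = defaultdict(lambda: defaultdict(set))
    for artifact, components in inventory.items():
        for library, version in components:
            seen[library][version].add(artifact)
    return {lib: {v: sorted(a) for v, a in vers.items()}
            for lib, vers in seen.items()}


def version_sprawl(inventory):
    """Libraries shipped in more than one version across the product."""
    return {lib: sorted(vers, key=parse_version)
            for lib, vers in versions_in_product(inventory).items()
            if len(vers) > 1}


def affected_artifacts(inventory, advisory):
    """Artifacts bundling a version older than the advisory's fixed version."""
    fixed = parse_version(advisory["fixed_in"])
    by_version = versions_in_product(inventory).get(advisory["library"], {})
    hits = defaultdict(list)
    for version, artifacts in by_version.items():
        if parse_version(version) < fixed:
            for artifact in artifacts:
                hits[artifact].append(version)
    return {a: sorted(v, key=parse_version) for a, v in hits.items()}


if __name__ == "__main__":
    print("version sprawl:", version_sprawl(INVENTORY))
    print("affected artifacts:", affected_artifacts(INVENTORY, ADVISORY))
```

The first report is the release engineering view (how many versions have to be chased), the second is the security view (what has to be rebuilt and re-shipped).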


Page 13: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING’S IMPACT TO / RELATION WITH SECURITY OPS

• Software Supply Chains

• “Old-fashioned” software delivery mechanisms

• Artifact management

• The bold new world of containers

• Every versioning bikeshed ever

Page 14: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

What Did We Find Out?


Page 15: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

1. The ways in which we consume software continue to be problematic.


Page 16: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

1. The ways in which we consume software continue to be problematic.

2. The ways in which we produce software continue to be problematic.


Page 17: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

1. The ways in which we consume software continue to be problematic

2. The ways in which we produce software continue to be problematic

3. In many cases, we are ignoring heuristics that can help us

Page 18: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Problematic Consumption


Page 19: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

We are stitching our software together from more places than ever!

Page 20: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Your software supply chain may have more actors involved than you think!


Page 21: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Knowing exactly what you’re getting can be difficult…


Page 22: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Making sense of what you have can be difficult.

Page 23: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

The good news: this problem has been solved for about 20 years


Page 24: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

https://github.com/preed/git-vendor-mirror

Page 25: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

CVS VENDOR BRANCHES, GIT STYLE

• Creates a copy of artifacts, so they’re under your control

• Supports a standardized version format (but you can use your own because bike shedding!)

• Custom-patch to your heart’s content (and be able to track them!)

• Supports developer interaction with “standard forks.”

Page 26: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed


Page 27: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Much easier to just understand what’s going on


Page 28: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Records information you care about, automatically


Page 29: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Problematic Production


Page 30: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

ALL ABOARD THE SS DOCKER!

Page 31: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

SO WHAT’S IN A CONTAINER, ANYWAY?

You don’t know.

Page 32: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

“The majority of people using Docker are using images containing an entire operating system filesystem.”

Presentation:

https://speakerdeck.com/garethr/whats-inside-that-container


Page 33: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Vine’s source code, leaked via Docker images.

Page 34: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed


Page 35: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

More continuous integration, continuous delivery, and orchestration tools than ever!

Page 36: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

More attack surface than ever!

Page 37: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

We’re all applying speed and scale to our CD pipelines.

And they may need to have a little more security… and a little less speed and scale.

— Security researcher

Page 38: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Missed Heuristics


Page 39: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

USEFUL HEURISTICS WE CAN MISS

Build Processes Taking A Lot of Time

Page 40: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

USEFUL HEURISTICS WE CAN MISS

Build Processes You Can’t Do On a Train

Page 41: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

USEFUL HEURISTICS WE CAN MISS

Build Artifacts You Shipped, But Can’t Find Later

Page 42: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Think of it as housecleaning.

Software bugs are like cockroaches: they hide in the darkest, messiest parts of your code.

To get rid of cockroaches, you wouldn’t hunt them down one-by-one. Instead, you’d clean up the house and get rid of their hiding places.

Do the same in your code.

— My undergrad CS professor


Page 43: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Where to Go Now?

Page 44: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Introduce Your Release & Security Engineers

Page 45: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Task the Two Groups to Research Your Software Supply Chain

Page 46: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Start a project that engages other teams with these practices

Page 47: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING AND RUGGED DEVOPS: HOW DO THEY INTERSECT?

Page 48: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

RELEASE ENGINEERING AND RUGGED DEVOPS: HOW CAN WE ENGAGE AND HELP EACH OTHER MORE?

Page 49: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Let’s Find Out!


Page 50: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

Finally, Remember: Who Owns Your Software Supply Chain?

Page 51: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

For a handy reminder: http://WhoOwnsMySoftwareSupplyChain.com

Page 52: Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed

J. PAUL REED

www.jpaulreed.com @jpaulreed

www.release-approaches.com

SIMPLY SHIP. EVERY TIME.
