Devops Days Podcast

Full title: Confessions of a social engineer: Why developers are my favorite target Social engineers use a dangerous combination of technology and old fashioned con artistry to infiltrate organizations every day. In this talk we'll walk through the social engineering process including research, target selection, attack selection, and attack execution. Learn to see the world through the eyes of a social engineer and prevent yourself from being a victim.

In this talk, Sam will discuss some common and some not-so-common tools for debugging code, systems, and anything in between. He will take strace, valgrind, gdb to the next level.

All organizations face challenges in changing their culture and adopting DevOps philosophies. This is especially true in many federal government agencies. Through well-intentioned policies and procedures many agencies have created extremely silo’d environments where change is slow and difficult. Finishing the last leg of large scale software development project acquisitions can be particularly challenging and expensive. Barriers often impede getting hardware and software systems system fully tested, transitioned, and up and running in production on schedule. Through our experience as a passionately DevOps focused software development group within Carnegie University's Software Engineering Institute, a federally funded research and development center, creating, delivering and transitioning cutting edge software solutions to government organizations, we have struggled with and overcame challenges in helping government to adopt DevOps principles. Learn how we have conquered these challenges in shifting our gover

Several attendees give spontaneous talks...having never seen the slides and the slides have almost nothing to do with each other. A hilarious exercise in non-sequitur and impromptu absurdity. We all need a little ridiculousity in our lives!

• Jason Hand (VictorOps) - ChatOps• Leon Frayer - What is devops NOT?• Lewis (Delphic) - Data as a service• Chris Corriere

How to take an app from your laptop to production utilizing the future of container orchestration. It’s difficult to say with confidence that your app will work in production without testing it, many people today have very complex scripts which out outline deployment, testing and validation, and often rely on late night pager calls and very brittle rollback scenarios. Additionally, developers struggle with developing software on different platforms and SDK versions that are hard to make consistent which results in different builds and exceptions which are hard to resolve. We can finally stop saying, 'it works on my machine' phrase since it will work the same on every machine. Other processes in the past have attempted to solve the problem but are brittle and take time to build out environments. This talk will outline the process of how to deploy an app locally in docker-compose, then scale it out to multiple servers running Kubernetes. From there, the audience will see how to scale the app to achieve performa

There are many stakeholders involved when you are creating or assembling a security toolchain. How do you satisfy the different, and sometimes conflicting, needs of these stakeholders in a responsive way? We can use some of the concepts developed in the user experience domain to create better security tooling. User personas allow us to map out different roles that must interact with security to get their work done. These personas are living and provide a fast feedback loop when paired with user interviews. Giving direction while allowing freedom is a key tenet to integrating security into different parts of your organization.

Operating Systems. Where did they come from? Did your customer ask for one? Why do you bother with them at all? Operating systems have traditionally played an enormous part in software development and operations. Most of us would find it difficult to imagine computing without one. They are certainly a source of religious contention. Operating systems represent a maintenance and security burden; they have long been viewed by many as a necessary evil. They often bring more bulk and complexity than the systems we are producing; particularly in the case of microservices. They complicate security, greatly increasing the attack surface, and they require a significant expense and effort to maintain. But generally, operating systems are assumed to be required and we seldom consider a service environment without them. How well do you really even know what you're deploying when an OS is involved? Operating systems introduce variation into a development workflow that can be difficult to manage. On a dev team, each indiv

Is your performance monitoring using real-time analytics in a way that will produce results or noise and frustration? Real-time analytics can improve the value of performance monitoring by enabling operations teams to pinpoint problems faster and proactively manage applications, but it’s notoriously difficult to harness its value. In this presentation, we will show you how to avoid the pitfalls of partial analytics implementation, and explain the value of a comprehensive monitoring analytics platform.

  Once infrastructure becomes code it becomes testable as code (testing is generally considered a pretty good idea). It also becomes reviewable as code. Code review is a powerful complement to testing (and might just be the more effective of the two for finding bugs), spreading knowledge, and improving at the craft of programming In this talk: Be convinced reviewing code review is also a pretty good idea. Cover pre and post commit workflows and example tooling to make your day better. Lessons from the messy growing pains of growing an organization from virtually no formal code review to reviewing every commit. Best practices for being an effective reviewer and reviewee.

Government agencies are often hesitant to use open source tools out of concerns of security and compliance issues. This hesitancy to use open source deprives many government agencies from closely collaborating with others to create software that is finely tuned and widely available to scratch its own itch. The five-year old OpenSCAP community is helping to change that and re-imagining the US Governments role in open source through its NIST-Certified SCAP 1.2 scanning software and growing body of open source licensed SCAP content. By the OpenSCAP suite scanning and configuration management tools, government agencies looking to become high velocity organizations can automate the cumbersome process certifying a server has been properly hardened for production and begin to develop community resources for hardening of other popular open source tools. The OpenSCAP community is actively developing suite of software tools to make continuous monitoring in agile environments easier, especially for developers, who often

In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure. Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.

Or, "Automation is hard and the enterprise is large." Fewer steps, decreased time-to-production, faster iteration cycles... Devops practically sells itself - except when it doesn't. You can do all the right things but if you don't make it matter for Mission(tm), nobody will listen. We're very good at the first step toward excellence (doing great things) but we often forget about the follow-up - talk about it. But how? Where? Changing culture isn't easy, especially when you're a single person inside a huge government organization. We'll show a few tips we've learned along our journey toward making government work a little less painful. Speed of government? Red tape? Legions of bureaucrats with nothing better to do than slow you down? We know your pain. We're here to help.

We pursue increasingly rapid delivery cycles while acheiving previously unimaginable degrees of scalability, reliability, and raw performance. But there is obviously a growing and serious mismatch between our develoment and operations performance in securing our applications compared to our performance in other areas. I work at a company extensively involved in Drupal and other open source projects that concentrate on both DevOps and security, but continue to be plagued by serious security vulnerabilities. Organizations and individuals negatively affected by Heartbleed and other security flaws probably would have readily traded some delay in accessing new features or temporary access problems for better security. So, how can we better focus DevOps culture and practices on the concept of Continous Security to deliver this? Perhaps we need to look at ongoing advances in automated security testing, more rigorous and frequent manual code review, and paired/team programming practices, and work better on more fully

Right-sizing your environment is one of the most stressful decisions to make when moving to the cloud. If you under-provision resources, systems are at risk of going down and you lose money. If you over-provision, you’re wasting money that could be used elsewhere. In this presentation, we’ll share with you 3 ways we’ve learned how to get capacity utilization wrong and how we eventually got it right. CPU measurement alone won’t give you the full view of your infrastructure utilization You can’t measure the utilization for a metric if you don’t know how high it can go If you only rely on request count and don’t include queue length, you will miss an early warning

The story of USPTO’s journey and struggles with implementing DevOps.

W. Edwards Deming offered 14 key principles for management to follow for significantly improving the effectiveness of a business or organization. Many of the principles are philosophical. Others are more programmatic. All are transformative in nature. The points were first presented in his book Out of the Crisis.