6. “DevOps is the set of cultural norms and technology practices that enable the fast flow of planned work from, among others, development, through tests into operations while preserving world-class reliability, operation and security. DevOps is not about what you do, but what your outcomes are.” (Gene Kim)
9. So … DevSecOps? Guardrails!
Leaning in over Always Saying “No”
Data & Security Science
Open Contribution & Collaboration
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
26. Sign Your Container Images
Content Trust: sign only release candidates. With Docker Content Trust enabled, the CLI refuses unsigned base images during build and unsigned images on pull, and signs the image when it is pushed:
export DOCKER_CONTENT_TRUST=1
docker build --disable-content-trust=false -t myacr.azurecr.io/myimage:v1 .
27. Run Scanners
Clair: https://github.com/quay/clair
Azure Security Center
Docker Bench for Security: https://github.com/docker/docker-bench-security
And many more: https://techbeacon.com/security/10-top-open-source-tools-docker-security
Cilium: https://github.com/cilium/cilium
45. Networking Policies
Scope: Services and Pods
Why? Tell Me More!
Deny all traffic within the mesh by default
Block access to the Instance Metadata service
https://ahmet.im/blog/kubernetes-network-policy/
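As an added example, not taken from the slides, the two Kubernetes NetworkPolicy objects below implement the two points above for a namespace named myapp (an assumed name): the first denies all ingress and egress for every pod in the namespace, the second re-opens egress but excludes 169.254.169.254/32, the link-local address on which the cloud instance metadata service listens. They only take effect with a CNI plugin that enforces NetworkPolicy, such as Cilium.

```yaml
# Added example, not from the original slides. Namespace "myapp" is assumed.
# Policy 1: default deny. An empty podSelector matches every pod in the
# namespace; listing both policy types with no rules denies all traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: myapp
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Policy 2: allow egress anywhere except the instance metadata endpoint.
# NetworkPolicies are additive, so this widens the default deny for egress
# only; ingress stays denied until another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-except-metadata
  namespace: myapp
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32   # instance metadata service (AWS, Azure, GCP)
```

Apply both with kubectl apply -f and verify from a pod in the namespace that a request to 169.254.169.254 times out while other destinations still resolve and connect. The ipBlock except list is evaluated against the destination IP, so it also covers the case where the metadata address is reached through a link-local route. Narrow the 0.0.0.0/0 allowance further (for example to cluster DNS and the specific services each workload needs) as the policy set matures; if a service mesh is in use, its own authorization layer is separate from these policies and must be configured on top of them.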