Sitecore deployments are traditionally relatively expensive due to technological and architectural limitations. The introduction of a containerized hosting model is a game-changer in the Sitecore DevOps story: it allows DevOps teams to enable delivery security features and reduce deployment cycles through automation by activating DevSecOps strategies. This flexibility and cost-efficiency of containerized deployments allows DevOps and engineering teams to focus on and align around business value, rather than being handicapped by legacy technology and systems.

In this session we will walk the attendees through the benefits of a DevSecOps pipeline to IT, development teams, and their business leadership, and show what it takes to migrate from an on-premises setup to AKS-hosted infrastructure. We will present a reference design for an automated DevSecOps pipeline that focuses on security, quality, and speed. The session will cover the learnings from a major healthcare technology and research company that has gone through this shift and highlight the impact they experienced on the infrastructure, solution architecture, DevOps pipeline, processes and internal resources:

- Infrastructure: a feature overview of Azure vs AWS as it relates to a containerized Sitecore implementation, covering the risks, pros, and cons associated with each, and the cost estimation process for AKS.
- Sitecore topology: the steps for changing the default Sitecore AKS topology for maximum cost efficiency and flexibility.
- DevOps pipeline: the automation required to move towards DevSecOps, with environment creation via Infrastructure as Code, disaster recovery, and zero-downtime fully automated deployments to production.
- Processes and team changes: how the new DevSecOps pipeline affects internal processes and what internal support team changes are required to continue managing the new infrastructure and release pipeline.
Thank you!
I am a proud community member! Please contact me on the following handles:
sitecorechat.slack.com / Twitter: @vasiliy, @vasiliyfomichev
Editor's notes
https://www.plutora.com/blog/devsecops-guide
( Netflix and the chaos monkey)
Certification - (Isc)2, isaca, comptia
Playgrounds - - owasp - juice shop and webgoat
Today Vasiliy and I will discuss 3 core focus areas - team, data, and process - for businesses that want to kickstart or improve their personalization programs.
https://jfrog.com/devops-tools/what-is-devsecops/
84 comparison items
: specialized node monitoring or repair, automatic control plane upgrades and maintenance, private networks for the Kubernetes clusters
; as a result, issues may take longer to resolve on average because we would be "pioneering" the space in some ways.
Because EKS is not on the Sitecore support roadmap, we may see limitations in Sitecore product and service support in the future.
Containers are designed to be ephemeral, lasting only as long as they are needed, whereas servers are nurtured over time (pets vs. cattle). There is no need to make changes to running containers, and reducing access reduces the attack surface (no SSH). Scan containers at runtime, fix the images and recreate them.
The most common container issues: container escape and secret exposure.
https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/
1 security specialist per 100-400 developers
Champions are conduits; they graduate to evangelists.
Use them to create champions.
Three levels of code testing: unit, technology, and system. 90% of issues are usually found in unit testing, but those account for only 10% of the defects found in production; system and technology testing find 10% of issues, which account for 90% of production defects.
RASP - runtime application self-protection. Checks whether data input changes application behavior.
IAST - watches the behaviors of data as an agent inside the runtime; ensures passwords are always encrypted etc.
Run DAST in a pre-prod environment; the tests perform common attacks such as fuzz testing ("fuzzing") or brute force. Fuzzing is submitting random strings of data to try to make the app break.
Use software composition analysis (SCA) tools to check app dependencies against known CVEs.
Scan containers at runtime, fix the images and recreate them.
Dynamic Threat Analysis (DTA): Aqua Security has a tool that creates a sandbox, runs the container and watches for suspicious behavior.