Sitecore deployments are traditionally relatively expensive due to the technological and architectural limitations. The introduction of a containerized hosting model is a game-changer in the Sitecore DevOps story. It allows DevOps teams to enable delivery security features, and reduce deployment cycles through automation, by activating DevSecOps strategies. This flexibility or cost-efficiency of containerized deployments allows DevOps and engineering teams to focus on and align around business value, rather than being handicapped by the legacy technology and systems. In this session we will walk the attendees through the benefits of a DevSecOps pipeline to IT, development teams, and their business leadership and show what it takes to migrate to the AKS-hosted infrastructure from an on-premise setup. We will present a reference design for an automated DevSecOps pipeline that focuses on security, quality, and speed. The session will cover the learnings from a major healthcare technology and research company that has gone through this shift and highlight the impact they experienced on the infrastructure, solution architecture, DevOps pipeline, processes and internal resources - Infrastructure: we will provide a feature overview of Azure vs AWS as it relates to a containerized Sitecore implementation, covering risks, cons, and pros associated with each and the cost estimation process for AKS. Sitecore Topology: we will cover the steps for changing Sitecore default AKS topology for maximum cost efficiency, and flexibility. DevOps pipeline: we will cover the automation that is required to move towards DevSecOps with environment creation via Infrastructure as Code, disaster recovery, and zero-downtime fully automated deployments to production. Processes and team changes: We will present how the new DevSecOps pipeline will affect internal processes and what internal support team changes are required to continue managing the new infrastructure and release pipeline.

1. The Agile Nirvana
of DevSecOps and
Containerization
Vasiliy Fomichev
#sugcon

2. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
1. Introduction to DevSecOps
2. Containerization hosting options for Sitecore
3. Creating a DevSecOps CI/CD pipeline
Agenda

3. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Introductions
 Sitecore MVP 2015 – 2022:
Technology, Commerce, Ambassador
 14 years of Sitecore delivery
 8 years of managing Sitecore practices
 MarTech enthusiast — Content, Azure, AI, Blockchain
Vasiliy Fomichev
Sr. Director, Solution Architecture, Altudo
vasiliy.fomichev@altudo.co
@vasiliyfomichev
www.altudo.co
www.cmsbestpractices.com

4. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Altudo is a Sitecore Leader for 15+ years
4

5. Introduction to
DevSecOps
The essential
fundamentals.

6. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
DevSecOps is gaining adoption speed
Published 12 July 2021 • ID G00747574

7. DevSecOps is a methodology that puts security
into every step of CI/CD

8. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Traditional way of security compliance

9. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
What is DevSecOps and why it’s important

10. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The foundational layers of DevSecOps
Education & Knowledge Retention
Security by design
Automation

11. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Security is a cost / benefit exercise.

12. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The three pillars of security
Confidentiality Integrity Availability
• System access control
• Data access control
• Information exposure limit
• System integrity
• Data integrity
• Behavioral integrity
• System SLA
• Data accessibility
• Application performance and
uptime

13. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
1. Cheap creation and deletion reduces
security risk by removing potentially
compromised environments
2. Immutable environments create
consistency, predictability, and
repeatability
3. Reduction of attack surface
4. Cost-efficiency of operations (scaling,
patching, updating, maintenance
updates) is conducive to security
Containers make DevSecOps cheaper

14. Azure vs AWS
The cons and pros behind
Sitecore container hosting
options.

15. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Managed cloud Kubernetes options
High skilled talent cost &
2-3 yr. deprecation schedule
https://steve-yegge.medium.com/dear-google-cloud-your-deprecation-policy-is-killing-you-ee7525dc05dc

16. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
• Fully supported by Sitecore Support
• Sitecore community alignment
• Lower cost of hosting
• Burst and other options for scaling
• Easier to get started and configure networking
• Fully managed control plane (lower maintenance)
• Allows image signing with Content Trust
• Integrated resource monitoring with Azure Monitor
• Provides official Government and Healthcare cloud options
Hosting Sitecore containers in Azure
350/420
ENTERPRISE SCORE

17. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
363/420
ENTERPRISE SCORE
Hosting Sitecore containers in AWS
• The most widely used Kubernetes service
• 99.95% uptime SLA included
• Provides a free image security scanning service
• Lack of automated node repair
• Includes additional charges per hour per cluster ($0.1)
• Liability concerns around limited support for EKS by Sitecore
• Harder to get started with
• Requires a third-party resource monitoring solution

18. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
• Sitecore fully supports AKS
• The Sitecore community is aligned with the AKS
• Additional security features on top of AWS
• Health and Government cloud availability
• Lower cost of hosting
• Lower cost of implementation maintenance by about 25%
Azure is the recommeded hosting provider
+

19. DevSecOps with
Sitecore
Putting it all together.

20. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The foundational layers of DevSecOps
Education
Security by design
Automation
• People
• Systems
• Processes
• Best practices (OWASP 10, MITRE 25)
• Pair programming
• Lunch & learns
• Informal knowledge sharing
• Experiment
• Learn from incidents
• Create incidents yourself
• Use playgrounds
• Certification
• Self-paced
• Instructor-led
• Tutorials
• Gamification
• Peer reviews
• Threat modeling
• OWASP Security Knowledge
Framework (SKF)
• Unit testing
• Integration testing
• Code quality scanning
• SAST
• SCA dependency scanning
• Integration testing
• DTA container scanning
• Network scanning
• Performance testing
• IAST
• RASP
• DAST

21. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
• Inject sensitive variables at build time or pull at
runtime (example, key vault)
• Change the default admin user used to run a
container to avoid container escape attacks
• Disable all remote container access
• Use namespaces to limit access
• Enable image signing to avoid MITM attacks
• Use tagging and semantic versioning (avoid version
word labeling)
• Do not rely on external image sources (community)
• Scan base images for vulnerabilities
• Use hardened VM images (example, CIS)
Container security best practices
Docker CIS
Benchmark
Kubernetes CIS
Benchmark

22. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Team changes and upskilling
QA
Quality Assurance
and testing
Developer
Front and backend
development.
DevOps Engineer
Release processes
and automation
DevOps Security
Champion
Security automation
Monitoring
Notifications
Development Security
Champion
Code Scanning & Reviews
QA Security Champion
Dynamic application
testing
Security Bridge Team
Specialized Security
Personnel
Software, DevOps,
Forensic Analysis,
etc.
CISO
Security program
development.
Security Team
Development Team

23. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Resourcing your teams based on your strategy
Team
1
Team
2
Team
3
Upskilled Team
+ Agile
+ Cheaper
? Ability to Scale
? Commitment
Team
1
Team
2
Team
3
++ Center of
Excellence
? Customer Focused
? Prioritisation
? Resourcing
? Speed of Turnaround
Platform Team
- Security champions and evangelists
Team
1
Team
2
Team
3
+ Customer Focus
+ Resources secured
? Distributed Knowledge
? Communication
? Overlapping Experiences
Shared Resources

24. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Account for new measures & optimize
STG Deployment
(20 mins)
Page Speed Test
Review
(10 mins)
Load Test
(60 mins.)
Load Test Review
(20 mins)
Sitecore startup
and validation
(10 mins.)
DSAT
(3 days)
Page Speed Test
(10 mins.)
Dynamic Test
Review
(10 mins)
Publish
(5 mins)
Deployment: 1hr. 45mins
Manual LOE: 20mins.
Critical Path Parallel Optional
Legend:
• Create a flowchart diagram for each manual and
automated step
• Estimate the amount of time each step takes
• Optimize the pipeline to reduce the impact of
testing and scanning on deployment time
• Include a level of security risk acceptance to avoid
delays in releases
• Structure developer validation and review processes
around the optimized pipeline

25. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Infrastructure as Code (IaC) is the management of infrastructure (networks, virtual machines, load balancers, and
connection topology) in a descriptive model, using the same versioning as DevOps team uses for source code.
• Automates environment setup
• Allows repeatability and templatization
• Enables infrastructure versioning
• Promotes Site Reliability Engineering (SRE)
• Promotes standardization, security, consistency, and
stability
Infrastructure as code for automation

26. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
IAST/RA
SP
Performance
testing
Network Scanning
DTA Container
Scanning
Integration testing
SCA Dependency Scanning
SAST/Unit Testing
Design test automation based on cost
Cost
per
test
DAST
• No single test is sufficient
• Provide test coverage across units, technology, and
system layers
• Move the cheaper tests closer to the foundation to
reduce the feedback cycle
• Container tests should be done at three levels
o IDE by developers
o During the build process before deploying to the
registry
o Periodic scans for registry images
• Manual testing is good at finding outlier defects, while
automated delivers greater testing coverage to
identify common weaknesses.
Penetration testing,
bug bounties, peer
reviews

27. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
DevSecOps Sitecore pipeline
27
Pull Image
Developers
Image
Repository
Container
Registry
System
Admins
DevOps
Engineers
Commit
Listen
Manage
Manage
Store image
DEV SVT PRD
DEV Deployment SVT Deployment PRD Deployment
Container Image Pull
Gitlab CI
Gitlab CD
Gitlab DAST
Selenium UI
Tests
Unit Tests
Quality and SAST
Scans
Upload
Run
Run
Upload Run
Page Speed
Tests
Load Tests
Run Run

28. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The biggest problem with security is lack of
specialized talent. Tools cannot replace people,
yet.

29. This list of sponsors is yet to be
finalized and will be added
when they are fully confirmed.
A new version of this slide
template will be delivered to you
later and a quick swap of this
slide is the only task left.
Thank you!
Get more
resources >

30. I am a proud community member!
Please contact me on the following handles:
sitecorechat.slack.com twitter
@vasiliy @vasiliyfomichev