All you need is Zap - Omer Levi Hevroni &amp; Yshay Yaacobi - DevOpsDays Tel Aviv 2017

DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg. DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain. When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you have Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?

DevOpsDays Tel Aviv 2017

Technologie

Dynamic Security Testing
November 2017
@omerlh
@yshayy

http://www.align.com/wp-
content/uploads/2017/09/Equifax_Infographic.png

And it affects the stock price...
disclosed

http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-
failed-to-patch-was-to-blame-for-data-breach/

https://nvd.nist.gov/vuln/detail/CVE-2017-5638

What can we do?
● Threat Modeling
● Design/Code review
● Bug bounties
● Security tests
● And many more…

Let’s try to change the design a bit to
increase engagement
Demo e-commerce app
Example 1 - A/B Testing

GitHub Flow
Source: GitHub
Checks - Quality Feedback

The best defense is a good offense
Source: http://community-sitcom.wikia.com/wiki/File:Dual_wielding_Chang.jpg

And run it in CI
Let’s take a hacking tool

OWASP Zaproxy
https://www.openhub.net/p/zaproxy
Free and Open Source hacking tool

What Zap does?
● Inspecting request and response
● Run passive scan rules:
○ Cookies misconfiguration
○ Security HTTP Headers
○ Mixed Content
○ And many more

Zap does not only find the issues
It will also help you fix them!

What Zap does?
● Find all URLS/Paths
● Run active scan rules:
○ SQL injections
○ XSS
○ Directory browsing
○ Remote file inclusion
○ And many more

Tweek’s Security Testing
Tweek
API
Tweek
Editor
Integration
Tests
REST
UI
Automation
Tests
Selenium
ZAP Proxy
ZAP Proxy
REST
Selenium

Let’s use Docker
● Tweek is designed as a multi-container app
● Every microservice has an offical Docker image
● Tweek uses Docker-native CI (Codefresh)
● Test suites also run as docker containers
● Zap has an official docker image

Containerized them all!
Tweek
API
Tweek
Editor
Smoke
Tests
REST
UI
Automation
Tests
Selenium
ZAP Proxy
ZAP Proxy
REST
Selenium

OWASP Glue
Security Tool Filtering Reporting
Free and Open Source CI tool

Using Glue
ruby /usr/bin/glue/bin/glue
-t zap
--zap-host http://zap-e2e --zap-port 8090 --zap-passive-mode
-f text
--exit-on-warn 0
http://editor
--finding-file-path /usr/src/wrk/glue.json

Zap’s findings for the API
● Insecure cookies
● Missing security headers
● Insecure hash
FIXED
FIXED
IGNORE

Simply docker
docker run
-t --net=host
-v $(pwd):/zap/wrk
owasp/zap2docker-weekly
zap-api-scan.py
-t http://localhost:4003/api/swagger.json
-f openapi
-r report.html
Find out more on Zap’s wiki...

Source: https://giphy.com/gifs/thisisgiphy-reaction-audience-l4HodBpDmoMA5p9bG

Security Testing Options
Passive (Proxy) Active (OpenAPI)
Simple to integrate Simple to integrate
Wide coverage Wide Coverage
Fast Slow
Mixing tests types Dedicated tests types

Useful links
● Pull Request – adding security tests to Tweek
● Malicious Pull Request
● Demo repo – Adding security tests to vulnerable app - Juice Shop
● Blog Post – how I added security tests to Tweek
@omerlh
@yshayy

Weitere ähnliche Inhalte

Was ist angesagt?

Api First Design

Klaus Peter Laube

Continuous delivery in Qbon

Jaric Kuo

Continuous integration for Ruby on Rails

David Paluy

Simple Unit Testing in Appcelerator Titanium Alloy

Aaron Saunders

Integration Testing with Docker Containers with DockerCompose

Mike Holdsworth

Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...

OdessaJS Conf

Docker hands on

arpith pathange

DevOps and All the Continuouses w/ Helen Beal

Sonatype

At Findly we know test automation is key for continuous delivery. However, in the context of a microservices architecture, our monolithic end-to-end test suites have still been limiting our ability to achieve a truly "continuous" pace of delivery. This talk will explain the principles, processes and techniques we are now using to build test suites for microservices and enable continuous delivery at Findly. Presented at Auckland Continuous Delivery meetup, May 2016 (http://www.meetup.com/Auckland-Continuous-Delivery/events/230864194/).

Testing Microservices

Nathan Jones

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin

Matt Tesauro

How Azure DevOps can boost your organization's productivity

Ivan Porta

Slides from a talk I gave at Nashville CocoaHeads on 7/29/15. For more information on Nashville CocoaHeads check out this website: http://cocoaheads.org:8106/us/NashvilleTennessee/index.html Here is the list of compiler flags I use in my projects and reference in the talk. You can easily copy the whole list, paste them into Xcode since the spaces are separators for the flags. -Wall -Wextra -Werror -Wconversion -Wundef -Wdeprecated-implementations -Wno-unused-parameter -Wfloat-equal -Wimplicit-retain-self -Wnewline-eof -Wshadow -Wsign-compare

Optimize and maintain your project in Xcode.

Bryn Bodayle

Mastering spring 5.0 - By SADIK SAID

Said Sadik

Watch the full webinar here: https://bit.ly/2NsNSVb 83% of organizations use vulnerable dependencies. By bringing Snyk into the CI/CD process we can scan Docker images as they are created and reveal vulnerabilities and fixes to developers as they work. Don’t wait for production to catch vulnerabilities! In this presentation, we use Codefresh to integrate with Snyk for a secure continuous delivery pipeline. Ready to try Codefresh? Sign up for FREE (120 builds/month) at Codefresh.io/codefresh-signup

Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...

Codefresh

OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images. This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.

OWASP WTE - Now in the Cloud!

Matt Tesauro

SAST_QSDL

Ivan Elkin

Delivery pipelines at Symphony Talent - Present and Future

Nathan Jones

To Protect & To Serve

Jorge Ortiz

Mobile automation using selenium cucumber & appium

Selenium Cucumber

Continuous Integration for Titanium

Denver Sessink

Was ist angesagt? (20)

Api First Design

Continuous delivery in Qbon

Continuous integration for Ruby on Rails

Simple Unit Testing in Appcelerator Titanium Alloy

Integration Testing with Docker Containers with DockerCompose

Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...

Docker hands on

DevOps and All the Continuouses w/ Helen Beal

Testing Microservices

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin

How Azure DevOps can boost your organization's productivity

Optimize and maintain your project in Xcode.

Mastering spring 5.0 - By SADIK SAID

Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...

OWASP WTE - Now in the Cloud!

SAST_QSDL

Delivery pipelines at Symphony Talent - Present and Future

To Protect & To Serve

Mobile automation using selenium cucumber & appium

Continuous Integration for Titanium

Ähnlich wie All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv 2017

Security process should be integrated with SDLC well to be successful. While many companies have already moved from Waterfall to Agile methodologies security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs and to implement a continuos security testing using dynamic scanners as well as manual testing. It’s very important also to assure that false positives are not fed to the developers bug tracking systems and to assign a severity for each finding correctly. To make it happen we import all our findings to a security dashboard and review them before exporting to a bug tracking system.

Making Security Agile

Oleg Gryb

All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler. This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence. From DeliveryConf 2020

Pragmatic Pipeline Security

Talk given at ISC2 Secure SDLC event in Austin, TX The release velocity for our applications is increasing, often leaving security testing behind. In some cases, the security team ends up being the bottleneck. That's bad. In an idyllic world, security testing would happen earlier in the development lifecycle, but lets do one better. Lets do security testing on every code change. Using automation tooling and DevOps practices, this talk will help you tune security testing to your release cadence and more importantly help you deliver more rugged software.

Attacking Pipelines--Security meets Continuous Delivery

Learn how to use AWS services to automate manual tasks, help teams manage complex environments at scale, and keep engineers in control of the high velocity that is enabled by DevOps. In this session, we will provide an overview of the various AWS development and deployment services and when best to use them. We will show how to build a fully automated infrastructure and software delivery pipeline with AWS CodePipeline, AWS CodeBuild, AWS CloudFormation and AWS CodeDeploy. At the end of the session, a GitHub repository of AWS CloudFormation templates will be provided so you can quickly deploy the same pipeline to your AWS account(s).

DevOps Tooling - Pop-up Loft TLV 2017

AWS Lambda has changed the way we deploy and run software, but this new serverless paradigm has created new challenges to old problems - how do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures? In this talk Yan and Scott will discuss solutions to these challenges by drawing from real-world experience running Lambda in production and migrating from an existing monolithic architecture.

Security as Code

Ed Bellis

Serverless in Production, an experience report (cloudXchange)

All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table. Presented at OWASP NoVA, Sept 25th, 2018

DevSecOps and the CI/CD Pipeline

Expo - Zero to App.pptx

😎 Anthony Kariuki

The Emergent Cloud Security Toolchain for CI/CD

The DevSecOps Builder’s Guide to the CI/CD Pipeline

Today’s cutting-edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share the processes that Amazon’s engineers use to practice DevOps and discuss how you can bring these processes to your company by using a new set of AWS tools (AWS CodePipeline and AWS CodeDeploy). These services were inspired by Amazon's own internal developer tools and DevOps culture.

Dev ops on aws deep dive on continuous delivery - Toronto

DevOps On AWS - Deep Dive on Continuous Delivery

Mikhail Prudnikov

Serverless in production, an experience report

Slides of a session that I have given/will give at various developer conferences in H1 2018. Niklas Heidloff http://twitter.com/nheidloff http://heidloff.net Summary Article http://heidloff.net/article/when-to-use-serverless-kubernetes OpenWhisk https://openwhisk.apache.org https://github.com/ibm-functions/composer https://github.com/nheidloff/openwhisk-debug-nodejs Kubernetes https://kubernetes.io https://istio.io IBM Cloud http://ibm.biz/nheidloff Abstract There is a lot of debate whether to use Serverless or Kubernetes to build cloud-native apps. Both have their advantages and unique capabilities which developers should take into consideration when planning new projects. We will throw some light on the topics ease of use, maturity, types of scenarios, developer productivity and debugging, supported languages, DevOps and monitoring, performance, community and pricing. Cloud-native architectures shift the complexity from within an application to orchestrations of Microservices. Both Kubernetes and Serverless have their strengths which we will discuss. Besides the core development topics, developers should also understand operational aspects how complicated it is to maintain your own systems versus using managed platforms.

When to use Serverless? When to use Kubernetes?

Niklas Heidloff

Serverless in production, an experience report (Going Serverless)

Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services. Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India

Continuous Delivery, Continuous Integration

Serverless in Production, an experience report (AWS UG South Wales)

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Serverless in production, an experience report (LNUG)

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

From idea to execution, the challenges of publishing an open source project are very similar to initializing a startup when it comes to creating a successful product that people will love and use. Most open source projects are not “taking-off”, although they are really good! This is because developers (which are usually the creators of open source projects) think that writing the code is the hard part and “neglect” the other parts of publishing a good open source project. In this talk, I will use my experience as a contributor to open source and product head of a startup, to go beyond writing the code itself and cover the other central aspects of creating an open source project, like MVP, product/market fit, marketing and more.

Ähnlich wie All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv 2017 (20)

Making Security Agile

Pragmatic Pipeline Security

Attacking Pipelines--Security meets Continuous Delivery

DevOps Tooling - Pop-up Loft TLV 2017

Security as Code

Serverless in Production, an experience report (cloudXchange)

DevSecOps and the CI/CD Pipeline

Expo - Zero to App.pptx

The Emergent Cloud Security Toolchain for CI/CD

The DevSecOps Builder’s Guide to the CI/CD Pipeline

Dev ops on aws deep dive on continuous delivery - Toronto

DevOps On AWS - Deep Dive on Continuous Delivery

Serverless in production, an experience report

When to use Serverless? When to use Kubernetes?

Serverless in production, an experience report (Going Serverless)

Continuous Delivery, Continuous Integration

Serverless in Production, an experience report (AWS UG South Wales)

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Serverless in production, an experience report (LNUG)

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Mehr von DevOpsDays Tel Aviv

YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...

If you have never used GraphQL before, you probably think that it is just another buzzword that will be forgotten in a few years. You might think: “Why do I need to learn a new way to write APIs when REST already answers all my needs?”. Or, you are excited to learn something new but don’t believe GraphQL is mature enough for production. In this talk, I will remind you of some of the pain points you have probably experienced when using REST. I will then explain what GraphQL is and demonstrate how it solves these pain points. Next, I will discuss the disadvantages of GraphQL. Finally, I will provide some guidelines for choosing between REST and GraphQL. By the end of this talk, you will understand what GraphQL is and when to use it.

GRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, Salto

“The International Space Station has been orbiting the Earth for over 20 years. It was not launched fully formed, as a monolith in space. Instead, it is built out of dozens of individual modules, each with a dedicated role - life support, engineering, science, commercial applications and more. Each module (or container) functions as a microservice, adding additional capabilities to the whole. Not only do the modules need to function together, delivering both functional and non-functional capabilities, they were designed, developed and built by different countries on Earth and once launched into space (deployed in multiple different ways), had to work together - perfectly. Despite the many (minor) reliability issues which have occurred over the decades, the ISS remains a highly reliable platform for cutting edge scientific and engineering research. In this session I will describe the way the space station was developed and the lessons Site Reliability and DevOps Engineers can learn from it.

MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...

Have you ever felt you took every wrong turn possible in the process of mitigating a production incident? Did you go through a 3-hour hell during incident response and felt the incident wasn’t complex enough to justify the horrors you’ve experienced? Did it cause you to question your engineering or problem-solving skills? Well, it’s only partially you. Our brain is wired to make decision-making simpler. In doing so, it exposes itself to biases, heuristics, and other quirks that may seem like “bad decisions” in hindsight. In this talk, through real-life outages, we’ll project those psychological principles onto the world of production monitor, and incident management. As a responder, you’ll learn why those behavioral patterns emerge during production incidents and what can be done to limit their effect, and as a manager, you’ll learn how to enable and encourage a healthy environment to better support those patterns.

THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...

The word observable entered the English language roughly 400 years ago, but the concepts of what it means to see, comprehend, and understand something have been debated since time immemorial. Starting in the 19th century, a series of postulates and criteria coalesced into control theory, and it is from this body of knowledge that we gained the word “observability”. Today, with the advent of complex, interconnected computer systems, that word has taken on new meanings and connotations—some useful, some detrimental, and some just plain confusing. In this talk, we’ll mix a little history, a touch of philosophy, and a healthy dose of reality, to demystify what observability means to us as professional computer people. We’ll tear through the marketing material and unearth foundational principles that will help us to build better infrastructure, write better software, and promote healthier business practices. Finally, we’ll explore some potential new avenues for discussion and understanding.

PRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDog

Security people say users are the weakest link. But are they? When complying with security becomes too burdensome, users take shortcuts, find workarounds, and end up jeopardizing security. Blaming users is lazy and easy. Making security usable is time consuming and challenging. How does design research help us understand our customers? What patterns and principles drive secure behavior? How can we build empathy with customers and make the right thing to do the easiest thing to do? This session explores these questions, and provides examples of how design thinking and research can help us be more secure. We will walk through our creation of core user personas, design principles, and how these inform and direct our design choices and intent. Don’t blame your users anymore. Come learn how to be part of a future where usability leads security.

NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...

This is for you, you rockstar, ninja coffee drinking workaholic who doesn’t know what a vacation day looks like. Even though you love your job and are dedicated and are super important, you need a break too. We tend to think that working all the time is an effective practice while the truth is that finding the time for self care and recharging your batteries is beneficial for both you and your company. Additionally, if you’re a leader, you’re responsible for the wellbeing of your team. In this talk I’ll discuss the importance of taking time off of work and creating a positive culture surrounding vacation time.

(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG

This is a story about taking the cloud infrastructure of a successful company, that is still managed as infrastructure of a startup company, and rebuilding it to support the growing business requirements, especially around disaster recovery and business continuity. In the session I will share Next Insurance’s journey - where we started, where we are now and what we learned on the way so far. I will talk about how we managed to build our proven DR plans, and actually execute them in our DR drills. I will also talk about why we decided that the only way to prove your DR plan works is to continue running your business in the DR account and make it your production account, and go on to build your next DR account. If you are a part of a company that is about to embark on a similar journey, this session might equip you with some very useful insights on how to think about such a challenge, and some very useful and practical tips on how to execute it.

BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...

CI/CD pipelines are quickly becoming the path of least resistance for would-be attackers into sensitive internal systems, gaining access to critical data, with minimal effort. In the InfoSec world when we talk about CI/CD security often times this focuses on specific aspects of securing your pipeline - scanning the code, protecting secrets, securely managing code deployments, or even authentication and authorization mechanisms, but we rarely talk about all of these together. After years of being in the trenches and realizing that the attack surface is growing and the threat landscape becoming more and more complex, it has become increasingly apparent that security teams need to adapt and modify strategies to keep up with the new reality of CI/CD protection, without compromising developer velocity. In this talk I would like to propose a new way of thinking about CI/CD security - that encompasses the three disciplines that comprise CI/CD security - security in the pipeline, of the pipeline, and around the pipeline. Partial coverage of any or all of these disciplines simply will not cut it with the continuously evolving risk landscape. Security engineers need to address each of these aspects in their entirety to provide the full scope of coverage that modern organizations need, and I will take a deep dive on the challenges each introduce, and the approaches and techniques for mitigating them based on adversarial sec research.

THE THREE DISCIPLINES OF CI/CD SECURITY, DANIEL KRIVELEVICH, Cider Security

The last two decades have been all about SaaS, with advantages that cannot be overstated. Except SaaS isn’t always an option, nor is it always the right choice: businesses in tightly regulated industries, or where information security is paramount, for example, will not - often can not - consider any software that isn’t under their control. For many software enterprises, this leads to the dreaded inevitability of on-premise deployment. Fortunately, the situation today is dramatically different to a scant few years ago, let alone a decade or two: the same technologies that enable SaaS have also radically transformed on-prem deployment. Modern tools like Docker, Consul, ELK and Kubernetes - to name a few - can be leveraged to completely transform the experience for both customers and vendors. In this talk we’ll contrast the challenges and advantages of SaaS and on-prem, see how things have evolved in recent history, and see how modern on-prem deployment can be, if not pleasurable, at least relatively painless.

THE PLEASURES OF ON-PREM, TOMER GABEL

Configuration Management is at the core of Ops. It’s the biggest enabler of any compute operation, small and big. In the past decade, we have switched from thinking about the machines we are configuring, to think about the software and services we are controlling. With that change of mindset, so did the tools we are using. Traditional tools like Puppet, chef, salt and Ansible are slowly declining while new tools such as Terraform, Pulumi, Helm and Kustomize are on the rise. In this talk I will try to describe the pain-points and the opportunities of this transformation as well as suggesting a future direction based on tools developed at the big-tech companies (Mainly facebook and google).

CONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPack

We all know how hard it is to find DevOps engineers, and creating a diverse team despite gender and ethnicity bias? Nearly impossible. At this talk we will show our tools and methods implemented in the Develeap hiring process that overcome this inherited bias. About 2 years ago we faced a crisis in our DevOps consulting company - the market demand was higher than we could supply. The traditional recruiting process depending on CV and artificial credentials was not working. So we came up with an alternative solution, and since then - we are growing exponentially and diversely. In this talk we will show the practical tools we deployed in order to increase our capacity, and we will show how these tools overcome the inherited bias in the process.

SOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, Develeap

Everyone wants observability into their system, but find themselves with too many vendors and tools, each with its own API, SDK, agent and collectors. With the increasing complexity of modern applications, continuous profiling methods and tools are gaining popularity among the Developer and Engineering communities. In this session, we cover what continuous profiling entails and why you should implement a profiler into your tech stack (if you haven’t done so already). We’ll then bring theory to practice and demonstrate a real-life scenario using gProfiler, a free open-source continuous profiling tool, covering Linux servers on multiple architectures (such as Graviton).

OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...

“Being oncall sucks. But it doesn’t have to!” We all heard this one before. Why is it though, that oncall still remains the biggest scar for many? What can a modern Engineering org do to rein the oncall dragons, and actually help people grow as professionals as they go oncall? In this talk, I will present the main reasons why oncall is difficult in modern orgs, and describe ways to mitigate these hardships. The idea is that oncall is often the ‘backroom’ of an org, where all the technical and organizational debt take their toll. Be it unwieldy systems or broken processes between teams, oncall checks all the ‘weak boxes’. Therefore, the only way to win at oncall is to sort out your debts, starting with the organizational ones. I will dive into the detail of the oncall rotation at Snyk as the org scaled from 1 to 220 people, what worked well about it, and what was less than perfect. I will discuss the decisions made to turn oncall into a building block of the org, and show a path to rein oncall in your organization as well.

HOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKH

Github Copilot and tools that help us code better are cool. But I’m lucky if I spend 90 minutes a day writing code. We really need to optimize the hours we spend reviewing code, updating tickets and tracing where our code is deployed. Learn how I save an hour a day streamlining non-coding tasks. This talk is unique because 99% of developer productivity tools and hacks are about coding faster, better, smarter. And yet the vast majority of our time is spent doing all of this other stuff. After I started focusing on optimizing the 10 hours I spend every day on non-coding tasks, I found I my productivity went up and my frustration at annoying stuff went way down. I cover how to save time by reducing cognitive load and by cutting menial, non-coding tasks that we have to perform 10-50 times every day. For example: Bug or hotfix comes through and you want to start working on it right away so you create a branch and start fixing. What you don’t do is create a Jira ticket but then later your boss/PM/CSM yells at your due to lack of visibility. I share how I automated ticket creation in Slack by correlating Github to Jira. You have 20 minutes until your next meeting and you open a pull request and start a review. But you get pulled away half way through and when you come back the next day you forgot everything and have to start over. Huge waste of time. I share an ML job I wrote that tells me how long the review will take so I can pick PRs that fit the amount of time I have. You build. You ship it. You own it. Great. But after I merge my code I never know where it actually is. Did the CI job fail? Is it release under feature flag? Did it just go GA to everyone? I share a bot I wrote that personally tells me where my code is in the pipeline after it leaves my hands so I can actually take full ownership without spending tons of time figuring out what code is in what release.

HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB

Do you know what it feels like to navigate as someone who can’t distinguish between green and red - looking at those badges that tell you whether something is broken or a-okay? I’ll give you a quick look into what it feels like with some examples from the monitoring tool Icinga Web 2. We all tend to forget, that not everyone sees the world like we do. In this talk I’ll be walking you through different views in Icinga Web 2 with side-by-side comparisons for the default views and how different kinds of vision impairments affect those. The talks also features a few suggestions on how to improve colour schemes and making websites and webapps better to navigate with screen readers!

FLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, Icinga

Recent years have exposed startups to a major plague - cloud overspend. No vaccine appears to exist, plethora of tools and consultants fail to stop the bleeding. And yet, some companies manage to stay safe. What makes them different? Is it the tools? Is it the mindset? Is it developer training? In this session we will examine the cultural factors involved in sound and responsible financial management in the cloud. We will also look at relevant system design elements and product design elements which enable us to spend wisely while our business runs smoothly. Following this session, you should be better versed in cost-aware system design and some of the cultural and structural requirements to keeping your cloud bill low.

(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY

In every development process there is the question, do we invest enough on quality? Do we need to invest more? Every team knows about the dilemma of how many tests is the right amount of tests we should write. Is 80% test coverage is good enough? Maybe 90%? 100%? Should we invest more time in unit testing? Are we wasting too much time on unit-testing? Should we invest time on a faster rollback mechanism? WIIFM “Without data, you’re just another person with an opinion” - W. Edwards Deming SLO Driven Development is a framework that helps the developers focus on impact and balance of every aspect of the dev process. When working currently with SLI, SLA, SLO and error budget you can learn where to invest in the development process. Let’s talk about the importance of good SLOs and how they can help us improve our day2day

SLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.io

In this talk, I will share do's and don'ts on how to onboard successfully in a remote or hybrid setup including moving to a leadership role, speaking from my own journey onboarding remotely in the midst of a global pandemic. I will share the tips that worked for me for successful onboarding, how I was able to be productive, impactful, and make a good impression on others. The key issues as an “onbordee” that I will talk about are how to create relationships, make yourself visible in the company, time management, and more. Since I started working in Augury over 100 new employees have joined the company. Each month I give a session that is part of their general onboarding process. This became a crucial step due to the fact that we are now a hybrid company and a lot of people are onboarding remotely or in a hybrid setup for the first time in their lives. I joined the company as a backend developer and a few months into my role, the squad leader position in my squad was up for grabs and I was fortunate enough to grab it :) This is my first official leadership role, which I also needed to onboard into in a hybrid setup. I will share the process that I built for myself on “How to lead”. Also, a word or two on the process we built as a squad on how we work in a hybrid setup, what are we optimizing for when we do meet and how to include new members of the team.

ONBOARDING IN LOCKDOWN, HILA FOX, Augury

In your ever-changing Infrastructure, some changes are intentional while others are not. Drift is what happens whenever the real-world state of your infrastructure differs from the state defined in your configuration. This can happen for many reasons, sometimes it happens when adding or removing resources, other times when changing resource definitions upon resource termination or failure, and even when changes have been made manually or via other automation tools. While Terraform itself can detect drifts, in most cases, you will be informed about it too late: just before you are about to deploy new changes to your infrastructure. What’s interesting about Terraform though, is that you can apply changes in two separate and distinct steps of “Planning” and “Applying”. This means that you have full visibility of what Terraform is planning on doing beforehand, and if you are satisfied with the changes, you can choose to apply them. So how does this work? When something is changed intentionally, it will appear in the source code, and the Terraform plan will not do anything. However, if any part of the infrastructure has been changed manually, Terraform’s plan will identify this, and alert you to the change. In other words, if your IaC drifted from its expected state, then Terraform’s plan will, in fact, detect it. Applying this simple solution can empower DevOps and developer velocity, with the reassurance and context for unexpected changes in your IaC, in near real-time. This talk will showcase real-world examples, and practical ways to apply this in your production environments while doing so safely and at the pace of your engineering cycles.

DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly