2. About Me
• One of the founding members of “Devopsdays”
• Co-author of the “Devops Handbook”
• Author of the “Introduction to Devops” on Linux Foundation edX
• Podcaster at devopscafe.org
• Devops Enterprise Summit - Cofounder
• Ninth person in at Chef (VP of Customer Enablement)
• Formerly Director of Devops at Dell
• Founder of Socketplane (Acquired by Docker)
• 10 Startups over 25 years
https://github.com/botchagalupe/my-presentations
5. What if I told you you could be 2000 times faster than your competitors
6. What if I told you that you could be 100 times more reliable than your competitors
11. Devops Taxonomies
• CAMS
• Culture
• Automation
• Measurement
• Sharing
• The Three Ways
• The First Way
• The Second Way
• The Third Way
12. Devops Practices and Patterns
• Continuous Delivery
• Everything in version control
• Small batch principle
• Trunk based deployments
• Manage flow (WIP)
• Automate everything
• Culture
• Everyone is responsible
• Done means released
• Stop the line when it breaks
• Remove silos
itrevolution.com/devops-handbook
13. Recent IT Performance Data is Compelling
High performers compared to their peers…
• 30x more frequent deployments
• 200x faster lead times
• 60x the change success rate
• 168x faster mean time to recover (MTTR)
• 2x more likely to exceed profitability, market share & productivity goals
• 50% higher market capitalization growth over 3 years*
Data from 2014/2015 State of DevOps Report - https://puppetlabs.com/2015-devops-report
14. Recent IT Performance Data is Compelling
High performers compared to their peers…
• 30x more frequent deployments
• 200x faster lead times
• 60x the change success rate
• 168x faster mean time to recover (MTTR)
• 2x more likely to exceed profitability, market share & productivity goals
• 50% higher market capitalization growth over 3 years*
Data from 2014/2015 State of DevOps Report - https://puppetlabs.com/2015-devops-report
Faster
Higher Quality
More Effective
2555x
18. Devops Results
Google
• Over 15,000 engineers in over 40 offices
• 4,000+ projects under active development
• 5500+ code submissions per day (20+ p/m)
• Over 75M test cases run daily
• 50% of code changes monthly
• Single source tree
19. Devops Results
Amazon
• 11.6 second mean time between deploys.
• 1079 max deploys in a single hour.
• 10,000 mean number of hosts simultaneously receiving a deploy.
• 30,000 max number of hosts simultaneously receiving a deploy.
20. Unicorns and Horses (Enterprises)
Unicorns
Enterprise
Shamelessly stolen and repurposed from: Pete Cheslock
21. Devops Results
Enterprise Organizations
• Ticketmaster - 98% reduction in MTTR
• Nordstrom - 20% shorter Lead Time
• Target - Full Stack Deploy 3 months to minutes
• USAA - Release from 28 days to 7 days
• ING - 500 applications teams doing devops
• CSG - From 200 incidents per release to 18
26. Why OS Level Virtualization
• Provision in milliseconds
• Near bare metal runtime performance
• VM-like agility – it’s still “virtualization”
• Lightweight – Just enough Operating System (JeOS)
• Supported with modern Linux kernel
• Growing in popularity
29. Docker Security Enhancements
• Docker Security Scanning
• Docker Content Trust
• Docker Trusted Registry
• TLS by Default for Swarm/Docker Data Center
• Read Only Containers
• User Namespaces
• Seccomp and LSM support
• Enhanced System “Capabilities” support
• Secrets Management
• Immutable Operating System (Coming Soon)
37. Toyota Production Systems - 4VL
Variety
• Determine your variety of offerings based on operational efficiency and market demand
Velocity
• Maintain a steady flow through all processes of the supply chain
Variability
• Manage inconsistencies carefully to reduce cost and improve quality
Visibility
• Ensure the transparency of all processes to enable continuous learning and improvement
39. Immutable Service Delivery (4VL)
Variety
• Learn faster, Limited frameworks, Limited operating systems, Limit vendors.
Velocity
• Small Batch, Small Teams, Microservices and Containers
Variability
• Docker and Immutable Delivery
Visibility
• Automated Testing, Docker Trust, Docker Security Scanning, Bounded Context, Bill of Materials
Use their highest quality parts
Use fewer, better suppliers
Track which parts you use & where
40. Visibility - Docker - Bill of Material
• Where and when was it built and why
• What were its ancestor images
• How do I start, validate, monitor and update it
• What git repo is being built, what hash of that git repo was built
• What are all the tags this specific container is known as at time of build
• What’s the project name this belongs to
• Have the ability to have arbitrary user supplied rich metadata
Software Supply Chain - 4VL
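One way to check an image against the bill-of-materials questions on this slide, as an added example (not code from the talk or from Docker). It reads `docker image inspect` JSON and assumes the answers are stored as image labels under the OCI `org.opencontainers.image.*` annotation keys; that mapping, `bom_report`, and the sample image are assumptions constructed for illustration.

```python
import json

# Constructed `docker image inspect` output, trimmed to the fields used.
SAMPLE_INSPECT = json.loads("""
[{
  "RepoTags": ["registry.example/claims-api:1.4.2",
               "registry.example/claims-api:latest"],
  "Config": {"Labels": {
    "org.opencontainers.image.created": "2024-01-15T09:30:00Z",
    "org.opencontainers.image.source": "https://git.example/insurance/claims-api",
    "org.opencontainers.image.revision": "0123456789abcdef0123456789abcdef01234567",
    "org.opencontainers.image.title": "claims-api",
    "org.opencontainers.image.base.name": "registry.example/base/alpine:3.19",
    "com.example.build.reason": "scheduled security rebuild"
  }}
}]
""")

# Slide question -> label expected to answer it (assumed mapping onto OCI keys).
REQUIRED = {
    "when built": "org.opencontainers.image.created",
    "git repo": "org.opencontainers.image.source",
    "git hash": "org.opencontainers.image.revision",
    "project name": "org.opencontainers.image.title",
    "ancestor image": "org.opencontainers.image.base.name",
    "how to run/monitor": "org.opencontainers.image.documentation",
}

def bom_report(image):
    """Return (bom, missing) for one entry of `docker image inspect` JSON."""
    labels = (image.get("Config") or {}).get("Labels") or {}
    bom = {q: labels[k] for q, k in REQUIRED.items() if labels.get(k)}
    missing = sorted(q for q in REQUIRED if q not in bom)
    # A full 40-hex SHA-1 pins the exact commit; a branch name or short hash does not.
    rev = bom.get("git hash", "")
    if rev and not (len(rev) == 40 and all(c in "0123456789abcdef" for c in rev)):
        missing.append("git hash (not a full SHA-1)")
    bom["tags"] = image.get("RepoTags") or []
    # Everything else is the "arbitrary user supplied" metadata from the slide.
    bom["extra"] = {k: v for k, v in labels.items() if k not in REQUIRED.values()}
    return bom, missing

if __name__ == "__main__":
    bom, missing = bom_report(SAMPLE_INSPECT[0])
    print(json.dumps(bom, indent=2))
    print("missing:", missing)
```

Run in CI after the build step, a non-empty `missing` list is a reason to fail the pipeline before the image is pushed.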
42. DevSecOps
Requirements & Design, Development, CI, Interval Trigger Assessment, Production
• Application Risk Classification
• Security Requirement Definition
• Secure Libraries
• Static Analysis/IDE
• SCM
• Open Source Governance (CI)
• Secure Coding Standards
• Perimeter Assessment
• Dynamic Assessments
• Threat-Based Pen Test
• Web Application Firewalls
• Automated Attack/Bot Defense
• Container Security Management
Security Mavens (Security-Trained Developers and Operations)
Role Based Software Security Training
Continuous Monitoring, Analytics and KPI Gathering
Preventative, Detective
Lightweight threat modeling approach
Detailed manual assessments triggered automatically at appropriate interval; detached from release cycle
• Container Security Compliance (CI)
• Threat modeling
• Static Analysis (CI)
43. Immutable Service Delivery
Fortune 500 Insurance Company
• Tracks critical and high security defect rate per 10k lines of code
• Started out with (10/10k)
• After applying Devops practices and principles (4/10k)
• After applying Toyota Supply Chain 4VL (1/10k)
• After Docker with Immutable Delivery (0.1/10k)
44. With Docker
Fortune 500 Insurance Company
• One Service
• One Container
• One Read Only File System
• One Port
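A check for the pattern on this slide, as an added example (not the insurance company's tooling or code from the talk). It reads `docker container inspect` JSON and flags a writable root filesystem or anything other than one exposed port, and goes slightly beyond the slide by also reporting writable mounts; the sample containers and function names are constructed for illustration.

```python
import json

# Constructed `docker container inspect` output, trimmed to the fields used.
SAMPLE = json.loads("""
[{"Name": "/claims-api",
  "HostConfig": {"ReadonlyRootfs": true},
  "Config": {"ExposedPorts": {"8443/tcp": {}}},
  "Mounts": [{"Destination": "/etc/app", "RW": false}]},
 {"Name": "/legacy-app",
  "HostConfig": {"ReadonlyRootfs": false},
  "Config": {"ExposedPorts": {"22/tcp": {}, "80/tcp": {}}},
  "Mounts": [{"Destination": "/var/lib/app", "RW": true}]}]
""")

def violations(container):
    """List the ways one inspected container departs from the slide's pattern."""
    found = []
    host = container.get("HostConfig") or {}
    if not host.get("ReadonlyRootfs", False):
        found.append("root filesystem is writable")
    ports = sorted((container.get("Config") or {}).get("ExposedPorts") or {})
    if len(ports) != 1:
        found.append("exposes %d ports (%s), expected 1"
                     % (len(ports), ", ".join(ports) or "none"))
    # Beyond the slide: with a read-only root, writable mounts are the
    # remaining places where container state can change at runtime.
    for mount in container.get("Mounts") or []:
        if mount.get("RW"):
            found.append("writable mount at " + mount.get("Destination", "?"))
    return found

def audit(containers):
    """Map container name -> violations, for every inspected container."""
    return {c.get("Name", "?").lstrip("/"): violations(c) for c in containers}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```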
45. Immutable Service Delivery
• Devops (Faster)
• Docker (Effective)
• Supply Chain (Reliable)
2000x Faster and 100x Reliable