
NETWAYS Blog

stackconf online 2021 | Continuous Security – Integrating Security into your Pipelines

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our expert sessions and the large number of participants who joined us from all over the world. In the following you get an insight into one of our talks.

At stackconf online 2021 Matt Jarvis held a talk about continuous security within pipelines. This is a great topic, as security is not only extremely important, but more and more people are realising its importance.

Matt started off with an introduction to how DevOps has progressed: in the pre-cloud era the developer wrote the application and IT operations took over the security side of things. Nowadays developers write the code, check, deploy and manage almost everything, which can be a lot! The line has become blurred and the responsibility for security doesn’t have a rightful place, which is where Snyk comes in.

Security is usually considered an external practice, and as it requires a higher level of responsibility, it needs to be made easier for developers to use. As we all know, security is hard to implement once a system is deployed, and having a secure system helps win over the trust of your customers. This problem only grows as more and more code is written each year, which of course means a higher probability of errors and vulnerabilities.

Dependencies and Vulnerabilities

The problem with these vulnerabilities isn’t always in the direct dependencies themselves, but in their dependencies. Up to 70% of vulnerabilities are found in these indirect (transitive) dependencies, and they can also be used to hide malicious code.

In the example shown, the malicious code was hidden in sub-dependencies and the package had over 440,000 downloads per month! If people only check the top layer, there is a whole lot they are missing. Sometimes all it takes is rebuilding an image or pulling a newer one: up to 44% of Docker image vulnerabilities can be resolved with a newer base image.
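To make the point about indirect dependencies concrete, here is an added example (not code from the talk or from Snyk): a small audit over a constructed, lockfile-shaped dependency graph with hypothetical package names and placeholder advisory ids. It walks the whole tree rather than just the top layer, reports for each vulnerable package whether it is direct or transitive, and prints the path through which each top-level dependency drags it in.

```python
"""Find vulnerable packages hidden in transitive dependencies.

Added example, not from the talk or from Snyk: the dependency data and the
advisory list below are constructed, and the package names are hypothetical.
"""
from collections import deque

# Constructed resolved-dependency graph, shaped like a flattened lockfile:
# package -> list of the packages it requires.
LOCK_GRAPH = {
    "webapp": ["express-like", "image-tools", "logger"],
    "express-like": ["cookie-lib", "path-match"],
    "image-tools": ["libpng-binding", "color-util"],
    "color-util": ["ansi-styles-fork"],
    "logger": ["ansi-styles-fork"],
    "cookie-lib": [],
    "path-match": [],
    "libpng-binding": [],
    "ansi-styles-fork": [],
}
ROOT = "webapp"

# Constructed advisory feed: package -> (severity, placeholder advisory id).
ADVISORIES = {
    "ansi-styles-fork": ("high", "ADVISORY-PLACEHOLDER-1"),
    "libpng-binding": ("critical", "ADVISORY-PLACEHOLDER-2"),
    "cookie-lib": ("medium", "ADVISORY-PLACEHOLDER-3"),
    "logger": ("low", "ADVISORY-PLACEHOLDER-4"),
}


def direct_dependencies(graph, root):
    """The 'top layer': what a manifest-only check looks at."""
    return set(graph.get(root, []))


def all_dependencies(graph, root):
    """Breadth-first walk over the whole tree, including transitive deps."""
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def dependency_paths(graph, root, target):
    """All root -> ... -> target paths: this tells a developer which
    top-level dependency pulls the vulnerable package in."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against dependency cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


def audit(graph, root, advisories):
    """Return one finding per vulnerable package reachable from root,
    tagged 'direct' or 'transitive'."""
    direct = direct_dependencies(graph, root)
    findings = []
    for pkg in sorted(all_dependencies(graph, root)):
        if pkg in advisories:
            severity, advisory_id = advisories[pkg]
            findings.append({
                "package": pkg,
                "severity": severity,
                "advisory": advisory_id,
                "kind": "direct" if pkg in direct else "transitive",
                "paths": [" > ".join(p) for p in dependency_paths(graph, root, pkg)],
            })
    return findings


def transitive_share(findings):
    """Fraction of findings a top-level-only check would never see."""
    if not findings:
        return 0.0
    return sum(f["kind"] == "transitive" for f in findings) / len(findings)


if __name__ == "__main__":
    results = audit(LOCK_GRAPH, ROOT, ADVISORIES)
    for f in results:
        print(f"[{f['severity']}] {f['package']} ({f['kind']}, {f['advisory']})")
        for p in f["paths"]:
            print("    via", p)
    print(f"transitive share: {transitive_share(results):.0%}")
```

In the constructed data three of the four vulnerable packages are transitive, and `ansi-styles-fork` is reached along two different paths, which is why fixing one top-level dependency alone would not remove it.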

Another problem lies mainly in configuration. One of the most commonly seen issues is misconfiguration. It is usually unintentional, but what some developers don’t realise is that not all applications need root access. By default containers run as root; if this is changed before deployment, it restricts what a would-be attacker can do. Something else to consider is the writable file systems mounted into a container. By allowing this, an attacker who compromises the container also gets write access to the mounted volume. If your containers are stateless, the attacker will have a harder time doing damage.
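The two misconfigurations named above (running as root, writable file systems) are exactly the kind of thing a pipeline check can catch before deployment. The following is an added example, not code from the talk or from Snyk: a weak pod manifest beside a hardened one, both constructed and written as Python dicts (the JSON form of a Kubernetes Pod; the securityContext field names are the real Kubernetes ones), and a small audit function that merges pod- and container-level settings the way the kubelet applies them and reports the findings.

```python
"""Check Kubernetes pod specs for the container misconfigurations the talk
names: running as root and a writable root filesystem.

Added example, not from the talk or from Snyk. Both manifests are constructed;
the field names are the real Kubernetes securityContext fields.
"""

# Constructed "before" manifest: no securityContext at all, so the container
# runs as whatever user the image defaults to (root for most base images)
# with a writable root filesystem.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "containers": [
            {"name": "web", "image": "example.invalid/web:1.0"},
        ],
    },
}

# Constructed hardened manifest: non-root UID, read-only root filesystem,
# and a dedicated emptyDir for the one path the app really needs to write.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {
                "name": "web",
                "image": "example.invalid/web:1.0",
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            },
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def effective_security_context(pod_spec, container):
    """Container-level settings override pod-level ones; merge them so the
    check sees what would actually be applied."""
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def audit_pod(pod):
    """Return a list of (container, finding) tuples; an empty list is clean."""
    spec = pod["spec"]
    findings = []
    host_paths = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    for container in spec.get("containers", []):
        ctx = effective_security_context(spec, container)
        name = container["name"]
        uid = ctx.get("runAsUser")
        # runAsUser 0 is root; with no UID at all we rely on runAsNonRoot.
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            findings.append((name, "may run as root"))
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append((name, "privilege escalation not disabled"))
        if ctx.get("privileged"):
            findings.append((name, "privileged container"))
        # A writable hostPath mount gives a compromised container write
        # access to the node's filesystem.
        for mount in container.get("volumeMounts", []):
            if mount["name"] in host_paths and not mount.get("readOnly", False):
                findings.append((name, f"writable hostPath mount at {mount['mountPath']}"))
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for container, finding in audit_pod(pod) or [("-", "no findings")]:
            print(f"  {container}: {finding}")
```

Run against the two manifests, the weak pod produces three findings and the hardened pod none; a pipeline step would simply fail the build when the list is non-empty.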

Integrate into a Developer’s Workflow

Matt went on to talk about how responsibility for these security flaws can be shifted to the developer level. Security needs to be integrated into a developer’s workflow to help eliminate these problems at the source. Repositories also need to be taken into consideration: two-factor authentication, strong key management practices and strong review processes are a great way to reduce the chance of weaknesses being exploited.

With the help of Snyk, a developer is able to identify a lot of these flaws with monitoring scans and checks. These scans and checks can be automated in pipelines and relieve developers of a lot of the responsibility. This was shown in the demo Matt gave us: the vulnerabilities found by the checks could be fixed with the Snyk wizard, amazing! This means that errors are found and corrected before they are even deployed. This is what was meant by moving the responsibility back and fixing the problem at the source. By integrating Snyk into the IDE, issues are fixed right away and there is no need to worry about containers that are already deployed. Snyk is even smart enough to check packages and repos before they are pulled.

This is exactly the right approach to fixing the problem, and by making the whole process easier there really is no reason not to start implementing Snyk in your setups. Matt has identified the problem and shifted the responsibility to the developer, but at the same time made it easy to implement. These tools give developers the help they need to secure their containers at the source and not cause future problems that can be easily solved with a few checks and corrections. Snyk helps developers at every step of the way and takes care of the security aspect, allowing them to release code faster and more securely.

Full talk and more from and about stackconf

Watch the whole talk by Matt Jarvis:

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance, you can take a look at our archive, where you will find all slides and videos from this year’s stackconf.

Stay tuned!

Andrew Constant
Junior Systems Engineer

Andrew joined the NETWAYS family in 2020. He is currently completing his training as an IT specialist for system integration (Fachinformatiker für Systemintegration) at NETWAYS Web Services. The former foreign-language correspondent, an Englishman from Northamptonshire, wins people over with his humour and complements the team very well. He likes to spend his free time on photography, and still acts as a tandem partner for learning new languages.

Jitsi Feature – Pop-up Window

Jitsi is very privacy-friendly. As a video conferencing solution I consider it one of the best on the market, because it passes absolutely no details on to third parties. So you can be sure that your own data stays secure and private. Every Jitsi room is created only on demand and deleted as soon as all participants have left. After that, nothing of the user data remains; nothing at all. Jitsi stores no data, chat history or video files. That is why Jitsi is becoming more and more popular with those who care about their privacy. But that is not all! In addition to taking part in a video conference without leaving traces, the camera and/or microphone can be configured to be disabled by default when entering the room. Anyone who wants a bit more security can also encrypt the communication in the room end-to-end. What more could you want?

Although Jitsi is already open source, customers repeatedly ask for a consent prompt, e.g. to accept the privacy policy in order to comply with stricter European regulations. You probably already know such pop-ups. Here we show our solution for implementing this for our Jitsi customers. This is our own development and is not provided by Jitsi in this form.

The pop-up offers two choices. Anyone who agrees to the terms, which can be worded freely, is permitted to use the Jitsi instance and enter a room. In addition, a cookie is stored so that the prompt does not have to appear again on this device. It is stored locally for 30 days, expires after that and is used exclusively for the consent purpose described; we do not collect or distribute any data. If for whatever reason you do not want to agree to the terms and click “Decline”, you are redirected to the previously visited page. Of course, the pop-up can also be given a different colour scheme or an alternative logo.

It is also very useful for providing customers/visitors with further information and/or explaining the video/audio sharing, but it can also serve very well as a welcome message.

At NETWAYS we always work hard to implement the latest features and improve the little things in your system. Our servers are operated here in Germany. Do you have further ideas or wishes for customisation? Feel free to get in touch and let us know!


stackconf wrap up – DAY 2

We are back for day 2 and ready as ever. Everyone definitely felt a lot more relaxed and from the get-go people were communicating with each other. We were welcomed back by Bernd and Christian and without wasting any time we jumped right into the first talk with Frank Karlitschek. Frank talked to us about “First hand experience: How Nextcloud stayed productive during COVID-19”. A very relatable topic for many of us who have spent a lot of time in home office and have had to change our way of working. Flexibility, communication and trust in remote work were key points, as was how we should act with our employees given the change in environment. He also showed us some of the cool features that Nextcloud has to offer.

The great Migration

Nadja following Paul’s talk.

Paul Puschmann from REWE Digital was next up and talked to us about “How we finally migrated an eCommerce-Platform to GCP”. Paul explained what was needed to transition their platform to the Google Cloud Platform and how he managed to do it. He showed us the uses of Consul, the possibility of sharing it across more virtual machines and its functionality within Docker containers. There was a lot of discussion in the stackconf Rocket.Chat and a lot of great questions that Paul managed to answer both in his talk and on the channel.

“Monitoring Microservices The Right Way” was the next talk for today, presented by Dotan Horovits. Dotan talked to us about how the shift to microservices came with its difficulties with the introduction of Docker and Kubernetes. Dotan went over flexible querying over high cardinality and the requirements needed to monitor microservices efficiently, with the scalability to handle large volumes of metrics.

We took a short break with talks about Icinga, board games and UNO rules (you know what I mean). Back to the talks, Rodolpho Cocurde talked about his topic “Fuzzing: Finding Your Own Bugs and 0days!” Rodolpho is a penetration tester and also an author in several magazines like Hakin9 and Pentest Magazine. He talked to us about the ever-important issue of security, the different types of attacks and targets, and an interesting fuzzing script in Python. He also gave a great demo of how malicious code can be smuggled in via a buffer overflow through an mp3.

Developer on-call 24/7

Hello! Me at Tom’s talk.

Our next speaker Tom Granot spoke about “On-call done right: how even a developer can help”. He showed us the Oasis stack and how one developer is on-call in order to stay active 24/7. Tom went on to talk about the wealth of tools available to developers to decipher problems that may arise in an area they are unfamiliar with, but also about the things these tools don’t tell you and being able to “read between the lines”. Tom then demoed how to debug and check through services and transaction resources to find the cause of a problem when on-call.

During the lunch break Christian showed us the OpenStack setup and how everything is produced, which was a really nice insight into what is going on in the background.

“Stretching the Service Mesh Beyond the Clouds” was the first talk after the break, given by Rosemary Wang. She demonstrated the uses of a service mesh, its advantages and disadvantages and the extra benefits of “stretching” the mesh. Rosemary showed a typical topological map of how the services can be configured and the use of Consul and Terraform. The service mesh was then split across both a datacentre and a cloud, which is great as it offers one place to control retries, error handling and progressive delivery across all environments. We saw a successful canary deployment and a manual reduction and redirection of traffic.

We all scream for icecream! 😛

Serhat Can joined us next to talk about “How DevOps changed the way we operate software”. Serhat spoke about the way software teams work together and the need for shared responsibility. It is easy to push the blame onto another team, but what is needed is leadership support, transparency and ownership. He then compared software teams to Formula One teams in a great analogy, where the expertise should not just lie in one area; the teams should be able to interact and take part in a variety of different departments.

How Agile are you?

Flo spotting Martin.

The next interesting topic came from Martin Hinshelwood with “The Tyranny of Taylorism and how to spot Agile BS”. Martin started off with some figures on what companies say they do and what they actually do. He then gave a quick recap of the management and work practices through the years and how they hold up today. Martin then engaged the audience with a series of truth questions that asked us whether or not our own companies are following the Agile guidelines, very creative!

After a quick break and discussions about board games and anime, we were joined by Lakmal Warusawithana, who talked about “Reference Architecture for a Cloud Native Digital Enterprise”. Lakmal discussed the structure and operation of cloud native and the way the different tools are integrated. He told us how an API-led integration platform creates an effective architecture and helps expand management capabilities. These capabilities help increase flexibility and productivity within a team.

Stephane’s Story: GitOps, Users, Drift

Our penultimate speaker for the day was Stephane Jourdan with “Why you should take care of infrastructure drift”. Stephane introduced IaC (Infrastructure as Code) and its users, and explained the causes and consequences of drift, how to understand it and possible solutions. He then showed us a demo of how driftctl can easily identify a problem with admin access and security groups, based on real-world problems he had encountered. driftctl could really save you from an embarrassing talk with your manager!

Monitor everything with Thola

Last but definitely not least we had Tobias Berdin and “Introducing Thola – A tool for Monitoring and Provisioning Network Devices”. Tobias demonstrated the problems in monitoring when generic requests are sent where specific requests are needed. This is where Thola comes in. It is compactly integrated into Ansible and serves as a unified interface for communicating with a variety of devices, with the added opportunity of creating additional device types.

Games, yeay!

The atmosphere at today’s event was really great and one of my favourite things of the day was the amount of communication. Everyone really loosened up and got into the conference feel by chatting and joining our digital stackconf on Work Adventure. After the event there was a chance to relax and play some video games with everyone to make up for the lack of seeing each other in person. Stay tuned for the final day and keep in the loop on our Twitter @NetwaysEvents.


stackconf wrap up – DAY 1

stackconf is back and better than ever! Today started off very strong with a few new additions and great speakers that gave us an insight to a variety of topics.

This being my first year at the conference, it was very exciting to get started and involved with all the action and the flow of all the people coming together to learn something new. Right from the get-go you can see the amount of work the Events Team put into making stackconf happen, and the fact that it is all done online is really quite impressive. Of course we had the event online last year too, but you can really see that this year has been refined and delivered to a very high quality.

We’ve had a stackconf cake!

Before the conference had even started, people had already begun communicating in the Rocket.Chat channel, and this year they also had the opportunity to be “present” at the event. This year we made our own conference in the form of Work Adventure! This gave people the chance to walk around with their character and interact with people as if they were really there! Everyone could “meet” other people at the conference and have their very own chats with one another. The ones that didn’t want to talk right away were busy sprinting around the conference area (me being one of them…).

We had a great kick-off from Bernd and Christian, who were both looking very smart and ready to guide us through the first day of stackconf!

Spot the Antipattern and the IKEA effect

Jumping into the first talk of the day, Arushi Jain from Reddit kicked things off with her topic Spot the Antipattern. Arushi showed us how to spot an antipattern, why they exist and what we can do to help identify and avoid such patterns. This was also a very honest topic, as Arushi went through some of the problems Reddit faced themselves and the systems they were using. She also talked about the use of certain methods and how they are sometimes wrongly applied in lots of other applications instead of the ones they are meant for. An interesting point I picked up was the IKEA effect, where people who have made something themselves have a hard time letting go; this was a very good comparison to code and current workplace practices.

Katja tweeting.

Looking into our second talk, we were greeted by Ara Pulido as she showed us Policy as Code in Kubernetes with OPA and Kubernetes. This was another interesting topic, and for those of you who are up to date with K8s, you would have found this talk very informative. Ara showed how policy rules can be implemented in Gatekeeper so that pods can only be launched once they meet a specific set of criteria. This can help avoid a wrong deployment and keep everything organised and working together. We got a quick look at the OPA ecosystem, some constraint templates and a short demo on auditing pods to check whether they are performing as planned.

We were gracefully transitioned through the talks by Bernd and Christian, who kept us chatting and talking in the channels whilst keeping the pace with all of the talks that went on today. Great job lads!

From Peter Elmer’s talk.

Our next speaker Peter Elmer came by with a very interesting topic about Data Driven Security. This gave us an insight into machine learning and how data is incorporated to make programs “smarter”. Peter went into more detail as to how logic is created from data and how decisions move from a probabilistic factor to a more deterministic one. He also looked at how we can prevent attacks by defending at the source. This is a hot topic at the moment and also one to watch for the future.

Pragmatic application migration

Our next topic came from Nicolas Fränkel, who talked about Pragmatic application migration to the cloud with Quarkus, Kotlin, Hazelcast and GraalVM. Nicolas gave us some points as to why using the cloud is such a great idea and the benefits of doing so. He then went on to explain the different methods used when transitioning to the cloud and the drawbacks of having to rewrite everything from scratch. Alternatively, the JVM, although it has a slow start-up time, can be written once and run everywhere and adapts to the current workload. At the end Nicolas gave us a quick demo of a URL shortener, very cool!

Yummmm: stackconf and icescream!

To help break up the pace after lunch, we had two Ignites which were quick snippets of two very interesting presentations from Lawrence Finn and Tadeh Hakopian.

Lawrence talked to us about a cloud-sidecar application which sits next to your application and speaks to cloud services for you. The application even thinks it’s talking directly to the cloud services!

More training methods are always better

Tadeh Hakopian then came by and talked to us about the importance of visuals when teaching code and reducing bias. Tadeh explained that removing barriers and using visuals makes the first steps of developing easier and less scary when starting out. We have all been there before and looked at code thinking it is something from The Matrix. Another good point he mentioned was that more training methods are always better, which is true as not everybody learns the same way, and this opens up a lot of opportunity for people who think differently. These methods help people build better room designs, for example, or construct buildings more efficiently.

From Ricardo Castro’s talk.

Getting back on track with our talks, Ricardo Castro enlightened us with GitOps: yea or nay? Ricardo showed the advantages of using GitOps like enhanced productivity, stability and reliability.

He also went into the usefulness of rollbacks, as GitOps is built on the same git basis we are all used to. The idea is to have a lot of it automated and integrated out of the box. We then got the chance to see it in action with a demo of Flux deploying an application and showing us how it pulls the information needed to work.

The scaler is very clever

Sebastian, Head of NWS, at stackconf.

Our next talk came from Bram Vogelaar and his topic on Autoscaling with HashiCorp Nomad. Bram gave us a brief look at how scaling was done in the past and how it has progressed up until now. The great thing about Nomad is that it follows a very simple principle: Keep It Simple, Stupid. He showed us how easily the code is written and how the autoscaler works based on checks. The scaler is very clever, as it is able to scale up to keep up with demand, so you never run out of resources, and scale down again so they aren’t wasted.

Diego Ciangottini was up next to talk about setting up MinIO and Open Policy Agent for a multi-purpose scientific platform. Diego brought up the demand for computing resources from the INFN communities, which are based all over Italy, and their need to be able to obtain these resources. This very interesting and complex project looks at various computing challenges in data storage for multiple communities and the sustainable reuse of data. He then gave us a quick look at the solutions and at user management with MinIO.

Our stackconf organizers Markus and Lukas.

Our next speaker was Matt Jarvis with a talk about the importance of Continuous Security – integrating security into your pipelines. Matt explained how the line between the roles of developers and security is increasingly getting blurred, how there is a need to bring security checks to the developer level, and which tools are needed to do so. Of course this means greater responsibility, which is why Snyk is there to help the devs and make checking their pipelines a whole lot easier. Matt also went over some current flaws in images and containers and then showed us how they could be checked and corrected by Snyk. Another great topic from our speakers.

We accidentally created a cloud

Great job, moderators!

Our last awesome speaker of the day was JJ Asghar and his very interesting topic, We accidentally created a Cloud on our IBM Cloud. JJ started off with how everything began with ‘for loops’ in bash and the problems they faced, and how they moved on to learning and using Python scripts instead. As things improved, JJ explained the use of AWX and Ansible playbooks to run the code for you. With the help of their kubeadmin, IBM are able to control a multitude of clusters all at once.

Although people may have been a little shy on the first day, which is understandable, the general atmosphere and communication from everyone was fantastic. We had a strong start to stackconf and we have a great feeling about what is to come. Our guests and speakers will have plenty of opportunities to mingle with other tech-heads and ask plenty of questions in the coming days. Keep up to date with everything that is going on and come and join the fun, it’s free!


NETWAYS Chefs – Andrew bakes Easter cookies!

This entry is part 3 of 7 in the series NETWAYS Chefs

Anyone who knows us knows that good food plays a big role at NETWAYS: starting with the phenomenal catering at our trainings and events, through healthy snacks or less healthy treats that sweeten our office routine, to joint cooking events in the NETWAYS kitchen. In this blog series we present the favourite recipes of our colleagues.

Andrew likes to bake and, luckily, also likes to bring the treats into the office and share them with us! About his recipe he says:

“Vanilla Easter cookies are easy to bake and taste fabulous!”

And here is the recipe! Have fun baking!

Ingredients

300 g flour
120 g icing sugar
1 sachet vanilla sugar
A pinch of salt
200 g soft butter
2 egg yolks

100 g apricot jam

Preparation

1. First knead all ingredients except the jam into a smooth dough on a work surface or in a mixer.

2. Wrap the dough in cling film and put it in the fridge for one hour.

3. Preheat the oven to 200 degrees (top/bottom heat) and line a baking tray with baking paper. Roll out the dough on a floured work surface and cut out cookies with any shapes you like. Optionally cut an additional hole in half of the cookies with a smaller cutter.

4. Place the cookies on the baking tray and bake for about 10 minutes until they turn a light yellow colour.

5. While the cookies are baking, melt chocolate of your choice. Then spread chocolate on the cooled cookies and decorate as you like. We used colourful sugar sprinkles here.

6. Let the cookies cool and then spread the jam on the cookies without the cut-out. Apply enough jam to cover the whole cookie, then place the decorated top half on it.

7. Your cookies are now ready! Enjoy the Easter cookies and don’t forget to share them with your colleagues!
