
Container Security Comes to the Party – Tech Edited!

(Once upon a time) I worked with Liz Rice (from Aquasec) as tech editor on her latest and greatest title, Container Security, published by O’Reilly. It was great working on a cutting-edge technology title, especially when the IT world is moving to microservices-based architecture.

Security has been in my DNA ever since, with everything ICT, and this was both engaging in the realm of container security and a matter of putting leading practices from DevOps (more so DevSecOps) into place, where readers would benefit from field experience. Glad to be part of this journey!

Here’s the book overview! Thankful to O’Reilly for including me on the team for this piece of art!

Here’s the link to download the ebook https://bit.ly/2L7lhpu


It was a Blast Tech Editing ‘Google Building Secure & Reliable Systems’

I must admit, it is not every day that I get to review a Google book! And this book was a whirlwind plus roller coaster from a tech editing standpoint. Too many moving parts and parties. (Yes, it was a party!)

While it was definitely fun tech editing this book, it was also learning on the go on some very key topics, from other tech editors and authors. And I don’t mean the topic(s) themselves, but the perspective they brought in from their own unique experiences. It was oozing knowledge everywhere; one just had to tap the right perspective with the right messaging for the readers.

And here’s yours truly among the few from industry who got an opportunity to contribute to this title.

 

For everyone keen on understanding and learning how Google builds and secures its gigantic data centers, this book is a must read. And for what it’s worth, it’s free! Access your copy here. You can also access all their SRE books for free here.

More to come soon from O’Reilly and Pearson. Working on a few uber cool projects meanwhile!


Posted on April 20, 2020 in Clouds and More


Secure DevOps – The way of modern Enterprise

To start with, I covered a few aspects from field experience (more recent and otherwise) on DevSecOps and the Shift Left approach. If you’re keen on reading these, see the following articles: DevSecOps – Making Sense of it and Let’s Talk about Shift+Left!

It’s no exception that my posts have been focused on DevOps with hints (correction: loads!) of security to them. In this post I would like to discuss the key characteristics and the changes I’ve witnessed as an evangelist in the field of Secure DevOps. None of these would be unknown to practitioners who engage at ground level with the whole DevOps tool chain and the intricacies of navigating the trenches while delivering customer-usable code (otherwise known as apps).

Let’s look at some of the most common yet, not very well understood concepts pertinent to DevOps, leading into the realm of Secure DevOps.

1. DevOps is a cultural change – Every organization, whether born in the cloud or coming from legacy roots, faces the grave challenge of shifting focus from product or solution to customer requirements. That has been an issue since the good ol’ days: focusing on ‘things’ to sell or pushing customers to adopt them, rather than looking at customer needs and adjusting the pace of the workforce to deliver a cohesive customer experience. Coming back to the original point, organizations do run into the issue of imagining DevOps as a big deal and of breaking down silos. The right way to think about it is to consider DevOps a positive cultural change, from a monolithic to a modular thought process, leading to a better customer experience and hence sticky customers. Change, as we know, is inevitable, and thus adopting the culture shift to DevOps is a healthy and strategic move for any mid to large enterprise.

2. Automation everywhere – At the mention of automation, many would think of losing their job or being re-purposed or re-aligned. That’s not true at all; in fact, with automation at the back end and front end, new skills are required to develop more and more automation scripts, set up a regime of self-sustaining workflows (technical and business), and move on to the next project. No two projects are alike; thus, no two automation needs are alike. Automation need not be turnkey; however, bringing in automation for the known variables across apps and other enterprise services is entirely practical.

3. Build a consistent DevSecOps tool chain – While your organization is on a mission to implement and reap the benefits of DevOps in the cloud, on premises, or hybrid, it is key to understand that there’s a business goal to be achieved and a revenue forecast to be hit. Engaging in app development wouldn’t mean anything if the velocity (or agility) of developing and releasing apps isn’t up to the mark the business desires. Hence, building a sustainable DevSecOps tool chain with the right set of tools (very important) that are well understood by all developers and operations teams is crucial. A tool that is not well known, or that the team hasn’t been trained on, is only going to delay outcomes. A hidden gem here: a tool chain that has security tools (e.g. SonarQube, reshift, etc.) baked into the workflow, so that static-analysis and dependency findings gate a build rather than arriving as a separate report after release.

4. Stick with a set deployment strategy – DevOps teams are often seen swinging between different deployment strategies. While this may work for smaller setups with only a few apps, it doesn’t scale for larger enterprises with a fridge load of apps (app fridge, anyone!). With the agility that businesses demand, it is good to plan in advance and have the deployment approach well set out. Some organizations will want to go big bang, and there’s nothing wrong with that as long as they are sure of what they’re rolling out; it is best to have a formal risk assessment of the app and its possible exposure to vulnerabilities, leading to a risk-averse vs. risk-accepting approach. In other words, canary (expose the new version to a small slice of traffic first and widen it while the telemetry stays clean) vs. blue/green (switch all traffic to the new environment at once, keeping the old one ready for rollback), or any other deployment strategy deemed right. Changing deployment strategy on an app-by-app basis multiplies the rollback paths and monitoring that have to be maintained, and so increases the risk of exposure manifold.

5. On-board Information Security and Network Security teams – As a developer, one is always perplexed by security terms. While we are talking about agility, what happens to PII, PHI (and so on) if data at rest or in motion isn’t secured and has a high degree of exposure? No business would want short-term gains at the cost of security. With security budgets only going up year on year, there’s a reason behind all the hustle! It is best to have a cohort across developers, operations, InfoSec, and network security teams, and the earlier, the better. This way, security isn’t left out and there aren’t any last-second surprises on compliance or regulation, let alone an app being blocked by security because it left too many TCP/UDP ports open. Security should be seen as a positive contributor rather than a disruptor.

Well then, these are a few things which I personally and professionally have seen go well with the overall construct of DevOps, leading to DevSecOps. It’s a win-win for everyone if higher management drives the programs sensibly and has realistic time frames for apps to be released on a GA basis. Not all problems can be solved by one person; however, when like minds collaborate, problems give way to opportunities.


Let’s Talk about Shift+Left!

Security in IT and in code has been an afterthought for the longest time. Historically, security has been seen as a blocker rather than an enabler. That was tenable only while security issues weren’t real. In today’s connected and ‘agile’ world, security issues are very real and very threatening. The threat can translate into monetary losses, damage to the firm’s reputation, and loss of clientele, among many other concerns.

As compliance with local legislation and regulation tightens with the proliferation of apps, mobile devices, and IoT, it becomes more important than ever to have security by design and security by default as part of the development process. Today’s average consumer wouldn’t wait days for an update to an app; it’s got to be hours. With such a rapid pace of development of new features and user experience enhancements, how can an organization inculcate a culture of secure development?

“Shift+Left” (or Shift Left) is the new paradigm in DevOps security: it moves (security) testing earlier in the software life cycle so that defects are caught early in the delivery process, when they are cheapest to fix. Moreover, secure-testing tools are included in the gating process, so a build that fails a security check does not progress, enabling organizations to deliver apps and software with minimal vulnerabilities. AppSec, anyone?

Note: Security is not, and can never be, 100%. While attempts to limit vulnerabilities are important, it is most crucial to accept that any piece of software is vulnerable.

The Shift Left approach also embraces automation as a key tenet, knowing that automation reduces the possibility of errors while testing and deploying code in test environments.

Here are the key characteristics of Shift Left approach to secure DevOps:

  1. Secure-by-design, resilient code that can be built upon in later releases without going back to fix the base code
  2. Seamless integration into the CI/CD pipeline
  3. The ability to fix vulnerabilities faster (heard of OWASP?)
  4. An increase in feature velocity, through secure development and automation
  5. Testing code early and often leads to fewer surprises in the production environment

Concluding this short article, it is key to understand the concerns any organization would have going live with its app, putting customers’ data or its own intellectual property on the line, without the right measures to include security testing during the development process. It’s better to focus on where a defect begins than to fix it where it is found, and that is ‘Shift+Left’.


Posted on December 9, 2019 in UC Security Posts


DevSecOps – Making Sense of it

I’ve been working on multiple CI/CD initiatives with a wide array of customers in my rather new role. While it is a revelation how the industry has changed in less than a couple of years, it is also great to see new and cutting-edge technology helping make Time To Market (TTM) short and products more user focused. As a result of my recent learning in the field and of interactions with customers and their DevOps teams, I thought I’d put out a short article along these lines.

So, there’s this question almost always wandering around customer meetings: What is DevSecOps?

There’s one simple way to explain what it is and why the new ways of working (agile) need it more than ever. In its entirety, DevSecOps is the inclusion of leading practices and tools for secure code development via a secure Software Development Life Cycle (SDLC).

A more comprehensive way to portray the concept of DevSecOps is this: follow security leading practices and deliver code that is secure by design. Include code review tools as well as Static Application Security Testing (SAST) and, where applicable or possible, Dynamic Application Security Testing (DAST). Lastly, create a cultural change where People, Process, and Technology (PPT) aren’t disconnected but connected and online, with security an intrinsic part of the development process rather than an afterthought.

Following are some of the key initiatives which facilitate (not just theoretically but practically) DevSecOps adoption and execution.

Secure Coding Practices

Observing secure code development practices leads to software that has high resilience to exploits and vulnerabilities. This includes (and is in no way limited to) not hard-coding credentials or secrets, adhering to coding standards, and keeping an eye on the OWASP Top 10 vulnerabilities, their origins, and their remediation.
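
To make the "no hard-coded credentials" rule above, and the gating idea from the Shift Left post, concrete, here is a minimal secrets gate of the kind that runs as a pre-commit hook or pipeline step. It is an added example written for this edit, not code from the original post or from any of the tools named on this page. The sample source lines are constructed and contain no real credentials, the three patterns are illustrative (a production scanner ships far more rules plus entropy checks), and the `# nosecret` allow-list marker is an assumed convention.

```python
import re
from typing import List, Tuple

# Illustrative rule set. Production scanners carry far more rules plus
# entropy checks; three are enough to show how the gate behaves.
SECRET_PATTERNS = {
    # AWS access key IDs have a fixed, recognisable prefix and length.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private-key material pasted into source or config.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "literal" where the name smells like a credential and the literal
    # is long enough to be a real value (group 2 captures the value).
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Substrings that mark a value as a template or dummy rather than a live secret.
PLACEHOLDERS = ("changeme", "example", "placeholder", "xxxx", "${", "<your")

# Assumed allow-list convention: a reviewed test fixture may carry this comment
# so the gate does not block it. The marker is visible in code review.
ALLOW_MARKER = "# nosecret"


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDERS)


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for every suspected secret."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Use the captured value when the rule has one, else the whole match.
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if is_placeholder(value):
                continue
            findings.append((lineno, rule, line.strip()))
    return findings


def gate(lines: List[str]) -> bool:
    """Pipeline gate: True means the change may proceed, False means block it."""
    return not scan_lines(lines)


# Constructed sample source; none of these values are real credentials.
SAMPLE_SOURCE = [
    "import os",
    'DB_USER = "app"',                                            # not a secret name
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',                    # read from the environment: fine
    'API_KEY = "${API_KEY}"',                                     # templated placeholder: fine
    'AWS_ACCESS_KEY_ID = "AKIAFAKEFAKEFAKEFAKE"',                 # constructed key ID: flagged
    'password = "changeme"',                                      # placeholder: fine
    "GITHUB_TOKEN = 'ghp_0123456789abcdef0123456789abcdef0123'",  # constructed token: flagged
    'TEST_TOKEN = "not-a-real-token-1234"  # nosecret',           # explicitly allow-listed
    "-----BEGIN RSA PRIVATE KEY-----",                            # key material in source: flagged
]

if __name__ == "__main__":
    for lineno, rule, text in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {text}")
    raise SystemExit(0 if gate(SAMPLE_SOURCE) else 1)
```

Run against the sample, the gate reports lines 5, 7 and 9 and exits non-zero, which is what a CI stage needs in order to stop the build; the environment-variable lookup, the templated value and the allow-listed fixture pass. Reading credentials from the environment (line 3) is the pattern the scanner is steering developers toward.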

Threat Modeling

While many would not see immediate value in spending cycles on threat modeling and coming up with a threat model for an application going live soon (such is today’s rapid pace), a commitment to have mapped out threat actors, attack surface, threat vectors, and everything that can potentially jeopardize a piece of software or an app is worth the while. Yet many organizations don’t go through this exercise, and this is not on the development or IT teams; it’s more on the management that drives, or decides not to push for, time and effort in this direction.

Automation in environment provisioning and testing

Testing and automation have a huge bearing on the quality of code being produced. Humans err, but automation can reduce errors. Hence, automate the deployment of infrastructure for code testing (Infrastructure as Code, or IaC, with tools such as Terraform or Ansible) and automate the testing itself: regression tests for the code, and configuration checks on the pre-production environments those tools provision.
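
As an added example (not the original post's code, nor anything Terraform ships), here is the kind of configuration check that can run against a Terraform plan before anything is applied to a pre-production environment; it also catches the "too many TCP/UDP ports open" situation that gets apps blocked by security in the Secure DevOps post above. The plan document is a constructed stand-in for `terraform show -json` output containing only the fields the check reads; the set of ports allowed from the internet and the handling of `aws_security_group_rule` resources are assumptions made for the example.

```python
import json
from typing import Any, Dict, List

# Assumed policy for this example: only 80 and 443 may be reachable from the
# whole internet; everything else must come from an internal range.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS_ALLOWED = {80, 443}


def rule_violations(address: str, rule: Dict[str, Any]) -> List[str]:
    """Check one ingress rule (Terraform attribute layout) for internet exposure."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & PUBLIC_CIDRS:
        return []  # internal source range: outside this policy's scope
    proto = str(rule.get("protocol", ""))
    low = int(rule.get("from_port") or 0)
    high = int(rule.get("to_port") or 0)
    # protocol "-1" (or port range 0-0) means all traffic in AWS security groups.
    if proto == "-1" or (low == 0 and high == 0):
        return [f"{address}: all traffic open to the internet"]
    exposed = set(range(low, high + 1)) - PUBLIC_PORTS_ALLOWED
    if exposed:
        return [f"{address}: {proto} {low}-{high} open to the internet"]
    return []


def check_plan(plan_json: str) -> List[str]:
    """Walk a `terraform show -json` document and list security-group violations."""
    plan = json.loads(plan_json)
    violations: List[str] = []
    for change in plan.get("resource_changes", []):
        after = (change.get("change") or {}).get("after")
        if not after:
            continue  # resource being deleted, or values unknown until apply
        rtype = change.get("type")
        address = change.get("address", "?")
        if rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                violations.extend(rule_violations(address, rule))
        elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
            violations.extend(rule_violations(address, after))
    return violations


# Constructed stand-in for `terraform show -json tfplan`; only the fields the
# check reads are present, and the addresses are made up for the example.
SAMPLE_PLAN_JSON = json.dumps({
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         ]}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]},
         ]}}},
        {"address": "aws_security_group.legacy", "type": "aws_security_group",
         "change": {"actions": ["delete"], "before": {"ingress": []}, "after": None}},
        {"address": "aws_security_group_rule.admin_all", "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "after": {
             "type": "ingress", "protocol": "-1", "from_port": 0, "to_port": 0,
             "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}}},
    ]
})

if __name__ == "__main__":
    problems = check_plan(SAMPLE_PLAN_JSON)
    for line in problems:
        print("FAIL", line)
    raise SystemExit(1 if problems else 0)
```

Against the sample plan the check passes the HTTPS rule and the database group (internal range only), skips the deleted group, and fails the build for SSH from anywhere and for the all-traffic IPv6 rule. Running it on the plan rather than on the live account means the exposure is stopped in the pipeline, before the environment exists.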

Leverage extended security capabilities

It is in the interest of any DevOps team to leverage the extended reach of the InfoSec or IT Security team’s expertise to make the code resilient to cyber attacks. Findings from the dark web as well as from security research groups are very helpful in creating defenses against the known and being unyielding to the unknown.

DevSecOps helps revolutionize the way organizations handle security while developing apps or software. While budget, manpower (or even security expertise) may be in short supply, the benefits of subscribing to DevSecOps are far greater than the risk of not adhering to ‘secure’ new ways of working.


Speaking at Write The Docs

Presenting on one of my life-defining topics @ Write The Docs Australia. What else, and what better, than writing!!

It is ironic that I’ve lived in India, the US, and Singapore, and visited many places where I’ve had a chance to present on technology and other aspects. However, it’s only in Australia that I got my first-ever opportunity to present on how I wrote my first book and the journey from there on.

Again, it’s not about me; it’s about everyone else who’s had a dream to write their first-ever book. And for sure: Your First Book – It doesn’t have to be Rocket Science!

Thank you Brett Bartow, Chris Cleveland, Mary Beth Ray, Marianne Bartow, Jamie Shoup, Vanessa Evans, James Manly, Virginia Wilson, Troy Mott for your leadership and giving me a chance to write all the books I’ve written and contribute to reviews across Pearson, O’Reilly, and Backstop Media publications.

Thank you, and love you, my dear family and friends, for your ongoing support, without which this wasn’t possible.

If you’re in or around Sydney give me a shoutout.

https://www.writethedocs.org/conf/australia/2019/schedule/


Posted on November 13, 2019 in UC Security Posts


My First Udemy Course Published!

I promised earlier that something new and big would be coming soon. So here’s revealing my first work with Udemy.com.

I’ve published my first Udemy course (which isn’t exactly a course; however, that’s what Udemy would like to call it): a practice exam for CCIE Routing and Switching aspirants. It took a couple of months (plus) to put the two practice tests together in line with the current blueprint for version 5. The practice tests capture the essence of topics across the blueprint and would help an aspirant get the required practice in an exam-like environment once their final preparation from books or online course material is complete. The idea is to get accustomed to the topics and the questions on them across the blueprint, and to let a CCIE Routing and Switching candidate practice taking the test in the prescribed time. Here’s the link to access the practice tests on Udemy:

https://www.udemy.com/course/ccie-rs-written-practice-tests/

So, what’s out of the ordinary about these tests is that some of the new (and bleeding-edge industry) topics have holistic coverage. Coming from https://learningnetwork.cisco.com/community/certifications/ccie_routing_switching/written_exam_v5/exam-topics – from within Evolving Technologies, Cloud, IoT, and SDN are the key topics that are really in demand in the industry, and these have been covered from the perspective of my personal experience (beyond the usual topics of Layer 3 and Layer 2, VPN, etc.) in the field, both from customer consulting and hands-on work.

I hope the aspirants enjoy the practice tests as much as I enjoyed writing them and can benefit from them. And I wish all CCIE Routing and Switching aspirants the best in their preparation and for their success in the written as well as the lab exam.


If you read through the whole post (and that’s the reason you’re here 🙂), you can use the voucher GET_25OFF_CCIERS_NOW to get 25% off the practice test bundle.


Posted on September 21, 2019 in Udemy
