2. ABOUT ME
• Built multiple CI/CD Pipelines for businesses with different needs.
• Lived/worked 4 years in Germany and now I’m back to the homeland.
• A Software Engineer at day, a Hacker by night.
• Love to automate everything.
• In love with Security and an OSCP Holder.
• Technical Consultant @S3Geeks
• Security and Systems Engineer @FuturaSolutionsGmbH
3. DEVOPS IN A NUTSHELL
• Problem: How do we get changes into production as fast as possible?
7. DEVOPS IN A NUTSHELL
• The developer writes code and checks it into a distributed version control system such as Git/Bitbucket
• The check-in of code triggers a build on the CI server
• The CI server creates deployable artefacts (EAR, WAR, JAR, Docker images, binaries) for testing
• Unit tests, functional tests and system tests are run on the new build and issues are reported
• Security and penetration testing are done on the production-ready build
• Continuous Integration can also help to set up your production environment
• If the build or tests fail, the CI server alerts the team through Slack channels, HipChat or email
8. DEVOPS ENGINEER DUTIES
• Understand the needs and challenges of a client across operations and development, and partner to formulate solutions that support their business and technical strategies and goals
• Develop solutions encompassing technology, process and people for:
  • Continuous Delivery
  • Infrastructure strategy & operations (including cloud)
  • Build and release management
  • Basic understanding of networking
  • Security (fair understanding of application and infrastructure security)
• Recommend and implement solutions. Be totally hands-on and have the ability to work independently
• Ensure delivery of exceptional technical solutions
• Maintain strong expertise and knowledge of current and emerging processes, techniques and tools
• Build the DevOps practice within ThoughtWorks and drive our thought-leadership externally
• Identify and resolve problems in a timely manner
• Design, build and maintain the CI/CD infrastructure and tools to deliver Horizon Cloud Service
• Work closely with development teams to ensure that solutions are designed with customer user experience, scale/performance and operability in mind
9. WHAT IS A CI/CD PIPELINE
Developer commits changes to the source code repository
Build server executes the master build script, or delegates execution to another server
» Checks out source code
» Builds executable version of the application
» Runs other jobs, such as testing and code inspection
Team is notified of build results through a feedback mechanism
» If alerts are generated, the team takes immediate action to correct problems
» If a code fix is needed, the developer commits the corrected code back to the repository; this action kicks off a new build cycle.
10. ARCHITECTURE OF A CI BUILD SYSTEM
Definition: CI is the practice of regular, comprehensive, and automatic building
and testing of applications in software development.
Source: NASA IT Summit 2010
15. SECURE YOUR CI/CD
• Code Analysis. Analyze code for application specific vulnerabilities.
• Container Hardening. Remove unneeded libraries and packages; restrict functions.
• Image Scanning. Scan images for vulnerabilities at build; regularly in registries.
• Image Signing, e.g. Content Trust. Ensure trust with signing and author / publisher verification.
• User Access Controls, e.g. Registries. Restrict and monitor access to trusted registries and deployment tools.
• Host and Kernel Security. Use SECCOMP, AppArmor, or SELinux or equivalent host security settings.
• Access Controls. Enable restricted access to system and Docker daemon.
• Auditing, e.g. Docker Bench. Perform security audit using Docker CIS benchmark.
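The "scan images at build" item above only helps if the pipeline actually fails on what the scanner finds. The following added example (not from the slides) is a minimal CI gate: it reads a scan report, blocks the build at a configured severity, and allows explicit risk acceptances only until a review date. The report shape and the VULN-xxxx ids are constructed stand-ins, not any real scanner's format.

```python
"""CI gate: fail the build when an image scan report exceeds policy.

Added example. The report shape is a constructed, simplified stand-in for a
real scanner's output; adapt the parser to the tool you run.
"""
import json
from datetime import date

# Constructed sample scan report for the image built by this pipeline run.
SCAN_REPORT = json.dumps({
    "image": "registry.example.test/app:1.4.2",
    "findings": [
        {"id": "VULN-0001", "severity": "CRITICAL", "package": "openssl", "fix": "3.0.9"},
        {"id": "VULN-0002", "severity": "HIGH", "package": "curl", "fix": None},
        {"id": "VULN-0003", "severity": "LOW", "package": "bash", "fix": None},
    ],
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Policy: block at HIGH and above, but honour explicitly accepted findings
# until their review date passes, so exceptions cannot silently live forever.
POLICY = {
    "block_at": "HIGH",
    "accepted": {"VULN-0002": date(2099, 1, 1)},
}

def evaluate(report_json, policy, today=None):
    """Return (passed, reasons); reasons lists every finding that blocks."""
    today = today or date.today()
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[policy["block_at"]]
    reasons = []
    for f in report["findings"]:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # below the blocking threshold
        expiry = policy["accepted"].get(f["id"])
        if expiry and today <= expiry:
            continue  # risk accepted and the acceptance has not expired
        fix = f"fix available: {f['fix']}" if f["fix"] else "no fix yet"
        reasons.append(f"{f['id']} {f['severity']} in {f['package']} ({fix})")
    return (not reasons, reasons)

if __name__ == "__main__":
    passed, reasons = evaluate(SCAN_REPORT, POLICY)
    for r in reasons:
        print("BLOCK:", r)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI stage
```

Run it as a stage between `docker build` and `docker push`; the non-zero exit keeps an image with an unaccepted HIGH/CRITICAL finding out of the registry.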
16. SECURE YOUR CI/CD
• Network Inspection & Visualization. Inspect all container-to-container connections and build visualization for application stack behavior.
• Threat Detection. Monitor applications for DDoS, DNS attacks and other network-based application attacks.
• Host & Container Privilege Escalation Detection. Detect privilege escalations on hosts and containers to predict break-outs and attacks.
• Packet Capture & Event Logging. Capture packets and event logs to enable forensics.