
David Sachdev

Ranch Hand
since Oct 18, 2011

Recent posts by David Sachdev

Julien Vehent wrote:

  I think so many places don't think about the "responding to attacks" part of the equation very well. 



This is true, and working in a DevOps environment means using very different tools and techniques than one would use in an old-style infrastructure. (endpoint security on immutable servers? what about serverless forensics? etc.)

At the same time, a lot of proven techniques can and should be ported to modern environments, so the book goes over the important stuff and explains how to implement it.

There's also a little novel about a security incident in chapter 10. I had fun writing it; I hope it's a good read.



And in server-less computing - your attacker may be on the same host...just doing nefarious server-less computing.  I think over time this will be the way of the future, but depending on your data - you may want to watch and wait cautiously. 
3 months ago

Julien Vehent wrote:Securing DevOps is a technical book, so we talk about tools and techniques a lot! Part 1 is a complete implementation of a CI/CD pipeline and all the security components that we can fit into it. It's 100% hands on. Part 2 is also very technical but more focused on presenting tools and techniques and less on helping the reader implement them (you'll have to do homework). Part 3 is a little less focused on tool but we still present half a dozen of them in the chapter on security testing (ZAP, Scout2, bandit, gas, etc.).

So, yeah, we talk about tools a lot



Interesting - I guess I've got a list of tools to look at and evaluate! Thanks!
3 months ago



2. Monitoring and responding to attacks. It is the fate of online services that they will get broken into eventually. When incidents happen, organizations will turn to their security teams for help, and a team must be prepared to react. The second phase of continuous security is to monitor and respond to threats, and protect the services and data the organization relies on, through techniques like fraud and intrusion detection, digital forensics and incident response, with the goal to increase the organization’s preparedness to an incident.



Having an Incident Response plan before the incident happens is very important.  You don't always want to just "cut off" the attacker - as you may want to silo them off and see what it is they plan on doing.  I think so many places don't think about the "responding to attacks" part of the equation very well. 
3 months ago
I'm curious from Julien and the general audience:

What is your "definition" or "elevator pitch" for what is DevOps and what is DevSecOps?

Here is mine:


DevOps, and these days DevSecOps, are words that are abused almost as much as Agile.  I was recently asked about the practice, and here is my elevator pitch:

“DevSecOps ensures that applications and code are well planned out from a security and infrastructure perspective.  It helps to ensure that as systems are moved up the environment chain from development all the way to production, not only is the code addressed, but firewalls, network, and security concerns are handled often prior to, but at least in concert with, deployments to the upper environments.  This helps to ensure timely delivery of applications, software, and new functionality to allow the business to fully realize the potential of Agile Software Development.” - David Sachdev



“DevOps helps to reduce Time to value by bringing functionality to production at an accelerated pace” (Time to value (TtV) is a business term that describes the period of time between a request for a specific value and the initial delivery of the value requested. A value is a desirable business goal; it can be a quantifiable (tangible) or abstract (intangible)) https://whatis.techtarget.com/definition/time-to-value-TtV

“DevOps is a cultural change to how we do business”
3 months ago
I'm kind of curious to know how much the book delves into tools of the trade?

We personally here use:
Jenkins for Orchestration
Chef for Infrastructure as Code
Junit (and various test frameworks depending on language)
Mock services
SonarQube
Nexus
GitHub
Fortify
AWS
CloudChekr

and I'm looking at Scout2 now

Also, I'm curious to know your "definition" or "elevator pitch" for what is DevOps and what is DevSecOps?

Here is mine:

Actually, I think I will make that a new topic as I'm curious to know what the general audience has as an answer to that.
3 months ago
Welcome Julien!  Looking forward to a lively debate and discussion...and a lot of learning from others!
3 months ago

David Sachdev wrote:I have read the other threads that discuss differences between version 2 and version 3 of the book, and I have checked out the table of contents here:

https://smile.amazon.com/Effective-Java-3rd-Joshua-Bloch/dp/0134685997/ref=smi_www_rco2_go_smi_2609328962?_encoding=UTF8&ie=UTF8&tag=crfa12-20



Click on the Look Inside if you want to view the Table of Contents.
4 months ago
I have read the other threads that discuss differences between version 2 and version 3 of the book, and I have checked out the table of contents here:

https://smile.amazon.com/Effective-Java-3rd-Joshua-Bloch/dp/0134685997/ref=smi_www_rco2_go_smi_2609328962?_encoding=UTF8&ie=UTF8&tag=crfa12-20

I am a bit curious to know if Josh can provide some information on the sections that may include some of the new features included in Java 7 and 8 such as better connection management  and/or concurrency.  I've loved the previous versions, and would love to know what we can look forward to in this new book that will also help us to get up to speed with some of the newer features in Java that maybe haven't been adopted as well as they should be by our teams.

Thanks
David Sachdev
Innotac
4 months ago
Welcome Josh!  I can say that I'm thrilled that you are here, and that I have learned a lot from your previous books.  I'm sure that your latest edition will surely be a game changer as well!

Thanks
David Sachdev
Innotac
4 months ago

Alex Theedom wrote:Hi David

Thanks for your question.

In the book, I demonstrate with plenty of code examples the new features added to Java EE 8. It includes two large chapters on the brand new security API and JSON Binding. There are some really cool new additions such as the Reactive client in JAX-RS and async events in CDI, to name just a few. I touch on the Spring framework, although version 5 does look really interesting. When developing microservices you can develop some in Java EE, some in Spring, others in GoLang or whatever best solves the problem. In terms of mixing them in one project, I suggest that there would have to be a very good reason for doing so. Perhaps some of the Spring APIs could be used with a Java EE project, but making them work together might be more of a headache than it's worth.



Thanks for the reply - and for highlighting some of the things to look out for.   The security API and the Reactive Client have definitely piqued my interest!

Thanks
David Sachdev
With the move to the Spring Framework we saw many industry leaders move away from some of the older technologies in EE for what the Spring Framework included.  With JEE3, we started to see some benefits in EE again, and a bit of a hybrid approach to picking and choosing what was good from Spring, but also pulling in some of the good technologies that JEE3 brought to the table.  Do you address the Spring Framework and go over the pros and cons of Spring versus EE, and where they can work together, and where it is best to not intermingle?

Thanks
David Sachdev
Welcome!  Looking forward to some lively discussions and learning about the new things I need to focus on!

Thanks
David Sachdev
Welcome!  Looking forward to some interesting discussions!

Thanks
David Sachdev

Richard Rodger wrote:Hey David,

So I’m a little radical when it comes to service discovery these days - I like to use SWIM https://asafdav2.github.io/2017/swim-protocol/

The weak point in any component model ( that’s what microservices are!) is identity. Component A has to know about component B to send B messages. A also has to know what messages B can accept.

Example: network location, rest URLs, message bus topics, kubernetes host env vars, ... all the same thing.

To remove the concept of identity, you want to be able to just send messages without knowing where to send them.

This is fundamentally impossible of course, but you can weaken identity significantly by using something like SWIM. Essentially each microservice builds its own internal, but hidden, routing table.


Richard



Thanks Richard - in essence the problem comes back to what the Service Bus was trying to solve - consume the message and know where to send it to next.  And as you mention there is a security aspect there. I live in the world of ICAM, where SSO has to be factored in, and microservices have to factor that in as well. I'll take a look at SWIM, and the presentation that you linked to.  Seems interesting.

Thanks
David Sachdev
6 months ago