Mon Oct 28 14:31:20 UTC 2019

Keynotes today are The Container Operator's Manual and In Search of Security Shangri-la.

## The Container Operator's Manual

### Alice Goldfuss

------

The talk opens with a slide of an old car, and an analogy I didn't quite get at first. Containers are like car commercials. There are plenty of talks about them, and they tell you all about what you can do with them and how amazing it is to implement them, but then they go away. You're left wondering how and why and exactly what you do to make it work. You don't notice the tiny print that warns you that it was all done in laboratory conditions. The workshops you go to don't give you enough. We need fewer 101s and more WTFs.

This talk was very humorous and fun to watch. Alice is a wonderful blend of someone who knows her stuff and also knows how to flipping talk to people. The slides were really clear and contained only the highlights. The images used featured women and marginalized groups of people. It was really cool to see so much representation and not have it called out or pointed out; it was just a present thing.

There were four things or lessons to be learned.

1. Container strengths - Containers are good at being stateless: take in x and pop out y, think micro-services. They are good for development and deployment, and they're really portable.
2. Container weaknesses - Stateful or persistent apps like databases. If you have to run a database this way, consider checking out Vitess, a clustering and sharding layer for MySQL that runs on Kubernetes.
3. Containers need friends - How will you build this? Are you going to use existing stuff or make something new? How are you orchestrating and deploying it? What is the process going to be? These are big questions that need answers. The other big questions are about monitoring, networking, and provisioning additional resources. This is a gradual roll-out and promotion.
4. Containers need head count - You need a team of at least 4, but ideally 6-8 people.
The key roles are monitoring, operations, a kernel person, security, networking, internal adoption, and project management. The fewer people you have, the more work it is to have a good container roll-out. This is not something to be taken lightly. There were several applause breaks, including when the speaker mentioned that information security should be part of the planning process.

## In Search of Security Shangri-la

### Rich Smith

------

I was apprehensive at first, because I thought Shangri-la was going to indicate a more metaphysical kind of event. This was not accurate, and I'm glad that I was open to the experience. Rich showed a cartoon that I really liked: "I spent my 20s for the lulz, my 30s doing gray-hat stuff for money, and now in my 40s I work for the man." The hypothesis was that security generates FUD to sell hope.

As the conversation moved forward, a book was shared that the speaker had worked on called Agile App Development. This was about including security in the development process, especially in an agile environment.

A fun story / analogy was that of the phishing test and your enterprise being on fire. If you were 80% on fire and afterwards you are only 40% on fire, you are still on fire. Click rate isn't a useful metric, because the only acceptable target for something like this is 100% compliance all the time. A more realistic goal is to measure time to first report of the phish. This is a more useful metric because the sooner the security team hears about it, the sooner they can act, which is better for everyone. Book recommendation: Agile App Development.

We also looked into the problem of culture. You need to socialize to be integrated. They spend 350 a month on candy in their department to draw foot traffic to their area; this gets people used to seeing and talking to the security team. There was a story about having kids coming through and tours visiting. A Doctorow quote from Information Doesn't Want to Be Free was used. I need to read that; it seemed really cool.
The idea or quote that I liked is that the security team needs to recognize that they're roadies, not rock stars, and we are all working together to get the stage set up. "Roadie, not rock star." The three key concepts to take away from the talk are that security culture needs to foster:

- Transparency - Don't hide or unnecessarily obfuscate anything.
- Enabling - Provide tools to let people succeed.
- Blameless - If something goes wrong, analyse it without blaming anyone.
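The phishing-test metric from the Shangri-la talk, as an added worked example (my code, not from the talk or this post): it computes the click rate that the "still on fire" analogy dismisses, alongside time to first report, over a constructed campaign log. The two campaigns, user names, timestamps and event names are all made up to match the 80% and 40% figures in the analogy.

```python
from datetime import datetime

# Constructed sample data (not real campaigns): one event per triple as
# (ISO timestamp, user, event), where event is "sent", "clicked" or "reported".
# Campaign A is the "80% on fire" run, campaign B the "40% on fire" run.
CAMPAIGN_A = [
    ("2019-10-28T09:00:00", "alice", "sent"),
    ("2019-10-28T09:00:00", "bob", "sent"),
    ("2019-10-28T09:00:00", "carol", "sent"),
    ("2019-10-28T09:00:00", "dave", "sent"),
    ("2019-10-28T09:00:00", "eve", "sent"),
    ("2019-10-28T09:05:00", "alice", "clicked"),
    ("2019-10-28T09:07:00", "bob", "clicked"),
    ("2019-10-28T09:10:00", "carol", "clicked"),
    ("2019-10-28T09:20:00", "dave", "clicked"),
    ("2019-10-28T09:30:00", "eve", "reported"),
]

CAMPAIGN_B = [
    ("2019-10-28T09:00:00", "alice", "sent"),
    ("2019-10-28T09:00:00", "bob", "sent"),
    ("2019-10-28T09:00:00", "carol", "sent"),
    ("2019-10-28T09:00:00", "dave", "sent"),
    ("2019-10-28T09:00:00", "eve", "sent"),
    ("2019-10-28T09:03:00", "carol", "reported"),
    ("2019-10-28T09:04:00", "eve", "reported"),
    ("2019-10-28T09:12:00", "alice", "clicked"),
    ("2019-10-28T09:25:00", "bob", "clicked"),
]


def _events(log):
    """Parse the (timestamp, user, event) triples into datetimes, sorted by time."""
    return sorted((datetime.fromisoformat(ts), user, ev) for ts, user, ev in log)


def click_rate(log):
    """Fraction of recipients who clicked: the 'how much of the building is on fire' number."""
    events = _events(log)
    sent = {u for _, u, ev in events if ev == "sent"}
    clicked = {u for _, u, ev in events if ev == "clicked"}
    return len(clicked & sent) / len(sent) if sent else 0.0


def still_on_fire(log):
    """The talk's point: any click at all means you are still on fire."""
    return click_rate(log) > 0.0


def time_to_first_report(log):
    """Seconds from the first send to the first user report, or None if nobody reported."""
    events = _events(log)
    sends = [t for t, _, ev in events if ev == "sent"]
    reports = [t for t, _, ev in events if ev == "reported"]
    if not sends or not reports:
        return None
    return (min(reports) - min(sends)).total_seconds()


def report_beat_first_click(log):
    """True when the security team heard about the phish before anyone clicked,
    i.e. there was still a window to pull the mail or block the URL."""
    events = _events(log)
    clicks = [t for t, _, ev in events if ev == "clicked"]
    reports = [t for t, _, ev in events if ev == "reported"]
    if not reports:
        return False
    return not clicks or min(reports) < min(clicks)


def summarize(name, log):
    """Both metrics side by side for one campaign."""
    return {
        "campaign": name,
        "click_rate": click_rate(log),
        "still_on_fire": still_on_fire(log),
        "time_to_first_report_s": time_to_first_report(log),
        "report_beat_first_click": report_beat_first_click(log),
    }


if __name__ == "__main__":
    for name, log in (("A", CAMPAIGN_A), ("B", CAMPAIGN_B)):
        print(summarize(name, log))
```

Both campaigns come out as still on fire, which is the talk's point about click rate. What changes between them is the number the security team can act on: in campaign B the first report lands three minutes after send and nine minutes before the first click, so there was time to pull the message or block the link; in campaign A the only report arrives after every click has already happened.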