Notes from OWASP Helsinki chapter meeting #31

What is DevSec, how do you use Docker securely and why do developers leak credentials? All those questions were answered at OWASP Helsinki chapter meeting #31, which was held 13.6.2017 at Solita's premises. Here are my short notes from the event. I'll add links to the presentations when they're available.

DevSec – Developers are the key to security

DevSec is an emerging trend to move developers closer to security experts, akin to DevOps. Antti Virtanen from Solita talked about DevSec and how they do it (slides, pdf). As the talk's title tells us, developers are the key, but often buying one cybersolution (giving out money) is easier than giving people's time. If we look at the return on investment, though, passive defense is more effective.

Slide topics: Value for life?, Challenges in DevSec, Issues with DevSec, Recipe works!

Docker Security

Docker is currently experiencing a very high adoption rate, and people are deploying on Docker without considering the security landscape. Mika Vatanen from Digia told us about Docker security (slides, pdf): possible attack vectors, how Docker handles security and what recommendations we should follow when using it.

Slide topics: Possible attack vectors, How Docker handles security, Docker image: tech recommendations, Docker image: policy recommendations, Docker runtime, Host and engine recommendations, AppArmor and seccomp, Seccomp.

Leaking credentials – a security malpractice more common than expected

Bogdan Mihaila from Synopsys talked about Protecode and their research on leaked credentials (slides, pdf).

Slide topics: Why credentials are leaked, Keys that got public, Mitigation, Conclusion: raise awareness.

Upcoming: DevSecOps “mini-hackathon”

The last topic was an introduction to the upcoming “mini-hackathon” by Pekka Sillanpää from OWASP Helsinki. They are planning a hands-on event in August for getting familiar with and investigating some nice open source tools, including OWASP Dependency-Check, ZAP Proxy, OWASP DefectDojo, the DevSec hardening framework and Clair. See more info on the OWASP Helsinki page.

Nebula Tech Thursday – Beer & DevOps 2.3.2017

Agile software development in the cloud can nowadays be seen more as the rule than the exception, and that's also what this year's first Nebula Tech Thursday's topics were about. The event was held 2.3.2017 at Woolshed Bar & Kitchen alongside good food and beer.

The event consisted of talks about “Building a Full Devops Pipeline with Open Source Tools” by Oleg Mironov from Eficode and “Cloud Analytics – Providing Insight on Application Health and Performance” by Markus Vuorinen & Jarkko Stråhle from Nebula. The presentations were a bit high level and directed more at business people than developers, but there was some new information on how different tools were used in practice.

Overall it was a nice event to hear how things can be done and to talk with people. Here are my short notes from the event.


Cloud Analytics – Providing Insight on Application Health and Performance

Markus Vuorinen & Jarkko Stråhle from Nebula talked about how to gather data into Elasticsearch, make it accessible, visualize it with Kibana and act on it. The ELK stack (Elasticsearch – Logstash – Kibana) is commonly used, and the presentation showed nicely how to utilize it in the cloud.

Slide topics: Technical setup, Data flow to Elastic, To visualization and alerts, Kibana main view, Kibana and response times.

Building a Full Devops Pipeline with Open Source Tools

Oleg Mironov from Eficode showed the building blocks of how to build a DevOps pipeline with open source tools and demoed it. Nothing really special if you don't count Rancher and Cattle. Just put your code in Git, use Ansible, run Jenkins jobs, build Docker images, use Robot Framework for testing, push artifacts to Artifactory and deploy with Rancher.

Slide topics: Rancher overview, DevOps Pipeline.

DevOps Finland Meetup goes Mobile at Zalando

Development and operations, DevOps, is in my opinion essential for getting things done in a timely manner, and it's always good to hear how others are doing it by attending meetups. This time DevOps Finland went mobile, and we heard nice presentations about continuous delivery for mobile applications, mobile testing with Appium and the Robot Framework, and an efficient mobile development cycle. Compared to developing web applications, mobile brings some extra hurdles to jump, but nothing that isn't solvable. Here are my short notes about the meetup.

The meetup was hosted by Zalando Technology at their new office here in Helsinki. Zalando is known to many as that online store that sells shoes, clothing and other fashion items, but things don't sell themselves, and behind the scenes they have lots of technology to keep things running. For the record, I think they said that the meetup had 65 attendees out of the 100.

Also, if mobile is your thing, there's a new Meetup group for mobile developers in Finland, which was announced at the meetup. They're also on Twitter and Facebook.

Continuous Delivery for Mobile Applications

Rami Rantala from Zalando talked about “Continuous Delivery for Mobile Applications” and how they're managing releases of their Fleek app, which is available for Android and iOS in the German market.

They didn't arrive at the final setup straight away; it was an iterative approach to how Git is used, code is merged and releases are done. Using Fastlane for all the tedious tasks, like generating screenshots, dealing with code signing and releasing your application, made automating things easier. An interesting note was that their build server slaves are Ansible-managed Mac Minis on Rami's desk. They had solved the problems nicely, but testing is still difficult.

DevOps and rollbacks don’t work together, you roll forward.

Mobile testing with Appium and the Robot Framework

Mobile testing can be done with different tools, and one option is to use Robot Framework just like for web applications. Elmeri Poikolainen from Eficode demoed how to use Appium and run Robot Framework tests on a real device. It has some limitations, and I think with native applications it could be better to use native test tools like what Xcode has to offer.

Efficient Mobile Development Cycle

The last and most fast-paced talk was by Jerry Jalava from Qvik about “Efficient Mobile Development Cycle”. He talked about different practices and tools in the development cycle, and it was a nice overview of the complexity of the process from design to done. You can, for example, run remote preview with 27 devices.

Container orchestration with CoreOS at Devops Finland meetup

Development and Operations, DevOps, is one of the important things when going beyond agile. It boosts the agile way of working and can be seen as an incremental way to improve our development practices. And what better place to improve than learning at meetups how others are doing things. This time the DevOps Finland meetup was about container orchestration with CoreOS, and it was held at Oppex's lounge in central Helsinki. The talks gave a nice dive into CoreOS, covering both beginner and seasoned expert points of view. Here are my short notes about the presentations.

CoreOS intro for beginners, by beginners

The first talk was practically an interactive CoreOS tutorial by Antti Vähäkotamäki and Frans Ojala. Their 99 slides showed step by step how to get started with CoreOS on Vagrant and what difficulties they experienced. Nothing special.

CoreOS in production, lessons learned

The more interesting talk about CoreOS was “CoreOS in production, lessons learned” by Vlad Bondarenko from Oppex, where he told us about their software stack and how they're running it. In short, they're running on bare metal with CoreOS, Nginx as a reverse proxy, Node.js for the UI and API, and RethinkDB and SolrCloud clusters. Deployment is done with Ansible and makefiles, and Ship.it is used for Node.js. Service discovery is DNS based with the docker-etcd-registrator component, and they've also written their own DNS server. For Node.js config management with etcd they've made the etcd-simple-config component. With Docker they use standard images with volumes and inject their own data into the container.

CoreOS seemed to work quite well for them, with easy cluster management, running multiple versions of third-party and their own software, and zero-downtime updates or rollbacks. But there were some cons also, like maturity (bugs) and scripting systemd.

Kontena, CoreOS war stories

The last talk was about CoreOS war stories at Kontena by Jari Kolehmainen. The slides tell the story of how they use CoreOS on Kontena and what the pain points are. In short, it comes down to configuration management and issues related to etcd.

For bootstrapping they use CloudInit, which is the de-facto way to initialize cloud instances and is integrated into CoreOS. The hard parts with etcd are discovery, security (TLS certificates), using central services vs. workers, and maintenance (you don't do it). Now they run etcd inside a container, bind it only to localhost and the overlay network (Weave Net), and the master coordinates etcd discovery. For automatic updates they use the best-effort strategy: if etcd is running, locksmith coordinates the reboots; otherwise just reboot when an update is available.
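As an added illustration (not from the talk and not Kontena's own configuration), here is a CoreOS cloud-config that follows the two points above: etcd listens only on loopback and the overlay address, and updates use the best-effort reboot strategy. It assumes the built-in etcd2 unit rather than the containerized etcd the talk describes, and the overlay IP and discovery token are placeholders.

```yaml
#cloud-config
# Added example, not from the talk. Assumes the built-in etcd2 unit,
# a Weave Net overlay address of 10.32.0.10 (placeholder) and a
# discovery URL handed out by the cluster master (placeholder token).
coreos:
  etcd2:
    discovery: https://discovery.etcd.io/<token>
    # Weak default from many quickstarts: etcd reachable on every
    # interface, with no authentication at all.
    # listen-client-urls: http://0.0.0.0:2379
    # Hardened: clients only via loopback or the overlay network.
    listen-client-urls: http://127.0.0.1:2379,http://10.32.0.10:2379
    advertise-client-urls: http://10.32.0.10:2379
    # Peer traffic stays on the overlay as well.
    listen-peer-urls: http://10.32.0.10:2380
    initial-advertise-peer-urls: http://10.32.0.10:2380
  update:
    # best-effort: if etcd is up, locksmith takes a lock before
    # rebooting; otherwise the node reboots as soon as an update is ready.
    reboot-strategy: best-effort
  units:
    - name: etcd2.service
      command: start
    - name: locksmithd.service
      command: start
```

Moving client and peer URLs to https with certificate settings is the next step the talk lists under security; it is left out here to keep the bind-address point visible.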

The presentation's summary was that the “OS” part is currently the best option for containers and etcd is a must, but a little hard to handle. For the orchestrator they suggest picking one which hides all the complexities. And automate all the things.

ApiOPS and Test Automation at DevOps Finland Meetup

A couple of weeks ago at Tampere goes Agile the question was what's beyond agile, and a partial answer was DevOps. I've read about DevOps before and tried to introduce it into use in my daily job, but new things move slowly. So, it was a good time to hear more about DevOps and how others are using it at the DevOps Finland meetup about APIOps and test automation. The meetup was held at the GE Healthcare building in Vallila and organized by Eficode. Delicious coffee and sandwiches were from Warrior Coffee. Here are my short notes about the topics discussed.

APIOps

Jarkko Moilanen talked about APIOps – Focus on Iterative and Collaborative Design-First driven API development: how to automate and streamline the API strategy and development process. But what's APIOps? In short, the APItalist creates the strategy and the APIOps troops implement it.


The talk was more about the mindset related to developing APIs than tools, but Swagger was mentioned for representing your API and SoapUI for testing. For API management Moilanen talked about APInf, which is an API management platform.

Test automation with Robot Framework

The Eficode guys talked about test automation with Robot Framework, which is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It was originally developed at Nokia Networks in 2005 and open sourced in 2006. Robot Framework uses a keyword-driven testing approach, and its capabilities can be extended by test libraries implemented either in Python or Java. Robot Framework is quite big in Finland, but to get the work forward and make it more known worldwide there's now the Robot Framework Association, put together by Eficode, Omenia, Reaktor, Eliga, Knowit, Qentinel and HiQ.

Automating payment terminal testing

After some technical difficulties with the projector we heard an intro to Robot Framework with Selenium2Library and saw a video about using it. Selenium is a suite of tools to automate web browsers, and with Selenium2Library you can use it with Robot Framework to easily implement and maintain automatic browser testing of your web application. Another use case which I find interesting is testing REST APIs.

You can use Robot Framework in many ways, as we saw with the demo of a machine for automating payment terminal testing which Eficode had built (slides, blog post in Finnish). It was a Shapeoko 2 CNC milling machine where an Arduino parsed G-code sent over the terminal bus, the payment terminal was captured with Tesseract OCR, and it was controlled by Robot Framework running on a Raspberry Pi. They had extended Robot Framework with new libraries for communicating over the serial bus and reading images from the Raspberry Pi camera.

What you can do with Robot Framework is up to you as the framework doesn’t limit you.

Future of DevOps Finland

The last talk of the meetup was about the future of DevOps Finland. DevOps Finland was started in 2013 by Erno Aapa, and now the load is distributed over a new planning team to keep things active. Sharing is caring, and so we were encouraged to share our experiences and war stories about DevOps by talking at some future meetup.

Some possible future themes for the meetup were also discussed.

  • Infrastructure orchestration
    • e.g. CoreOS, Mesos, Kubernetes, AWS tools, Rancher.
  • DevOps on Windows
    • PowerShell and Azure.
  • DevOps without computers
    • AWS Lambda, Heroku, Dokku, AWS Elastic Beanstalk, Google App Engine, IBM Bluemix (DevOps as a service).
  • How to move ops work to developers?
    • Hubot, configuration management, continuous delivery.
  • Security.
  • Ops do dev. Dev do ops.
  • How to handle corporate IT?
  • Configuration management systems
    • Chef, Puppet, Ansible, Salt.
  • Continuous integration
    • Jenkins, CircleCI, Travis. Alternatives to Jenkins.
  • Working with legacy systems
    • Handling existing data, migrating legacy operations to modern operations, using old hardware to create a cloud.
  • DevOps in the cloud
    • What cloud services to use and why? Developing in the cloud, build promotion practices.
  • Measuring, monitoring, logging
    • ELK stack, Kafka, Sentry, New Relic, Loggly, Graylog; practices and different needs.
  • Containers
    • Docker, LXC, Xen, VMware, QEMU.