David Sachdev

Ranch Hand
since Oct 18, 2011
Recent posts by David Sachdev

I'm curious to know if your book gets into the pros and cons around API frameworks such as Apigee and others.  Also, we have a lot of legacy technologies - are there certain ones that you suggest get "retired"
6 months ago

Tim Cooke wrote:This week, we're delighted to have Arnaud Lauret helping to answer questions about the new book The Design of Web APIs.



Welcome! Looking forward to a lively discussion!
6 months ago
I've got years of Java and I've worked with various UI technologies, but I haven't spent much time with Angular - and I need to rectify this. I've been busy in the DevOps world, but don't want to get too far away from application code.  Is this book a decent place for me to jump in, or would it be a better second read after spending some time with an Angular and Typescript book (or site).

Thanks
David
6 months ago

Tim Cooke wrote:This week, we're delighted to have Vlad Riscutia helping to answer questions about the new book Programming with Types.



Welcome!  Looking forward to the discussions!
6 months ago
Does your book go into what and why there are algorithms exclusive to Quantum computing?  Does it have information on if it is the speed of quantum computing, the nature of it, or other reasons that the algorithms are targeted at the platform.  Also, it seems more and more that algorithms aren't taught, but people are introduced to libraries where the low level algorithms are presented.  What are the languages and platforms that are leading the way when it comes to Quantum computing?  Looking forward to learning more!

Thanks
David Sachdev
10 months ago
Welcome!  Looking forward to the discussion.
10 months ago
Wow - thank you for such a comprehensive answer.  If your writing in the book is done to the same level of effort and understanding - I'm excited to read it even though I feel like I'm well versed in the subject!  Thank you so much for taking the time - I am actually interested in really moving all of our pipelines to the new syntax.
1 year ago
How well does your book translate to the world of CI/CD with respect to containers and Platform as a Service hosts like OpenShift?  Also are you addressing the Sec part of DevSecOps in your book, and how tied into your pipeline is it?

Thanks
David Sachdev
1 year ago
Welcome!  Looking forward to a lively discussion!
1 year ago

Julien Vehent wrote:

 I think so many places don't think about the "responding to attacks" part of the equation very well.  



This is true, and working in a DevOps environment means using very different tools and techniques than one would use in an old-style infrastructure. (endpoint security on immutable servers? what about serverless forensics? etc.)

At the same time, a lot of proven techniques can and should be ported to modern environments, so the book goes over the important stuff and explains how to implement it.

There's also a little novel about a security incident in chapter 10. I had fun writing, I hope it's a good read



And in server-less computing - your attacker may be on the same host...just doing nefarious server-less computing.  I think over time this will be the way of the future, but depending on your data - you may want to watch and wait cautiously.  
2 years ago

Julien Vehent wrote: Securing DevOps is a technical book, so we talk about tools and techniques a lot! Part 1 is a complete implementation of a CI/CD pipeline and all the security components that we can fit into it. It's 100% hands on. Part 2 is also very technical but more focused on presenting tools and techniques and less on helping the reader implement them (you'll have to do homework). Part 3 is a little less focused on tools but we still present half a dozen of them in the chapter on security testing (ZAP, Scout2, bandit, gas, etc.).

So, yeah, we talk about tools a lot



Interesting - I guess I've got a list of tools to look at and evaluate! Thanks!
2 years ago



2. Monitoring and responding to attacks. It is the fate of online services that they will get broken into eventually. When incidents happen, organizations will turn to their security teams for help, and a team must be prepared to react. The second phase of continuous security is to monitor and respond to threats, and protect the services and data the organization relies on, through techniques like fraud and intrusion detection, digital forensics and incident response, with the goal to increase the organization’s preparedness to an incident.



Having an Incident Response plan before the incident happens is very important.  You don't always want to just "cut off" the attacker - as you may want to silo them off and see what it is they plan on doing.  I think so many places don't think about the "responding to attacks" part of the equation very well.  
2 years ago
I'm curious from Julien and the general audience:

What is your "definition" or "elevator pitch" for what is DevOps and what is DevSecOps?

Here is mine:


DevOps, and these days DevSecOps, are words that are abused almost as much as Agile.  I was recently asked about the practice, and here is my elevator pitch:

“DevSecOps ensures that applications and code are well planned out from a security and infrastructure perspective.  It helps to ensure that as systems are moved up the environment chain from development all the way to production not only is the code addressed, but firewalls, network, and security concerns are handled often prior, but at least in concert with deployments to the upper environments.  This helps to ensure timely delivery of applications, software, and new functionality to allow the business to fully realize the potential of Agile Software Development.” - David Sachdev



“DevOps helps to reduce Time to value by bringing functionality to production at an accelerated pace” (Time to value (TtV) is a business term that describes the period of time between a request for a specific value and the initial delivery of the value requested. A value is a desirable business goal; it can be a quantifiable (tangible) or abstract (intangible)) https://whatis.techtarget.com/definition/time-to-value-TtV

“DevOps is a cultural change to how we do business”
2 years ago
I'm kind of curious to know how much the book delves into tools of the trade?

We personally here use:
Jenkins for Orchestration
Chef for Infrastructure as Code
Junit (and various test frameworks depending on language)
Mock services
SonarQube
Nexus
GitHub
Fortify
AWS
CloudChekr

and I'm looking at Scout2 now

Also, I'm curious to know your "definition" or "elevator pitch" for what is DevOps and what is DevSecOps?

Here is mine:

Actually, I think I will make that a new topic as I'm curious to know what the general audience has as an answer to that.
2 years ago
Welcome Julien!  Looking forward to a lively debate and discussion...and a lot of learning from others!
2 years ago