
Saturday, 9 March 2019

DevSecOps Pune Meetup 4

9th March 2019

This is our 4th DevSecOps meetup. Even more swag sponsors were added to the list. New sponsors: Elastic, Sonatype and Snyk, along with the previous sponsors Polyverse and Cloudneeti, who were already on the list. The meetup head count was the usual exact count. We have been hitting the correct and intended audience.

Qualys Pune was the venue for the meetup. This is the 2nd time we organized the meetup at Qualys. We started at 10.30 am. We had a huge list of topics this time and I was pretty sure not all of them were going to get discussed, since the most voted topics were very interesting. The following topics got discussed:

  • Machine Learning for Security: This topic got discussed for a good 40 minutes although none of us was an ML engineer and we only understood theoretical ML concepts. The topic was chosen more as a discussion, since the person who suggested it was simply curious to see whether this can be done. The topic unfolded as people discussed and understood how ML works and how it is being used in the industry. Tools like TensorFlow, Pandas, etc. got discussed. Once we had a clear picture of ML, we moved on to what security breaches we had experienced in our Ops lives in the industry. Based on our experience, we framed the logic for how an ML algorithm could be written by data science engineers by studying security auth logs and application logs. We also discussed how the ELK stack could be used to prove a security attack on a system and beyond. We agreed that as Ops people we can at best provide inputs and prove security issues in systems; an ML engineer would be the best person to advise on which ML algorithms could be used to mitigate security issues.
  • Ansible for the DevSecOps CI/CD pipeline: Ansible was suggested multiple times in past meetups as well but always went unnoticed and never got discussed. In this session, we started with Ansible and went on and on for a good 1 hour. We understood how Ansible is best used in different organizations. We also discussed how badly written Ansible code can make a mess and be no different from an old-school shell script, and we discussed the idempotency of Ansible modules. We also discussed how Ansible is being used by some firms for provisioning, configuration management and deployment altogether. We agreed that many had used Puppet for multiple jobs and later found it difficult to move to a different tool; hence using different tools for specific jobs could be useful. We discussed a typical CI/CD workflow with Terraform for provisioning, Ansible for CM, and Fabric/Capistrano or language-specific deployment tools for easy deployments and rollbacks. We also did a small whiteboard presentation on how CI/CD can be used for all 3 purposes. We also discussed DR strategies, cloud managed services like auto-scaling, etc.
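To make the "Ops provides the inputs" point concrete, here is an added example (my code, not something produced at the meetup) that turns sshd auth-log lines into per-source features of the kind a data science engineer would feed a model, and applies a rule-based baseline alert on top. The log lines, host names, IP addresses and thresholds are all constructed for the example.

```python
"""Per-source feature extraction over sshd auth-log lines, plus the rule-based
baseline that any ML model would have to beat. This is an added example, not
code from the meetup; the log lines are constructed, not a real capture."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed /var/log/auth.log excerpt: one source brute-forcing and then
# getting in, two legitimate users, one unrelated cron line.
SAMPLE_AUTH_LOG = """\
Mar  9 10:31:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  9 10:31:04 web01 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar  9 10:31:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  9 10:31:07 web01 sshd[2107]: Failed password for deploy from 203.0.113.7 port 51055 ssh2
Mar  9 10:31:09 web01 sshd[2109]: Failed password for deploy from 203.0.113.7 port 51060 ssh2
Mar  9 10:31:11 web01 sshd[2111]: Accepted password for deploy from 203.0.113.7 port 51066 ssh2
Mar  9 10:32:40 web01 sshd[2130]: Failed password for ashish from 10.0.0.5 port 40110 ssh2
Mar  9 10:32:48 web01 sshd[2130]: Accepted publickey for ashish from 10.0.0.5 port 40110 ssh2: RSA SHA256:k3yFpExampleOnly
Mar  9 10:35:01 web01 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  9 10:40:12 web01 sshd[2250]: Accepted publickey for rahul from 192.0.2.44 port 50022 ssh2: ED25519 SHA256:an0therExampleOnly
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class SourceStats:
    failed: int = 0
    accepted: int = 0
    users_tried: set = field(default_factory=set)
    invalid_users: set = field(default_factory=set)
    accepted_after_failure: bool = False


def extract_features(log_text):
    """Aggregate auth events per source IP; these are the features handed to the data scientist."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # cron, sudo, etc. are out of scope for this feature set
        s = stats[m["ip"]]
        s.users_tried.add(m["user"])
        if m["outcome"] == "Failed":
            s.failed += 1
            if m["invalid"]:
                s.invalid_users.add(m["user"])
        else:
            s.accepted += 1
            if s.failed:
                s.accepted_after_failure = True  # success preceded by failures from the same source
    return dict(stats)


def feature_rows(stats):
    """Flatten to one numeric row per IP, the shape a Pandas DataFrame or a model expects."""
    return [
        {"ip": ip, "failed": s.failed, "accepted": s.accepted,
         "users_tried": len(s.users_tried), "invalid_users": len(s.invalid_users),
         "accepted_after_failure": int(s.accepted_after_failure)}
        for ip, s in sorted(stats.items())
    ]


def baseline_alerts(stats, max_failures=5, max_users=3):
    """Threshold rules an Ops team can ship today; the thresholds are this example's assumptions."""
    alerts = []
    for ip, s in sorted(stats.items()):
        reasons = []
        if s.failed >= max_failures:
            reasons.append(f"{s.failed} failed logins")
        if len(s.users_tried) >= max_users:
            reasons.append(f"{len(s.users_tried)} distinct usernames tried")
        if s.accepted_after_failure and s.failed >= 3:
            reasons.append("successful login after repeated failures")
        if reasons:
            alerts.append((ip, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    stats = extract_features(SAMPLE_AUTH_LOG)
    for row in feature_rows(stats):
        print(row)
    for ip, why in baseline_alerts(stats):
        print(f"ALERT {ip}: {why}")
```

Run it directly to see the feature rows and the single alert for 203.0.113.7. The point of `baseline_alerts` is that a model only earns its place if it beats these rules on false positives or catches what they miss; the feature extraction is the Ops contribution either way.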


  • Git for securing code: The suggester was a developer and knew exactly how Git was not being used in the best manner to ensure security. He highlighted some best practices like code reviews, Git hooks triggered from Jenkins, linting using pre-commit hooks, and static code analysis with SonarQube before merge. We had already discussed this in detail in the CI/CD pipeline topic above as well.
  • Burp Suite: Burp Suite was a tool that many knew but never got a chance to use as such. The suggester of the topic had extensive experience using it and spoke about multiple possibilities and use cases that could be achieved with Burp Suite. He also highlighted the precautions that need to be taken before using this tool for testing, giving examples from one of his projects. Burp Suite was indeed very interesting for many members and we decided to have a demo session on it.
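As an added example of the pre-commit idea from the Git topic (my code, not the suggester's), here is a hook that scans the staged content for likely secrets before a commit is created. The regexes, the allowlist marker and the sample config file are assumptions of this example; the AWS key in the sample is Amazon's documented placeholder value, not a live credential.

```python
#!/usr/bin/env python3
"""Git pre-commit hook that refuses commits whose staged content looks like it
contains a secret. Added example, not from the meetup; the patterns, the
allowlist marker and SAMPLE_CONFIG are this example's own assumptions."""
import re
import subprocess
import sys

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # key/value style credentials: password = "...", passwd: '...'
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}
# A reviewer can mark a known false positive (e.g. a test fixture) with this comment.
ALLOWLIST_MARKER = "pragma: allowlist secret"

# Constructed file contents used for the stand-alone demonstration (--demo).
SAMPLE_CONFIG = """\
[default]
region = ap-south-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "hunter2hunter2"
test_password = "not-a-real-secret"  # pragma: allowlist secret
db_password_env = os.environ["DB_PASSWORD"]
"""


def scan_text(path, text):
    """Return (path, line_no, pattern_name) for each line matching a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings


def staged_files():
    """Paths added/copied/modified in the index, i.e. what this commit will contain."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """Read the index version of a file, not the working tree, so unstaged edits cannot mask a leak."""
    blob = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    try:
        return blob.decode("utf-8")
    except UnicodeDecodeError:
        return ""  # binary file: skip


def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for path, line_no, name in findings:
        print(f"{path}:{line_no}: possible {name}", file=sys.stderr)
    if findings:
        print("pre-commit: refusing to commit; remove the secret or add the allowlist marker after review",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    if "--demo" in sys.argv:  # scan the constructed sample instead of the Git index
        for finding in scan_text("config.ini", SAMPLE_CONFIG):
            print("%s:%d: possible %s" % finding)
        sys.exit(0)
    sys.exit(main())
```

Copy it to .git/hooks/pre-commit and make it executable; the same `scan_text` can run in a Jenkins job over the diff of a pull request. Run it with --demo to scan the built-in sample without a repository: the AWS key and the hard-coded password are reported, the allowlisted fixture and the environment-variable lookup are not.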
Takeaways from this session for speakers to prepare were:
  • Session required on ML in security
  • Demo on CI/CD in DevSecOps
  • Demo on Burp Suite
Many topics that did not get discussed were:
  • Nexus scan in Jenkins pipeline
  • SonarQube for secure code analysis
  • Pentesting with Python
  • IoT Security
  • Metasploit for pentesting
  • Cloud security
  • Prowler
  • Automobile software release cycle and the missing DevOps chain
  • Maven
  • Regulations
In the end, Shirish wanted to highlight the recent news item "All Intel Chips Open To New 'Spoiler' Non-Spectre Attack".

Some clicks :)

Saturday, 9 February 2019

DevSecOps Pune Meetup 3

9th Feb 2019

This is our 3rd DevSecOps meetup. I am glad to see the head count getting even better. Another goodies sponsor was added to the list: Cloudneeti Software sponsored a T-shirt and mugs for the best presenter.

For this meetup, we got an exact count again, with 2-3 last-minute exits. Cloudneeti Software was the venue for this meetup. We started sharp at 10.30. Surprisingly, the topics discussed this time were pretty advanced and much sought after. The following topics got discussed:
  • Kali Linux for security: The topic was a super hit and was discussed at length. We spoke for a good 20 minutes on Kali Linux and only stopped because the next topics were equally interesting. We spoke about the old distro BackTrack and how Kali got introduced. Others added their inputs on how Kali is used by different SecOps people in the industry. Overall we all agreed that Kali was far too vast a topic to just discuss and rather needed a presentation plus demo, with so many tools within it.
  • OWASP Top 10 web app security risks: As we discussed Kali, we also spoke about the OWASP Top 10 in the same discussion and this went on for another 20 minutes. Not all of us were aware of all the OWASP Top 10 risks, hence we Googled them just for making notes; however, with time limitations we could only discuss the most famous one, SQL Injection, and a little about XSS. We also concluded that this needed a bigger session.
  • CI/CD in the DevOps pipeline: The DevSecOps CI/CD pipeline was discussed briefly in the 1st meetup but we did not deep dive into it then. In this meetup we actually went into the depths of Jenkins, Git, SonarQube, static code analysis, container image security, the role SecOps has to play, vulnerable libraries being used by devs and how to resolve this, how GitHub now has built-in vulnerability analysis, and many more details. We also drew the following CI/CD architecture diagram for a DevSecOps pipeline.
  • Ansible secure key rotation: This was more of a question to the forum as to how this could be done, since Chef and Puppet use agents with their own keys for security while Ansible uses SSH. We agreed that the keys must get rotated and many companies do follow this. The answer suggested was that Ansible's authorized_key module helps you rotate keys.
  • Security patching at scale in the cloud: This was again a question, and the answer was that many companies do this using cloud-native tools to create golden images, with other tools to get into the image and verify that it is CIS compliant. This applies not just to images but to the cloud environment and resources in general. Once again Prowler was discussed as a way to evaluate the cloud environment.
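Since SQL Injection and XSS were the two OWASP risks we actually got to, here is an added example (my code, not from the meetup) showing each in vulnerable and hardened form against an in-memory SQLite table. The table contents, the hash strings and the payloads are constructed for the example.

```python
"""Vulnerable and hardened versions of two of the OWASP Top 10 issues the group
discussed: SQL Injection and reflected XSS. Added example, not from the
meetup; uses an in-memory SQLite table with constructed rows."""
import html
import sqlite3


def build_db():
    """Constructed users table standing in for a real application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT);
        INSERT INTO users (username, password_hash) VALUES
            ('ashish', 'pbkdf2$constructed-hash-1'),
            ('rahul',  'pbkdf2$constructed-hash-2');
    """)
    return conn


def find_user_vulnerable(conn, username):
    # Classic SQLi: the attacker's string becomes part of the SQL statement itself,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    # Parameterised query: the value travels separately from the statement text and
    # can never change its structure, whatever characters it contains.
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY username", (username,))]


def greeting_vulnerable(name):
    # Reflected XSS: untrusted input written straight into the HTML response.
    return f"<p>Hello, {name}</p>"


def greeting_safe(name):
    # Output encoding: the browser renders the text instead of executing it.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


SQLI_PAYLOAD = "' OR '1'='1"  # turns the WHERE clause into a tautology
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", find_user_vulnerable(db, SQLI_PAYLOAD))  # ['ashish', 'rahul']
    print("safe:      ", find_user_safe(db, SQLI_PAYLOAD))        # []
    print(greeting_vulnerable(XSS_PAYLOAD))
    print(greeting_safe(XSS_PAYLOAD))
```

The vulnerable lookup returns both rows for the tautology payload because the quote closes the string literal; the parameterised version returns nothing because the driver treats the whole payload as data. The same separation of data from code is what `html.escape` buys on the output side.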
Takeaways from this session for speakers to prepare were:

  • Kali Linux hands-on demo
  • OWASP Top 10 risks
  • CI/CD in DevSecOps
A few topics that did not get discussed were:
  • Metasploit for Pentesting
  • GDPR automation
  • Deploying Software securely
  • Cloud security trends 2018-19
An important topic that Budhram put forth was what minimum qualifications and expertise companies look for in a fresher candidate to consider them eligible for a DevOps engineering role. This was a good debate cum discussion that we all took part in at the end.

This turned out to be a long event in spite of the small number of attendees. Ashish, Budhram, Shrikant and Dhiru got goodies for keeping the discussion going and actively participating in all topics. Some others got stickers.

Some clicks :)

Friday, 18 January 2019

DevSecOps Pune Meetup 2

For the 2nd DevSecOps meetup, we already had our first swag sponsor. For DevOps Pune, I received swag from Docker and Ansible. HashiCorp was also planning to send a few.

With DevSecOps, our 1st swag sponsor was Polyverse :) I couldn't resist posting these.


For this meetup, I changed the RSVP format to get an exact count. I was expecting to start soon at a bigger location. We couldn't risk wasting resources. Lean Coffee needs logistics to be taken care of and hence needs to be addressed really well. Everyone who RSVP'd on the meetup page was asked to call/SMS/WhatsApp the organizers to book a slot, so the Meetup page RSVP alone meant nothing.

Qualys Pune was our venue, logistics and refreshment sponsor this time. When I first told them about the meetup, this is how they arranged the seating :) :

I told them about the format and later we changed the seating to best suit the format.

We had 12 RSVPs and 10 attendees this time, with just 1 last-minute informed cancellation. That was a perfect number. We also made sure the refreshments we ordered were packed and long-lasting so we didn't waste food.

With 10 attendees we started pretty much on time, and this time we had a huge list to discuss and the participants were from mixed domains, unlike the last meetup. This time we had QAs, support engineers, DevOps engineers, consultants and developers altogether.

The following topics got discussed:
  • Understanding PKI - Public Key Infrastructure (How does SSL work?)
  • CIS Benchmarking
  • SOAR (Security Orchestration, Automation and Response)
  • AWS Compliance
  • Securing serverless in Azure (Function as a Service)
  • Debian Linux and Contributing to it
  • Microservices with an example
SSL and PKI got discussed a lot, since Muneeb Shaikh really explained concepts we were unaware of that go into building a PKI, and how public and private keys work. A 5-minute discussion stretched to a good 30 minutes with inputs from everyone.

SOAR was a new process and concept that Rahul spoke about, and it is worth reading about for everyone. CIS compliance was a hit this time too; we understood it was a topic worth a presentation, hence it was added to the DevOps Pune meetup agenda. Later we spoke about AWS compliance and how Prowler could be used to check compliance in AWS. We also discussed the importance of good naming conventions and tagging in AWS. There was some chaos when we spoke about serverless and microservices together, which turned into a debate topic that we took up at the end of the meetup. The final closing topic was Debian systems and how we could contribute to them.

Takeaways from this session for speakers to prepare were:
  • PKI and SSL encryption
  • Microservices
A few topics that did not get discussed were:
  • Types of Security and importance of each
  • GRC - Governance, Risk and Compliance
  • Security Testing with Selenium
  • Achieving CI/CD with Ansible
This turned out to be a long event in spite of the small number of attendees. Muneeb got a Polyverse T-shirt for keeping the PKI discussion going and for actively participating in all the other topics as well. Some others got stickers.

Some clicks :)

DevSecOps Pune Meetup 1

After some good success, a huge gap and some mixed learning experiences organizing DevOps Pune meetups, I decided to start the DevSecOps Pune meetup. This was mainly because I was exploring possibilities in the information security world. The idea started after seeing the DevSecOps Seattle Meetup and the learning experience I had there simply by reading their updates. I saw regular posts on Facebook about this meetup group from my long-time mentor Archis Gore. I was still confused about whether to start a meetup in Pune or just stick to the Seattle meetup and attend it virtually. You don't always have to be an organizer to learn.

However, Archis told me that the Seattle meetup could not be attended virtually, as the format could not support virtual attendance. This was a Lean Coffee format, something different for me. On learning more about the format, it really sounded like a plan to start a similar meetup in Pune. Archis was here in Pune in October 2018, when I met him to understand the organizer's role in this format. And then we were in for a great start. I got Rahul Khengare with me this time as a co-organizer and started the meetup group. Cloudneeti helped us by sponsoring the meetup group.

I knew the first meetup would be a small one with limited attendees. I expected fewer than 10 attendees to show up, and the RSVP count always goes wrong. I remember wasting a lot of food and other resources in the past due to incorrect RSVP counts. I chose a location in central Pune so that it's easy for everyone to commute to. Thanks to Bobby Jadhav for sponsoring the venue, i.e. HauteBook's office.

We had 5 attendees in this meetup, as expected. The count was not important. What was more important was whether good topics came up. With Lean Coffee we expect every participant to come up with good topics to vote for and speak about. The topics that got discussed were:

  • Docker image security and its challenges (Highest voted)
  • DevSecOps CI/CD pipeline with Kubernetes
  • Cloud Security
  • Metasploit - Kali Linux
We discussed a lot about Docker security, and Snyk and Twistlock as Docker security tools were also explored further, as was how CIS compliance helps cloud security and the common habit of engineers disabling SELinux first on any system, which is a bad practice. Although there were just 5 of us, the discussion went on for a huge 2 hours and it was indeed a wonderful learning experience.

We also decided later that the takeaways from this lean-coffee format would become speaker-attendee format topics for us to deep dive into further. This was a great takeaway, since with the DevOps meetups we only spoke about what the speaker was best at, which may or may not have been the community's learning requirement. Takeaways from this session for speakers to prepare were:
  • CIS Compliance
  • SELinux / AppArmor
These topics were added as topics on the DevOps Pune meetup and the hunt for speakers started there. A few topics that did not get discussed due to lack of time were:
  • iptables
  • Ansible, Terraform and CI/CD for pod deployments on AWS
  • AWS security alternatives
  • Security compliance
  • Securing Nginx
Overall it was a wonderful learning experience. Cheers to all the attendees.

Some clicks :)

Sunday, 27 July 2014

Mumbai Technology Meetup - DevOps Special

On July 27th at 10 am, a DevOps special meetup was conducted at Directiplex, Mumbai. It's very rare to see a meetup given as much importance as any other technology conference. Speakers from different organizations were present and shared their knowledge. Tremendous knowledge and experience shared free of cost. The meetup went on from 10 am (it started a little late) until around 5.30 pm. The agenda itself was very appealing.

No entry fees. It's a free event. Just ensure you learn and make use of that learning :-)

======================================

11.00 am - 12.00 pm : SaltStack [incl. LXC basic]: by Rigved Rakshit - Directi

Rigved introduced LXC: its setup, its concepts and how it is similar to/different from Docker, with some commands and configs. Due to lack of time he could not cover SaltStack though.

=====================================

12.00 pm - 1.00 pm : Configuration Management at Rackspace by Shaunak Kashyap - Rackspace

Shaunak conducted this over Hangouts while he was at a 12-hour time difference. Shaunak showed how Rackspace uses Ansible to automate provisioning and other CM tasks.

======================================

1.00 pm - 1.30 pm : Chef Fundamentals and DevOps by Sanju Burkule - OpexSoftware

Sanju gave a brief introduction to Chef and to OpexSoftware, who are partners of Chef and conduct professional Chef training with certifications. Sanju also shared his knowledge of how Chef is different from Puppet, as he has used both.

======================================

1.30 pm - 2.00 pm : Lunch - Lets not talk about this. Blame the rain.

======================================

2.00 pm - 3.00 pm: Puppet [incl. preparatory VirtualBox fundamentals] by Ashish Chandra - Reliance Jio

Ashish gave an introduction to Puppet and some basics: how easy it is to set up a Puppet master and get going. He also shared some of the scripts he uses to provision 500 instances in 6-7 minutes.

=======================================

3.00 pm - 4.00 pm: Ansible by Aditya Patawari - BrowserStack

This was the 2nd time I met Aditya; we met earlier at RootConf in Bangalore. Aditya gave an introduction to Ansible and how it is better than/different from Chef/Puppet.

=======================================

4.00 pm - 5.00 pm : Capistrano by Mayur Rokade - Directi

Mayur conducted a live demo of how to use Cap for deploys, with a little intro and setup for Capistrano.

=======================================

5.00 pm - 6.00 pm : Docker Fundamentals by Augustine Correa - Organizer of the event

Sunday, 11 May 2014

Meetup.com practices

For quite some time I have been attending meetups/sessions organised through meetup.com at different locations. I have seen that the general practice is quite similar everywhere.
  • The agenda is posted on the meetup group by the organizers/speakers.
  • People mark RSVP (even when most of them won't show up).
  • Less than 30 percent attendance is seen.
  • The actual event starts at least 30-40 minutes (or more) later than scheduled because of latecomers.
  • The speakers and the participants just socialize or sit idle.
  • The latecomers always give the same reason: couldn't find the location/stuck in traffic.
  • Many first-time visitors to the meetup probably have no clue what the meetup is all about and expect the basics to be covered first.
  • The organizers would probably consider reviewing the basics based on the majority.
  • The meetup covers, most of the time, everything as per the agenda.
  • A break with some snacks/refreshments and for socializing.
  • The meetup concludes with informal planning for the next meetup to be arranged.
  • A feedback mail is received for the meetup.
Finally, it all goes well here, but I see a few problems that could be avoided.

Latecomers:
This is something that can't be avoided. However, I honestly feel that this could be minimized to a certain extent for sure. Also, most of the organisers already practice this and I think it helps them.
  • While giving a time, keep a buffer of at least 15-20 minutes, as certain things like traffic cannot be avoided.
  • Provide a Google Maps link for people to locate the place fast. Some important landmark nearby could help too.
  • The general traffic situation at that time of day is also helpful for people to know, so they can leave a little early; e.g. if the meetup is conducted in the evening at a busy location, it could take hours to reach the venue.
  • Directions to the location would help too, e.g. if someone comes by bus, the bus stop they should ask the bus conductor for and the bus number they need to look for; if by rickshaw, the nearest possible landmark to the location and the approximate walking distance if it is complicated to find.

Newcomers:
Many meetups have new faces who expect the basics or introductory material to be covered so they can keep up with the pace. When the meetup starts directly, these people don't get most of the things and then probably won't join the next meetup either. Covering the basics time and again will bore the regulars, as it just eats up their time.
  • Newcomers need to make an attempt to reach the venue as early as possible, ask questions of the organizers or the people present, and make the most of the time to understand the introductory part.
  • The organizers could play the slides of the previous meetup or of introductory meetups for the beginners/newcomers to know what was covered, or perhaps covering the basics in the first 15-30 minute buffer can also be a good idea, provided the newcomers come early.
  • Beginners can also read about the past meetups, check whether the slides for them are available on the page and review them, understand what topics were covered, read up on them and then join the meetup. It's just like attending classes in college and reading a brief on the topic before the lecture.

Socialize:
Less participation is seen in terms of socializing at a few meetups. You never know who could help you with the kind of problems you are stuck on at the office. I have come across so many situations where I don't know what approach to follow for a particular problem, and the experts I meet at meetups/conferences have really splendid and simple solutions that I could not have thought of. Not only will they give you a solution, they will also explain why that solution is the best one to use. Michael Ducy from Chef (formerly Opscode) provided a really good, simple and descriptive answer on the best approach to follow for Chef-Docker integration.

Incorrect RSVP:
One practice that is seen is that people simply click attending/going and do not turn up for the meetup. In almost every meetup I see attendance of less than 30%. Planning to attend a meetup in advance and marking the RSVP is good; however, if the plan changes, updating the RSVP is a good practice too. It keeps the organizers updated and helps them arrange the event well. It gives me the feeling that people just RSVP yes to a meetup because it's free. It becomes difficult for the organisers to arrange the meetup because of incorrect RSVPs. I have seen last-minute arrangements being made at many meetups and I will surely not blame the organisers for it; it's just that they can't trust the RSVP and then have to rely on the last-minute attendance.
  • Update your RSVP whenever you change your decision for any reason.
  • Mention the reason in the comments if your decision changes, so that your co-participants will look for you at the next meetup. Everyone is an important member of the meetup.
  • If you plan to bring a friend/colleague along with you, update the RSVP to reflect the change.

Feedback:
The organizers keep looking for feedback on the meetup that they organized voluntarily and selflessly (marketing the brand can be ignored for a while). Attendance is as low as 30% and feedback is even lower, close to around 10%. Honest feedback helps the organizers organize better in future.
  • Always provide feedback after the meetup, verbally as well as on the meetup page.
  • Let people know that it was nice to see them at the meetup. This builds a good network; there are high chances that next time they will attend the meetup to meet you and socialize further.
  • It's all about giving respect and getting it back.