DevSecOps - Security in times of daily deploymentsende

Security has never been more important than it is today, and never more difficult. How to deal with security in times when multiple new versions are deployed to production every day?

In this talk Michael explains how you can achieve a security-first culture in your company and how you can integrate security and pen-testing into your DevOps pipeline. The talk will cover the assume breach paradigm, zero trust, shift-left security, and red team blue team simulations.

Sichere Anwendungen und DevSecOps - von A bis Zdeen

Im Jahre 2016 legte ein Streit um den Namen Kik quasi das gesamte Internet lahm: eine Open-Source Lösung mit elf Zeilen Code wurde aufgrund des Streits zurückgezogen und tausende von Webseite sind daraufhin temporär ausgefallen. Auch SolarWinds erzeugte durch eine Sicherheitslücke im Jahre 2020 Aufregung, die durch einen Angriff auf die Softwarelieferketten ihrer Software namens Orion erfolgte und mehr als 33.000 Kunden einem Angriff aussetzte – darunter sicherheitsrelevante Behörden wie Homeland Security und das Finanzministerium.

Anwendungssicherheit ist nicht einfach nur ein Sicherheits-Check nach einem Release oder eine statische Code-Analyse. Anwendungssicherheit muss in den Entwicklungsprozess integriert werden – und sie muss die ganze Lieferkette betreffen.

In diesem Talk zeigt Michael Kaufmann wie sie Sicherheit komplett in ihren Prozess integrieren können. Schwerpunkt liegt dabei auf:

- Sichere Entwicklungsumgebungen
- Secret-Scanning und Secret-Rotation
- Analyse ihrer Abhängigkeiten (Software Composition Analysis - SCA)
- Verwaltung der Lieferketten mit Dependabot
- XSS, SQL-Injection und Speicher-Leaks finden
- Statische und dynamische Codeanalysen (SAST und DAST)
- Eigene Abfragen mit CodeQL

Der Talk ist für alle interessant, die sich für Anwendungssicherheit interessieren: sowohl Entwickler als auch DevOps-Engineers.

Deep-Dive into Gitdeen

In dieser Dev-Session werden wir Hands-on alle weiterführenden Themen in Git behandeln:

- Wie funktioniert Git?
- Was ist eigentlich DAG, SHA-1, Patch und ein Commit?
- Was sind Branches und Tags?
- Wie löst man Merge-Konflikte?
- Wie manipuliert man die Historie mit ammend, reset, rebase und cherry-pick?
- Wie arbeitet man mit dem Stash?
- Wie sucht man in Git?

Außerdem gibt es sehr viele Praxis-Tipps, die das Arbeiten mit Git leichter machen: die richtige Konfiguration, automatische Korrektur der Befehle, und viele mehr.

Die Session richtet sich an Entwickler die schon Grundkenntnisse mit Git haben – bisher aber eher durch ausprobieren gelernt haben. Sie ist aber auch für Teilnehmer geeignet, die neu im Thema Git sind aber Erfahrung mit anderen Quellcodeverwaltungen haben.

Voraussetzung für die Session ist eine aktuelle lokale Installation von Git, ein Texteditor und ein kostenloser Account auf GitHub.

To sign, or not to sign – everything there is to know about signing commits and tagsende

In today’s fast-paced software landscape, efficient release processes are critical. Git, as a decentralized version control system, relies on synchronizing changes across different repositories. However, authentication and authorization are decoupled from commit author information. To ensure authenticity, developers can sign commits and tags using PGP or SSH keys.

Join us in this session as we explore all aspects of signing commits and tags:

- GitHub Validation: Understand how GitHub validates author information for commits and tags.
- Key Management: Learn best practices for creating and managing PGP and SSH keys.
- Security Considerations: Dive into key security measures.
- Local Signing: Discover how to sign commits and tags locally.
- GitHub and Codespaces: Explore signing within GitHub and Codespaces.
- Enforcing Signed Commits: Implement signed commits for protected branches.
- Vigilant Mode: Uncover the benefits of enabling vigilant mode.
- 1Password Integration: Utilize 1Password to store SSH keys and PGP passphrases.

Whether you’re part of large open-source projects or small security-focused teams, signing practices vary based on context and Git workflows. We’ll focus on practical scenarios where signing adds value, drawing from real-world examples. Join Michael as he shares insights on when signing accelerates progress and when it’s essential to tread carefully.

Zurück in die Zukunft – DevOps als Motor der Unternehmen von morgendeen

Die Art, wie wir zusammenarbeiten, war schon immer durch unseren technischen Fortschritt geprägt – von der Zeit der Krämer und Kaufleute, über die Zeit der Industrialisierung bis in das digitale Zeitalter. Der Fortschritt hat aber nicht aufgehört: mit künstlicher Intelligenz, der Cloud, Hologrammen und der zunehmenden Vernetzung aller Geräte schreitet er schneller voran als je zuvor. Welchen Einfluss hat das auf die Unternehmen – heute und in der Zukunft?

Michael Kaufmann sieht DevOps als eine logische Folge aus einer Spannung zwischen unserer Arbeitsweise und dem technischen Fortschritt. Er erklärt in seiner Keynote, welche Faktoren Einfluss auf unsere Unternehmensstruktur und Wertschöpfung haben, welches die drei Säulen sind, auf die Unternehmen sich stellen müssen, damit sie auch in Zukunft erfolgreich sein werden und welchen Einfluss das Auf die Arbeit von Entwicklern haben wird.

„Wer in der Zukunft lesen will, muss in der Vergangenheit blättern.“ (André Malraux) – so regt dieser Vortrag dazu an, die Vergangenheit mit anderen Augen zu sehen, um eine neue Vision der Zukunft zu erhalten.

.NET in der Box: Best Practices für Microservice APIs mit .NET Core in Docker und AKSde

In diesem Workshop zeigt Michael Kaufmann Best Practices für die Entwicklung und den Betrieb von Microservices mit .NET Core in Docker Container. Die Container werden in Azure Container Services (AKS) betrieben. Folgende Themen werden behandelt:
- .NET Core Best Practices für Entwicklung von REST-APIs
Evolution der APIs (von SOAP über REST nach gRPC)
Modern .NET Patterns
Authentication
Credential Handling
Middlewares
Bereitstellen von Client APIs SDKs
- Best Practises von .NET Core Applikationen in Docker Containern und AKS
Konfiguration
Parameter
Health Checks
Logging
- Closed Loop (Development, Debugging
- Continuous Delivery mit Azure DevOps nack AKS (Container DevOps, Always-On Updates)
- Debuggen und Pull-Request Validierung von Multi-Container-Anwendungen mit AKS Dev Spaces
- Logging und Monitoring mit Application Insights und Azure Monitor

Die Teilnehmer werden lernen, wie man eine Anwendungsplattform, die aus vielen einzelnen Container besteht, strukturiert und entwickelt, was in .NET Core zu beachten ist, wie man live-debugging durchführt und wie man das Gesamtpaket ausrollt.

Das Ziel des Hands-On ist, dass jeder Teilnehmer am Ende eine funktionierende Code- Azure DevOps und Azure-Struktur haben wird, mit der er weiter experimentieren und sein zukünftiges Produkt fließend aufbauen kann.

From Application Security to Developer Security – Shift left with GitHub Advanced Securityen

Research shows, that most developers are still seeing security as a burden that slows them down. Too many security alerts in too many platforms overwhelm developers –not enough or no alerts are an indication of e a security risk. This leads to either slower software delivery or a higher security risk for your application.

This talk will demonstrate how you can use GitHub as the central developer experience platform for all your security tools – giving developers a consistent experience and allowing them to address security issues as early as possible. The talk will cover strategies to drive adoption across your teams and introduce you to the default DevSecOps tooling from GitHub: Secret Scanning, Code Scanning, Dependabot, and Security Overview.

Accelerate Innovation with DevOpsen

Research has proven, that highly effective companies, which successfully have transformed to a DevOps culture, are faster, more effective, and they score higher on customer satisfaction and innovation. But many companies still struggle to break up their silos and adopt these practices.

This talk will explain why many transformations fail and it will give you practical guidance on how to get your transformation back on track. Enriched with many real-world examples from customers, this talk will give you a battle-proven guide to a successful transformation: in small steps, but with a clear vision and direction. Starting with the WHY and a sense of urgency and celebrating the wins as you transform step by step.

DevOps is only 10 percent about tool and processes – but 90 percent about people. A successful transformation must also be 90 percent about the people and the culture to make it a success.

Deep-Dive into Gitdeen

In dieser Dev-Session werden wir Hands-on alle weiterführenden Themen in Git behandeln:

- Wie funktioniert Git?
- Was ist eigentlich DAG, SHA-1, Patch und ein Commit?
- Was sind Branches und Tags?
- Wie löst man Merge-Konflikte?
- Wie manipuliert man die Historie mit ammend, reset, rebase und cherry-pick?
- Wie arbeitet man mit dem Stash?
- Wie sucht man in Git?

Außerdem gibt es sehr viele Praxis-Tipps, die das Arbeiten mit Git leichter machen: die richtige Konfiguration, automatische Korrektur der Befehle, und viele mehr.

Die Session richtet sich an Entwickler die schon Grundkenntnisse mit Git haben – bisher aber eher durch ausprobieren gelernt haben. Sie ist aber auch für Teilnehmer geeignet, die neu im Thema Git sind aber Erfahrung mit anderen Quellcodeverwaltungen haben.

Voraussetzung für die Session ist eine aktuelle lokale Installation von Git, ein Texteditor und ein kostenloser Account auf GitHub.

Microservices - the cloud-native way with AKS and DAPRen

In this hands-on workshop you will learn how to architect microservices-based solutions, implement them with ASP.NET Core, containerize them, and deploy them to Azure Kubernetes Service (AKS). Furthermore, you will learn to continuous delivery distributed SaaS solutions in a cloud-native way with DAPR and apply SRE practices to ensure you meet your SLO’s.

GitHub Advanced Security boot camp – hands-on workshopen

Software supply chain attacks and secrets leakages are still one of the biggest threat vectors for software companies. But supply chain security does not have to be a burden and slow down development! With GitHub Advanced Security (GHAS) you can incorporate security into your development process with a developer first mindset.

This hands-on workshop is designed for developers that want to improve their security posture by giving them practical exercises to get to know GHAS.

The workshop covers:

- Dependency graph, dependabot, and dependency review
- Secret scanning and push protection
- Code scanning and pull request integration
- Include other security tools in GHAS
- CodeQL and writing custom queries
- Rolling out GHAS in your organization

Target audience
This hands-on workshop is designed for developers that want to improve their security posture by giving them practical exercises to get to know GHAS. This is an advanced GitHub topic. We assume that participants have a basic understanding of git, GitHub and GitHub Actions.

Prerequisites
- A laptop (Windows, Mac, or Linux)
- A free account for https://github.com
- A text editor of choice (Visual Studio Code, VIM, Atom, Notepad++ or similar)
- Git in a current version (>2.23, on Windows with Git-Bash for beginners)

Empowering Digital Transformation: Harnessing the Potential of OpenAI and ChatGPTende

This session delves into the transformative power of OpenAI and ChatGPT in accelerating digital transformation. We will explore the possibilities of how these advanced technologies can assist businesses in expanding their digital presence, developing more efficient processes, and delivering customer-centric solutions. Dive into the world of machine learning and artificial intelligence to understand how OpenAI and ChatGPT can revolutionize the way we conduct business and interact with customers. Discover how organizations can enhance their innovation capabilities and gain competitive advantages by strategically leveraging these powerful technologies. This session offers an inspiring perspective on the future of digital transformation and how OpenAI and ChatGPT can be a driving force in this process.

Empower Your DevSecOps Journey: GitHub Advanced Security Boot Camp - A Hands-On Workshopen

Software supply chain attacks and security breaches continue to pose significant threats to software companies worldwide. However, securing your software supply chain need not be a cumbersome process that hampers development speed. With GitHub Advanced Security (GHAS), you can seamlessly integrate security into your development workflow, fostering a developer-first mindset.

Join us for this immersive, hands-on workshop tailored for developers seeking to enhance their security proficiency through practical exercises and in-depth exploration of GHAS. This workshop will equip you with the knowledge and skills to fortify your applications and protect against supply chain vulnerabilities.

Key Workshop Highlights:
- **Dependency Graph, Dependabot, and Dependency Review:** Learn how to effectively manage and secure your software dependencies.
- **Secret Scanning and Push Protection:** Discover techniques to detect and safeguard against secret leaks.
- **Code Scanning and Pull Request Integration:** Incorporate automated code scanning into your development pipeline.
- **Integrating Other Security Tools with GHAS:** Extend GHAS capabilities by integrating additional security tools.
- **CodeQL and Custom Query Development:** Harness the power of CodeQL to create custom security queries.
- **Rolling Out GHAS in Your Organization:** Gain insights into strategies for implementing GHAS across your organization.

Prepare to embark on a transformative DevSecOps journey and elevate your security posture with GHAS. This workshop is your gateway to mastering GitHub Advanced Security, enabling you to safeguard your software supply chain without compromising development efficiency.

Don't miss this opportunity to bolster your security skills and protect your organization's digital assets.

Revolutionizing DevOps: Harnessing AI for Unprecedented Efficiencyen

Artificial Intelligence (AI) is reshaping industries worldwide, and its profound influence is extending to DevOps practices. In this enlightening conference talk, join Michael as he delves into the extensive possibilities of enhancing DevOps processes through data and AI integration. From optimizing code development (DevEx) and streamlining pipelines to enhancing production environments with AI-driven monitoring, anomaly detection, and self-healing systems, Michael will illustrate the remarkable synergy between AI bots and ChatOps. Discover how these AI-driven solutions can efficiently resolve incidents and assign the most qualified engineers to ongoing tasks, ushering in a new era of DevOps efficiency and effectiveness.

Navigating the DevOps Transformation Journey: Unlocking Innovation and Breaking Down Silosen

Embracing a DevOps culture has been proven to empower organizations with unparalleled speed, effectiveness, customer satisfaction, and innovation. However, many companies continue to grapple with the challenges of dismantling silos and implementing these practices successfully.

In this enlightening conference talk, we will explore the reasons behind the stumbling blocks that often hinder transformation initiatives. Drawing from a rich tapestry of real-world examples from various organizations, this presentation offers a battle-tested roadmap for a successful DevOps transformation. Learn how to take measured yet decisive steps, guided by a clear vision and strategic direction. Begin with the essential "WHY" and a sense of urgency, and celebrate each milestone along the transformation journey.

While tools and processes account for only 10 percent of DevOps, the remaining 90 percent centers on people and culture. Discover the pivotal role of individuals and organizational culture in ensuring the success of your transformation endeavors. Join us to gain invaluable insights into accelerating innovation, breaking down silos, and cultivating a culture of collaboration and agility within your organization. Don't miss this opportunity to embark on a transformative journey that can unlock your company's full potential.

Efficiency Unleashed: Mastering Automated Releases in a Multi-Team Environmentende

In today’s fast-paced software landscape, efficient workflows and release processes are critical. Join Michael in this session as he explores a comprehensive approach to fully automate the end-to-end release cycle across multiple teams. We’ll dive into practical techniques using GitHub Flow, GitVersion, GitHub Actions, and Dependabot to streamline versioning, release notes, and dependency updates.

Discover how this automation not only saves time but also enhances quality, allowing your teams to focus on innovation rather than manual tasks.

Whether you’re a developer, DevOps engineer, or team lead, this session will equip you with actionable insights to elevate your release pipelines and developer workflows to the next level.

Security 101: A Beginner’s Guide to Cybersecurity and Zero Trust for Developersen

In this session, we will delve into fundamental cybersecurity concepts, explore the concept of zero trust, and discuss key themes across various security domains. This session is especially for developers and will focus on how they can improve their company's security posture without having security slowing them down.

The session will cover the following topics:

**Basic Cybersecurity Concepts:**
- Understanding the CIA triad: Confidentiality, Integrity, and Availability.
- Differentiating between risks and threats.
- Exploring the role of security controls in safeguarding systems and data.

**Zero Trust: A Paradigm Shift**
- Defining zero trust and its principles.
- Why zero trust matters in today’s interconnected and dynamic digital landscape.
- How to implement zero trust strategies effectively.

**Key Concepts Across Security Domains**
- Identity and Access Management (IAM): Managing user identities and permissions.
- Networking Security: Protecting networks from threats.
- Security Operations (SecOps): Incident response, monitoring, and threat hunting.
- Infrastructure Security: Securing servers, cloud resources, and endpoints.
- Data Security: Safeguarding sensitive information.

**Examples of Security Tools**
- Firewalls: Network security appliances.
- Intrusion Detection Systems (IDS): Detecting suspicious activity.
- Endpoint Protection: Securing devices.
- Encryption Tools: Protecting data in transit and at rest.

**The Consequences for Developers**
- Securing development environments and pipelines.
- Manage the Software Supply chain and automate the update vulnerable dependencies.
- Automatically securing your code and infrastructure as code using code scanning tools.
- Prevent leaked credentials and manage / rotate credentials in a secure way.

Attendees will gain a solid understanding of cybersecurity fundamentals, learn about zero trust principles, and discover practical tools to secure the entire development lifecycle.

Unlocking the Power of AI: Transforming Software Developmentende

In a rapidly evolving world, artificial intelligence (AI) is reshaping our reality. It’s not just about automating tasks; it’s about revolutionizing how we build software. This talk will guide you through practical ways to leverage AI as a developer—from requirements analysis and coding to testing and documentation. Expect live demos that showcase the seamless integration of AI tools, empowering you to elevate your software development process. Beyond GitHub Copilot, we’ll delve into other AI forms that can enhance the entire software development life cycle (SDLC). Join us on this transformative journey!

GitHub boot camp – hands-on workshopen

GitHub is more than just source control. It is a complete DevOps solution that can help you to accelerate your entire development process – from idea to production. In this practical boot camp, you’ll get to know all parts of GitHub and you’ll learn all tricks to get you an effective start.

The workshop is designed for developers that have used other platforms like Azure DevOps, GitLab, or Bitbucket and now want to switch to GitHub. But it is also suitable for people that are new to topics like git, CI/CD and DevOps.

Agenda:

Part 1: Idea to code
- Introduction to GitHub
- Collaborate with GitHub Issues and pull requests
- Hands-on: GitHub issues und pull requests
- GitHub Projects (beta), Discussions, Wikis and Pages

Part 2: Code to Cloud
- Branching strategies and git workflows like GitHub flow
- Working locally with git (hands-on)
- Introduction to GitHub Actions workflows und YAML
- Hands-on: My first Action workflow
- Types of GitHub Actions
- Hands-on: My first container Action
- Hands-on: My first JavaScript Action
- GitHub Packages and GitHub Releases
- Hands-on: Releasing NPM packages
- Hands-on: Releasing Docker containers
- Staged deployments with environments

The workshop is designed for developers that have used other platforms like Azure DevOps, GitLab, or Bitbucket and now want to switch to GitHub. But it is also suitable for people that are new to topics like git, CI/CD and DevOps. The coding samples are all simple and in JavaScript/bash.

Participants need a GitHub account, a local git client, and a text editor.

From 0 to hero: GitHub Actions kick starten

GitHub has a new workflow and automation engine: GitHub Actions. It’s much more than just a CI/CD pipeline solution – it is a workflow engine you can use to automate anything in GitHub in a secure way. With over 10,000 actions in the GitHub marketplace, GitHub is a rapidly growing ecosystem that connects all your tools to automate every step of your software development process.

In this practical half-day workshop, you’ll learn everything related to GitHub Actions:

- YAML and YAML syntax
- Workflows, triggers, and jobs
- Workflow runners (hosted and self-hosted)
- Variables, secrets, contexts, and expressions
- Workflow commands
- Hands-on: My first workflow
- Actions: JavaScript/Typescript, Docker, and Composite Actions
- Hands-on: My first GitHub Action
- Templates und reusable workflows
- Environments und staged deployments
- Hands-on: My first multi-stage pipeline with approvals
- Security considerations when using GitHub Actions

The workshop is designed for developers and DevOps engineers that are experienced in other CI/CD platforms, like GitLab, Jenkins, or Azure Pipelines, and want to switch to GitHub Actions. But people that are completely new to the topics will also be able to follow along.

I’m a GitHub accredited trainer and give GitHub and developer trainings for many international companies.

The workshop is designed for developers and DevOps engineers that are experienced in other CI/CD platforms, like GitLab, Jenkins, or Azure Pipelines, and want to switch to GitHub Actions. But people that are completely new to the topics will also be able to follow along.