

Michael Kaufmann
Microsoft MVP and RD, Founder/CEO Xpirit Germany
Stuttgart, Germany
Michael Kaufmann is a Microsoft MVP and Regional Director and the CEO of Xpirit Germany. Mike has been working as a .net developer and architect for more than 20 years. In addition to implementing agile techniques (like scrum), ALM and DevOps practices, he is an Azure architect and a Clean Code addict. He shares his knowledge in books, trainings, his blog, articles and as a speaker and keynote speaker at international conferences.
Michael Kaufmann is a Microsoft MVP and Regional Director and currently serves as managing director of Xpirit Germany. Mike has worked in the IT industry for more than 20 years as a developer, consultant, trainer and manager. Michael is the author of several published books and a regular speaker at international conferences.
DevSecOps - Security in times of daily deployments en de
Security has never been more important than it is today, and never more difficult. How do you deal with security at a time when multiple new versions are deployed to production every day?
In this talk Michael explains how you can achieve a security-first culture in your company and how you can integrate security and pen-testing into your DevOps pipeline. The talk will cover the assume breach paradigm, zero trust, shift-left security, and red team blue team simulations.
DevSecOps: Security in times of daily deployments en de
Security has never been as important as it is today – and never as difficult. How do you handle security in times when new versions are rolled out to production several times a day?
In this talk Michael Kaufmann shows how to create a culture of security and integrate security and pen testing into the DevOps process. In practical demos he shows best practices for Azure security and governance. He also introduces exercises such as red team/blue team and chaos engineering.
Secure applications and DevSecOps - from A to Z de en
In 2016, a dispute over the name Kik practically brought the entire internet to a standstill: an open-source solution with eleven lines of code was withdrawn because of the dispute, and thousands of websites went down temporarily as a result. SolarWinds also caused a stir in 2020 with a security breach that resulted from an attack on the software supply chain of its software Orion and exposed more than 33,000 customers to an attack – among them security-relevant agencies such as Homeland Security and the Treasury Department.
Application security is not simply a security check after a release or a static code analysis. Application security must be integrated into the development process – and it must cover the entire supply chain.
In this talk Michael Kaufmann shows how you can integrate security completely into your process. The focus is on:
- Secure development environments
- Secret scanning and secret rotation
- Analysis of your dependencies (software composition analysis - SCA)
- Managing the supply chain with Dependabot
- Finding XSS, SQL injection and memory leaks
- Static and dynamic code analysis (SAST and DAST)
- Custom queries with CodeQL
The talk is of interest to everyone interested in application security: developers as well as DevOps engineers.
Deep-Dive into Git de en
In this dev session we will cover all advanced Git topics hands-on:
- How does Git work?
- What exactly are a DAG, SHA-1, a patch and a commit?
- What are branches and tags?
- How do you resolve merge conflicts?
- How do you manipulate history with amend, reset, rebase and cherry-pick?
- How do you work with the stash?
- How do you search in Git?
There are also many practical tips that make working with Git easier: the right configuration, automatic correction of commands, and many more.
The session is aimed at developers who already have basic knowledge of Git but have so far learned mostly by trial and error. It is also suitable for participants who are new to Git but have experience with other version control systems.
The prerequisites for the session are a current local installation of Git, a text editor and a free GitHub account.
To sign, or not to sign – everything there is to know about signing commits and tags en de
Git is a decentralized version control system and relies on synchronizing changes between different repositories. That’s why authentication and authorization are completely decoupled from the author information of commits. To ensure the authenticity of commit author information, you can sign commits and tags with a PGP key.
This talk covers all aspects of signing commits and tags:
- How GitHub validates author information of commits and tags
- Creating and managing PGP keys
- Key security
- Signing commits and tags locally
- Signing commits and tags in GitHub and Codespaces
- Enforcing signed commits for protected branches
- Enabling vigilant mode
- Signing off commits
From big public open-source projects to small teams that work in private repos on security-relevant code – not all repositories in GitHub are the same. Best practices for signing depend on the context and the git workflow used. The focus of this talk lies on the applicability and practical scenarios in which signing brings value. Michael brings a lot of real-world examples of when signing brought real value – and when it only slowed down teams.
To sign or not to sign – everything you need to know about signing commits and tags en de
Git is a decentralized version control system designed to synchronize changes between different repositories. For this reason, authentication and authorization are completely independent of the author information of commits and tags. To ensure authenticity, an author can sign them with their PGP key.
This talk covers all aspects of signatures in Git and GitHub:
- How GitHub validates author information of commits and tags
- Creating and managing PGP keys
- Security of PGP keys
- Signing tags and commits locally
- Signing tags and commits in GitHub Codespaces
- Enforcing signatures on protected branches
- Vigilant mode
- Signing off commits
From large open-source projects to small teams working in private repositories – the context for working with Git is very diverse. Best practices for signing commits, however, depend heavily on this context and the workflow used. The focus of this talk is on explaining in which scenarios signatures add value and increase security, and in which they simply slow teams down.
Back to the future – is DevOps the driving force for tomorrow's businesses? de en
The way we humans collaborate has always been related to our technological advancement – from the time of chapmen and merchants, through the era of industrialization, to the digital age. But our progress did not stop: artificial intelligence, cloud computing, holograms, connected devices – what influence does this technological progress have on the way we collaborate, and therefore on businesses?
Michael Kaufmann believes that DevOps is the logical consequence of the tension between our current way of collaborating and our fast technological advancements. He explains in his keynote what factors influence our corporate culture and the way we create value for our customers.
You will learn how the role of engineers has evolved over time and the impact it has on our daily work: teamwork in cross-functional teams, globally distributed teams that span multiple time zones, asynchronous ways of working, and a completely new approach to attracting, retaining, and training talent.
The talk will focus on topics like:
- Open and inner sourcing
- GitOps and ChatOps
- Containers
- Security
“Who wants to read in the future, must scroll in the past.” (André Malraux) – this talk invites you to look at the past with different eyes – to get a new vision for the future of work.
.NET in a box: best practices for microservice APIs with .NET Core in Docker and AKS de
In this workshop Michael Kaufmann shows best practices for developing and operating microservices with .NET Core in Docker containers. The containers are run in Azure Container Services (AKS). The following topics are covered:
- .NET Core best practices for developing REST APIs
  - Evolution of APIs (from SOAP via REST to gRPC)
  - Modern .NET patterns
  - Authentication
  - Credential handling
  - Middlewares
  - Providing client API SDKs
- Best practices for .NET Core applications in Docker containers and AKS
  - Configuration
  - Parameters
  - Health checks
  - Logging
- Closed loop (development, debugging
- Continuous delivery with Azure DevOps to AKS (container DevOps, always-on updates)
- Debugging and pull request validation of multi-container applications with AKS Dev Spaces
- Logging and monitoring with Application Insights and Azure Monitor
Participants will learn how to structure and develop an application platform that consists of many individual containers, what to watch out for in .NET Core, how to do live debugging and how to roll out the whole package.
The goal of the hands-on is that every participant ends up with a working code, Azure DevOps and Azure structure with which they can continue to experiment and smoothly build their future product.
From Application Security to Developer Security – Shift left with GitHub Advanced Security en
Research shows that most developers still see security as a burden that slows them down. Too many security alerts in too many platforms overwhelm developers – not enough or no alerts are an indication of a security risk. This leads to either slower software delivery or a higher security risk for your application.
This talk will demonstrate how you can use GitHub as the central developer experience platform for all your security tools – giving developers a consistent experience and allowing them to address security issues as early as possible. The talk will cover strategies to drive adoption across your teams and introduce you to the default DevSecOps tooling from GitHub: Secret Scanning, Code Scanning, Dependabot, and Security Overview.
Accelerate Innovation with DevOps en
Research has proven that highly effective companies that have successfully transformed to a DevOps culture are faster and more effective, and they score higher on customer satisfaction and innovation. But many companies still struggle to break up their silos and adopt these practices.
This talk will explain why many transformations fail and it will give you practical guidance on how to get your transformation back on track. Enriched with many real-world examples from customers, this talk will give you a battle-proven guide to a successful transformation: in small steps, but with a clear vision and direction. Starting with the WHY and a sense of urgency and celebrating the wins as you transform step by step.
DevOps is only 10 percent about tools and processes – but 90 percent about people. A successful transformation must also be 90 percent about the people and the culture to make it a success.
Microservices - the cloud-native way with AKS and DAPR en
In this hands-on workshop you will learn how to architect microservices-based solutions, implement them with ASP.NET Core, containerize them, and deploy them to Azure Kubernetes Service (AKS). Furthermore, you will learn to continuously deliver distributed SaaS solutions in a cloud-native way with DAPR and apply SRE practices to ensure you meet your SLOs.
Deep dive into git de en
In this practical session, we’ll cover all advanced topics of git:
- How does git work?
- What is a DAG, SHA, patch, and a commit?
- What are branches and tags?
- How do you solve merge conflicts?
- How do you manipulate your history using commit amend, reset, rebase, and cherry-pick?
- How do you work with the stash?
- How do you search in git?
Furthermore, the session is packed with practical tips that help you to work with git: the right configuration, auto-correct of commands, recording merges, and many more.
The session is designed for developers that already have a basic knowledge of git but learned it through trial and error. But it is also suitable for developers that are new to git and only have experience in other version control systems.
I'm the author of the book Git for Dummies (Wiley-VCH 2021, German) and an accredited GitHub trainer and I give many git and developer trainings to international customers.
The session can be a hands-on workshop or a demo session. Both work.
If the session is a hands-on workshop, then the prerequisites are a local git installation, a text editor, and a free GitHub account.
GitHub Advanced Security boot camp – hands-on workshop en
Software supply chain attacks and secrets leakage are still among the biggest threat vectors for software companies. But supply chain security does not have to be a burden and slow down development! With GitHub Advanced Security (GHAS) you can incorporate security into your development process with a developer-first mindset.
This hands-on workshop is designed for developers that want to improve their security posture by giving them practical exercises to get to know GHAS.
The workshop covers:
- Dependency graph, Dependabot, and dependency review
- Secret scanning and push protection
- Code scanning and pull request integration
- Include other security tools in GHAS
- CodeQL and writing custom queries
- Rolling out GHAS in your organization
Target audience
This hands-on workshop is designed for developers that want to improve their security posture by giving them practical exercises to get to know GHAS. This is an advanced GitHub topic. We assume that participants have a basic understanding of git, GitHub and GitHub Actions.
Prerequisites
- A laptop (Windows, Mac, or Linux)
- A free account for https://github.com
- A text editor of choice (Visual Studio Code, VIM, Atom, Notepad++ or similar)
- Git in a current version (>2.23, on Windows with Git-Bash for beginners)
GitHub boot camp – hands-on workshop en
GitHub is more than just source control. It is a complete DevOps solution that can help you to accelerate your entire development process – from idea to production. In this practical boot camp, you’ll get to know all parts of GitHub and you’ll learn all tricks to get you an effective start.
The workshop is designed for developers that have used other platforms like Azure DevOps, GitLab, or Bitbucket and now want to switch to GitHub. But it is also suitable for people that are new to topics like git, CI/CD and DevOps.
Agenda:
Part 1: Idea to code
- Introduction to GitHub
- Collaborate with GitHub Issues and pull requests
- Hands-on: GitHub issues and pull requests
- GitHub Projects (beta), Discussions, Wikis and Pages
Part 2: Code to Cloud
- Branching strategies and git workflows like GitHub flow
- Working locally with git (hands-on)
- Introduction to GitHub Actions workflows and YAML
- Hands-on: My first Action workflow
- Types of GitHub Actions
- Hands-on: My first container Action
- Hands-on: My first JavaScript Action
- GitHub Packages and GitHub Releases
- Hands-on: Releasing NPM packages
- Hands-on: Releasing Docker containers
- Staged deployments with environments
The coding samples are all simple and in JavaScript/bash.
Participants need a GitHub account, a local git client, and a text editor.
Deep dive into git – half-day workshop de en
In this half-day workshop, we’ll cover all advanced topics of git:
- How does git work?
- What is a DAG, SHA, patch, and a commit?
- What are branches and tags?
- How do you solve merge conflicts?
- How do you manipulate your history using commit amend, reset, rebase, and cherry-pick?
- How do you work with the stash?
- How do you search in git?
Furthermore, the workshop is packed with practical tips that help you to work with git: the right configuration, auto-correct of commands, recording merges, and many more.
The workshop is designed for developers that already have a basic knowledge of git but learned it through trial and error. But it is also suitable for developers that are new to git and only have experience in other version control systems.
Prerequisites for the session are a local git installation, a text editor, and a free GitHub account.
I'm the author of the book Git for Dummies (Wiley-VCH 2021, German) and an accredited GitHub trainer and I give many git and developer trainings to international customers.
From 0 to hero: GitHub Actions kick start en
GitHub has a new workflow and automation engine: GitHub Actions. It’s much more than just a CI/CD pipeline solution – it is a workflow engine you can use to automate anything in GitHub in a secure way. With over 10,000 actions in the GitHub marketplace, GitHub is a rapidly growing ecosystem that connects all your tools to automate every step of your software development process.
In this practical half-day workshop, you’ll learn everything related to GitHub Actions:
- YAML and YAML syntax
- Workflows, triggers, and jobs
- Workflow runners (hosted and self-hosted)
- Variables, secrets, contexts, and expressions
- Workflow commands
- Hands-on: My first workflow
- Actions: JavaScript/TypeScript, Docker, and Composite Actions
- Hands-on: My first GitHub Action
- Templates and reusable workflows
- Environments and staged deployments
- Hands-on: My first multi-stage pipeline with approvals
- Security considerations when using GitHub Actions
The workshop is designed for developers and DevOps engineers that are experienced in other CI/CD platforms, like GitLab, Jenkins, or Azure Pipelines, and want to switch to GitHub Actions. But people that are completely new to the topics will also be able to follow along.
I’m a GitHub accredited trainer and give GitHub and developer trainings for many international companies.
Application security and DevSecOps - end to end de en
In 2016, a dispute over the name Kik led to an outage that affected nearly the entire internet: an open-source package with 11 lines of code, which every developer could easily have written themselves, was withdrawn from the package registry and caused thousands of websites to break. And in 2020, SolarWinds caused a security leak that affected over 33,000 customers, amongst them the Department of Homeland Security and the Department of Treasury: an attack on the software supply chain of their software Orion was successful and led to malicious software being distributed to many of their clients.
Incidents like these prove that application security is not just security testing before you ship your software or architecture reviews. Security must be baked into your development process and it must span the entire software supply chain.
In this talk you’ll learn how you can integrate security into your complete development process:
- Secure development environments
- Secret scanning and secret rotation
- Dependency management and software composition analysis (SCA)
- Manage your software supply chain with Dependabot
- Find XSS, SQL injection, and memory leaks
- Static and dynamic security testing (SAST and DAST)
- Hunt for vulnerabilities writing your own CodeQL queries
The talk is for everyone that is interested in application security – developers as well as DevOps engineers.
The talk explains how you can bake security into your development and DevOps process. The focus lies on GitHub Advanced Security – but also other tools for SCA, SAST, and DAST are introduced.
