Sunday 1 November 2015

Velocity Conference - Notes & Takeaways, pt.1

Lots of insightful and different things going on at Velocity conference in Amsterdam this year! I've written up some of the key takeaways from the sessions I joined.

Docker Tutorial (John Willis)

If you haven’t worked much with Docker yet, the slides for this tutorial might be useful - they are a general walk-through covering concepts, products, some hints at best practices and practical exercises for consolidation. Be aware it’s pretty long (at Velocity the session took 3 hours, and that was with him actually skipping all the exercises), but it really does cover a lot!


Using Docker Safely (Adrian Mouat)

Mouat discussed the different attack vectors of containers, as well as a good few practical steps and strategies for applying common security paradigms (defence-in-depth and least privilege) to Docker and containers generally. A book chapter version of the talk is available from O'Reilly, which is handy!


Tracking Vulnerabilities in your Node.js Dependencies (Guy Podjarny and Assaf Hefetz)

Very neat demo of a security project (snyk.io - or if you prefer: npmjs.com/package/snyk) that finds and fixes (!) known security vulnerabilities in your Node.js dependencies. Watch the actual demo yourself if you're curious, it’s only 13 min long!


Managing Secrets At Scale (Alex Schoof)

Really valuable talk, and well worth reviewing. Some key considerations:
  • Secrets are everywhere, whether we think of them or not.
  • As an industry, we don’t currently tend to manage secrets very well - even when bearing in mind that security is always about trade-offs.
  • Secret management should be considered tier 0 / core infrastructure, i.e. it should be highly available and have monitoring, alerting and access control.

In light of this, Schoof proposed the following core principles of modern secret management:
  1. The set of actors who can do something should be as small as possible.
  2. Secrets need to expire, so set up efficient, easy ways to do secret rotation (this shouldn't require a deploy). NB: This also implies that secrets shouldn't be in version control.
  3. Make secret management user friendly: It should be easier to handle secrets in secure ways than insecure ways.
  4. As the security of a system is only as strong as its weakest access link, make sure you know what your weakest links are, and address them.
  5. Secrets must be highly available, as they will stop the basic functioning of apps if they aren't.

The talk went on to discuss all the various aspects of building a secret management system, which you can follow along via the slides; it was quite interesting. Existing services that were discussed and recommended in the talk were Vault, Keywhiz and CredStash, but all of these solutions are still pretty new, so with any of them there’ll probably still be quite a bit of tweaking required to get a management system in place that works well for your company.
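To make principles 1, 2 and 5 concrete, here is a toy in-memory secret store I've added to these notes (it is not from Schoof's talk or any of the tools named above): readers are an explicit per-secret set, rotation appends a new version that consumers pick up at use time without a deploy, expiry is enforced, and every access lands in an audit trail that monitoring could consume. All names (`SecretStore`, `build_dsn`, `db_password`) are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class SecretVersion:
    value: str
    created_at: float
    ttl: float  # seconds within which this version must be rotated

    def expired(self, now: float) -> bool:
        return now >= self.created_at + self.ttl


class SecretStore:
    """Versioned secrets with per-secret read ACLs, expiry and an audit trail (hypothetical)."""

    def __init__(self, clock):
        self._clock = clock   # injectable clock (e.g. time.time) so tests control time
        self._versions = {}   # name -> [SecretVersion, ...], newest last
        self._readers = {}    # name -> set of actors allowed to read it
        self.audit = []       # (time, actor, action, name, outcome), feed for monitoring

    def grant(self, name: str, actor: str) -> None:
        # Principle 1: the set of readers is explicit and kept per secret.
        self._readers.setdefault(name, set()).add(actor)

    def rotate(self, name: str, value: str, ttl: float) -> int:
        # Principle 2: rotation appends a version; nothing is redeployed.
        versions = self._versions.setdefault(name, [])
        versions.append(SecretVersion(value, self._clock(), ttl))
        self.audit.append((self._clock(), "rotator", "rotate", name, "ok"))
        return len(versions)  # the new version number

    def read(self, name: str, actor: str) -> str:
        now = self._clock()
        if actor not in self._readers.get(name, set()):
            self.audit.append((now, actor, "read", name, "denied"))
            raise PermissionError(f"{actor} may not read {name}")
        current = self._versions[name][-1]  # KeyError if the secret was never set
        if current.expired(now):
            self.audit.append((now, actor, "read", name, "expired"))
            raise RuntimeError(f"{name} is past its TTL; a missed rotation fails loudly")
        self.audit.append((now, actor, "read", name, "ok"))
        return current.value


def build_dsn(store: SecretStore, actor: str) -> str:
    """Consumer resolves the secret at use time, so rotate() takes effect on the next call with no deploy."""
    return f"db://app:{store.read('db_password', actor)}@db.internal"
```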


Seeing the Invisible: Discovering Operations Expertise (John Allspaw)

Etsy CTO John Allspaw reveals what he gets up to in his free time: he pursued an MA in “Human Factors and Systems Safety” at Lund University, Sweden (as you do). His own research as part of completing this MA explores the area of human factors in web engineering, both with respect to understanding catastrophic failures and with respect to understanding the human factors involved in not having catastrophic failures in the face of things potentially going wrong literally all the time. Human Factors and Ergonomics (HFE) research has a long history in areas like aviation, surgery and mining, but is still relatively under-researched in our industry.

The talk itself (20 mins) was more of a primer with not a lot of hard and fast content - for some of the latter have a look at Allspaw’s MA thesis or, for a shorter version, his contribution in the forthcoming book “Human Factors and Ergonomics in Practice.”


PS: I also managed to partake in book signings by both Kelsey Hightower and John Allspaw! Meaning I finally got my own copy of the incredible "Web Operations". RESULT.
