WORKSHOP

ENGLISH / SPANISH

Breaking the build: our DevSecOps habits

6 hours

On demand event. Date and location to be defined

The term DevSecOps is becoming increasingly popular. Beyond its benefits, people want to discover how this approach works and how to implement it in their companies or projects. In this talk, we aim to answer these questions by sharing our work habits that revolve around the DevSecOps culture and range from managing our infrastructure to improving our vulnerability management platform.

Date

Scheduled by agreement between participants and Fluid Attacks.

Location

Held at an external venue.

Duration

Six hours (9 a.m. to 3 p.m.) with a 30-minute break.

Audience

For technical and managerial staff. Ideally 14–16 attendees from your company, plus 4 from Fluid Attacks. Decision-makers should attend.

Talk content

A live demo of the concepts from “Burn the Datacenter”: tools, logs, and code for real-time deployment over actual infrastructure.

Cost

Fluid Attacks covers venue and food. Attendees cover transport and parking if needed.

Content of the conference

This seminar/workshop aims to implement the concepts and techniques covered in “Burn the Datacenter”. Everything is performed live over real infrastructure and applications, giving the audience a look behind the scenes of the process: the tools used, the logs that allow us to identify issues, and even the source code that defines each step for the correct deployment of our applications, always focusing on how our infrastructure and products are updated in real time.

To help understand how everything happens and demonstrate how to take the first step to reach this configuration, we also explain all the work habits that have allowed us to reach this point and keep improving daily. These include topics such as:

  • Continuously hacking the systems to guarantee that security is integrated into the SDLC.

  • Source code management inside repositories, following a monorepo structure (say goodbye to multirepo).

  • Keep a clean and small environment for the developers, including the changes to the master branch, avoiding code accumulation and reaching zero inventory (leaving gitflow behind).

  • Generate daily value for customers through a micro-changes methodology (instead of big changes every 3 weeks or more).

  • Migrate and manage all the infrastructure as versioned source code, turning it into immutable infrastructure (avoiding management consoles and unauthorized changes).

  • Define Continuous Integration environments as source code, pipeline as code, in a way that can easily be configured and modified for all kinds of tests (avoiding graphical interface limitations for pipeline configurations).

  • Avoid servers at any cost, migrating to cloud services and reaching a serverless infrastructure.

  • Safe password management when deploying an application, avoiding sensitive information disclosure in source code and keeping the secrets protected.

  • Deploy ephemeral environments that allow testing all the developed features before passing to production (reducing project complexity by avoiding development environments, testing, QA and others).

  • Breaking the build even before making a commit to the repository using local reproducible integration tests to check the source code.

  • Perform tests over the source code and over the deployment that break the build as a result of the smallest error (instead of only notifying and allowing the error to keep evolving/growing):

    • Unit testing

    • Functional testing

    • Coverage

    • Strict Linters

    • Security gates (SAST and DAST)

    • E2E

  • Extreme reduction of build times by using the cache correctly.

  • Take advantage of the features offered by the Git version control client:

    • Peer review

    • Squashing

    • Rebasing

    • Rollback

    • Trigger builds

  • Telemetry accessible to developers (rather than logs available only to the infrastructure area).

Each of the points above is explained while accessing Fluid Attacks' systems to look at its implementation and operation. Depending on the needs or interests of the participants, it is possible to focus on the topics they deem most important.

Experience

This workshop has been presented to professionals in technology and auditing areas for companies such as: Accenture, Arus, ATH, Avianca, B89, Bancolombia, Banitsmo, BIVA, Cadena, Cidenet, Colpatria, Cognox, Coordiutil, Corona, EAFIT, Evendi Digital, F2X, GCO, Grupo AVAL, Grupo Éxito, Interbank, Komet Sales, Nutresa, Payválida, Protección, RUNT, Seti, Banco Pichincha, Soy Yo, BTG Pactual, Caja Cusco, Banco Azul, Sistecrédito, Banco Agromercantil, Bantrab, Telered, Virtualsoft, Linea Directa, OxxO, Chubb, Banco Bolivariano, ACH, Sodexo, Mutualser, Niubiz, Nequi, La Haus, Banco General Panamá, Yappy, MFTech, Banco Industrial and Tech and Solve.

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

© 2025 Fluid Attacks. We hack your software.
