Posted on August 2020 By Theo Borek
Last week iO’s Consultants, James and Theo, hosted their own Breakfast Briefing for DevOps Leaders. Read Theo’s thoughts and summary of the session below:
I was recently involved in iO Associate’s first fully virtual round-table-style DevOps breakfast briefing. The focus of the session was around Testing and Deployment in the Cloud, however this topic is inherently intertwined with many others meaning that the discussion was very dynamic and covered many more topics and insights.
Are you still using Jenkins? Why/Why not?
It was discussed that Jenkins needs lots of maintenance to stay secure as it is overcomplicated with lots of permissions therefore vulnerable to a hack. This surprised me as Jenkins is so widely used. Circle was promoted as a preferred alternative, with more use of Github Actions touched on as a potential next step in the future.
How do you test for security?
A common opinion was that the security testing done in most organisations was insufficient; common methods like external PEN tests could gleam some value but were generally very limited. It was suggested internal tests and audits with shared responsibility from security focused professionals and development teams could cover deficiencies in each team and ensure better security.
How do you measure your team’s success in deployment?
Our attendees mentioned how they are not using any methods to measure success of deployment. The breadth of tools available limit the ability to measure, however they would want to be moving much faster and efficiently in monitoring capacity – therefore increasing the observability of the processes throughout deployments.
What is the future of testing in the cloud?
The last two questions, on the future of testing in the cloud and missing tools for container deployments had a lot of overlap. Flagger – a progressive delivery operator for Kubernetes – and VAMP – an AIOps platform for Cloud-Native Release Orchestration – seem to have a lot of potential for the future, however both need to be easier to use. It was agreed that CloudWatch seems to be the monitoring stack of choice for testing in cloud environments currently.
What are the missing tools for great container deployments?
Regarding the missing tools for great container deployments, it was discussed that there were MPM issues that were yet to be solved. As touched on already, Flagger and VAMP seem to be tools that should be more widely used and, in many settings, would greatly aid organisations’ container deployments.
We concluded that to really nail security, developers need to build model and strategy from the assumption that all clouds are compromised (with zero trust in the cloud). However, a huge amount of OS changes would be needed and therefore not realistic.
We, at iO, thoroughly enjoyed getting insights into other sectors, other organisations and perspectives. We hope everyone who attended also got something out of the breakfast briefing to aid their future strategies regarding deployments in the cloud. If anyone would like to get involved or has ideas on future topics we could cover, please get in touch!