
Wax Conf 2023: Let's debrief!


June 14, 2023

Hold on tight! On June 1, 2023, the WAX CONF in Aix-en-Provence attracted more than 300 visitors, offering conferences rich in feedback on three major pillars: Cybersecurity, Cloud Native, and Responsible Digital Technology. At the same time, the "TERRE FRAGILE" exhibition prompted deep reflection on global warming and the protection of our environment.

Lionel GAIROARD, DevOps Practice Leader at Squad, attended the third edition of WAX CONF, an event bringing together experts in DevSecOps and cybersecurity. Relive the conferences that made an impression on him in this exciting RETEX: 

"I'm trying to deploy microservices on-premises. Is that a problem, doctor? Or how to industrialize the deployment of microservice applications on-premises" by Ludovic Blass, IKKI LEAGUE, and Gérald Roncajolo, SOFTWAY MEDICAL

The challenge? Industrializing the deployment of microservices in an aging architecture. And who better to guide us than Ludovic Blass and Gérald Roncajolo from Softway Medical, a full-service company specializing in publishing, integration, and hosting.

Their plan to move from publisher to host is part of a broader initiative involving 34 functional squads that develop products, services, or features, supported by cross-functional and infrastructure teams.

They told us about "Hospital Manager," a patient record management tool that is a Java monolith. To make it more flexible, they decided to break it down into a microservices architecture to gain modularity and scalability.

The RedHat OpenShift solution was their choice for orchestrating containers, with the code hosted on a private GitLab instance. Updates are managed via continuous GitLab pipelines.

They had to juggle two installation modes: local clusters hosted directly at certain customers' premises to reduce latency, and the use of the entire SaaS solution and microservices.

A temporary DevOps team was set up to train the squads and empower the teams to implement industrialization. For packaging and deployment management, they used Helm and ArgoCD.

They successfully validated a POC with an initial critical service that needs to be updated weekly, then generalized and defined a templatization strategy to make integration and deployment actions consistent and easily reusable.

The result? Secure and rapid updates, up-to-date local sites, and teams that are autonomous in updating and deploying their services. Twenty industrialized microservices out of fifty services is a good start!

All that remains is to finish industrializing microservices, continue evangelizing squads, build dashboards with key infrastructure metrics, add more automated tests to CI, and implement A/B testing or Blue/Green testing.


"We put Chaos into production at Carrefour" by François Berthault, FGTECH

Chaos Engineering at WAX CONF—does that ring a bell? It's the work of François Berthault, K8s expert and head of Chaos Engineering implementation at Carrefour. Get ready, it's going to make some noise!

First, a quick lesson: what is Chaos Engineering? It is the art of unpredictability in a complex system. This concept was popularized by Netflix during their migration to the AWS cloud.

How does it work? We start from a steady state, form a hypothesis about that state, introduce a variation, and then either refute or confirm the hypothesis. It's a way of testing a system's resilience. Note that this is neither a "machete test" (breaking things at random) nor a way of making a system anti-fragile.

Chaos Engineering is like a vaccine: we inject failures into the system to simulate outages before they occur in production. It's a way to strengthen the system's resilience, much like our bodies become more resistant after a vaccine.

Why Chaos? Because it's spreading. From Netflix to OuiSNCF, many companies are adopting this approach to improve their resilience. And at Carrefour? Chaos arrived in the form of "Chaos Night": nighttime debugging sessions in production.

And the outcome? It's a real adventure in learning, sharing, and improvement. With Chaos Engineering, we become stronger and more resilient, we simulate realistic scenarios, and we minimize the impact of failures by having a very good understanding of applications and how they interact. In short, we experiment, we fail, we correct, and we improve. That's what agility is all about!


"When Ansible is no longer enough: orchestrating 236 firewalls in a critical infrastructure at Enedis" by Lucas Galton and Henri Sourdet, Enedis

Think Ansible can do everything? Think again! Lucas Galton and Henri Sourdet explain how they developed FOOGaaS, a logical firewall, to effectively manage 236 firewalls in a critical infrastructure at Enedis.

FOOGaaS, developed in Go, is a logical firewall that groups together several physical firewalls and applies rules to easily deploy configurations on multi-vendor firewalls. The application is stateless; only the version of the configuration to be deployed is generated.

But why not just use Ansible?

  • Complexity: Ansible struggles to manage multiple firewall manufacturers and OSP data manipulation.
  • Performance: Ansible would take 425 minutes to update all firewall rules in the zone (55,000 rules to write at 850 ms per rule), which is far too long.
  • Rights management: it is difficult to maintain rights segmentation with Ansible.
  • Responsiveness: Ansible is not responsive enough for Enedis's needs.

So they created FOOGaaS: an MVP with "as code" definition, two-step validation, and the desire for a certain degree of responsiveness in firewall rule management.

The policy language is very similar to Terraform's HCL language.

And the result? Very high availability for orchestrating and updating 55,000 rules on 236 firewalls on OpenStack cluster instances at AURA (Enedis). This is a solution that does the job, and does it well!


"My Life on Flash Sale on the Dark Web" by Nicolas Comet, Ubisoft Bordeaux

Nicolas Comet, Senior Cloud Engineer at Ubisoft Bordeaux, shared a captivating personal story at WAX CONF. With a touch of humor, he recounted the disturbing discovery that his personal and professional information was being sold on the Dark Web.

While he was quietly enjoying his weekend with his family, a call from Ubisoft's CTI turned this moment of relaxation into a real-life crime drama.

"Hello, Nicolas, just to let you know that over 400 of your user accounts are currently on sale in a flash sale on the Dark Web..." And now our friend Nicolas is in panic mode...

Undeterred, after a few exchanges with Ubisoft's security team and a turbo reset of all his compromised accounts, Nicolas humorously shared his adventure on the conference's main stage, turning his misadventure into a lesson in IT security for everyone.

Ubisoft worked with a service provider to purchase all the information sold on the Dark Web in order to assess the extent of the damage.

Nicolas then shared some tips on how to avoid getting caught out, such as using an effective password policy (diceware method, passphrases, MFA, password rotation) and opting for password managers (KeePass, BitWarden, Keeper, etc.).

He summed up his advice with his trademark humor: "Do as I say, not as I do!"

The highlight of the show? The admission that the flaw came from his own personal computer, following the download of an unofficial version of CPU-Z. A word of advice for gamers: always download official software!

Nicolas concluded his speech by mentioning the W3C's WebAuthn standard, which enables strong passwordless authentication through the use of asymmetric keys.

This memorable presentation reminded us that we can learn and laugh at the same time, but above all, how important it is to implement a strict security policy and raise awareness among all staff in our organizations.


"Behavioral analysis for the security of your production" by Rachid Zarouali, SevenSphere

When Rachid Zarouali, CNCF ambassador, Docker Captain, Microsoft Azure MVP, talks about security, we listen!

At WAX CONF, Rachid gave us a fascinating presentation on the Falco tool, including a live demo. For those who are unfamiliar with it, Falco is an open-source tool that enables threat detection and behavioral analysis in container and orchestration environments, such as Kubernetes.

It is your trusted spy, working in real time to monitor system activities and enforce security rules to identify suspicious or malicious behavior.

Falco can do much more than just play spy:

  1. Detection of abnormal behavior: Falco analyzes system events and, if there is activity that matches a defined security rule, triggers an alert to signal potentially dangerous behavior.
  2. Customizable security rules: Need rules specific to your environment? Falco has what you need. It offers the ability to create and customize security rules according to your needs.
  3. Integration with other tools: Falco can be integrated with other security systems to enhance threat detection and incident response.
  4. Real-time notifications: When suspicious activity is detected, Falco immediately alerts administrators or security teams for a rapid response and thorough investigation.
  5. Audit and compliance: By monitoring and recording system activities, Falco can help meet regulatory compliance requirements.
  6. Container and Kubernetes support: Falco was designed specifically for container and orchestration environments such as Kubernetes, enabling it to detect threats specific to these environments.

The conference concluded with a demonstration of the application of a behavioral rule on access to a site on a particular port.

If a user attempts such a request, Falco automatically logs the action, the user is blocked from accessing the target VM again, and the logs can then be aggregated and made available in a SIEM for analysis and detection of potential threats. A real must-have in cybersecurity!
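As an added example (not the speaker's demo rule), here is what a Falco rule in that style looks like: it raises an alert when a process in a container whose image name contains "web" opens a TCP connection to a server port outside a constructed allow-list. The allow-list, the image filter and the rule name are assumptions; Falco itself only emits the alert, and forwarding to a SIEM or blocking the offender is done by its integrations (for example Falcosidekick).

```yaml
# Added example in Falco rule syntax; ports, image filter and names are constructed.

# Ports the web application is expected to talk to (constructed allow-list).
- list: web_allowed_server_ports
  items: [80, 443]

# A successful (or in-progress) outbound TCP connect from any process.
# Loopback is excluded so local health checks do not fire the rule.
- macro: outbound_tcp_connect
  condition: >
    evt.type = connect and evt.dir=< and fd.l4proto = tcp
    and (fd.typechar = 4 or fd.typechar = 6)
    and fd.sip != "127.0.0.1"
    and (evt.rawres >= 0 or evt.res = EINPROGRESS)

# Behavioral rule: a "web" container reaching a port it never uses normally.
- rule: Unexpected outbound port from web container
  desc: >
    A process in a container whose image repository contains "web" opened a
    TCP connection to a server port outside the application's allow-list.
  condition: >
    outbound_tcp_connect
    and container.id != host
    and container.image.repository contains "web"
    and not fd.sport in (web_allowed_server_ports)
  output: >
    Unexpected outbound connection from web container
    (user=%user.name command=%proc.cmdline connection=%fd.name
     container_id=%container.id image=%container.image.repository
     pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [network, behavioral, constructed_example]
```

Tuning the allow-list against a week of normal traffic before enabling the rule keeps the alert volume meaningful; the `%fd.name` field in the output gives the analyst the exact source and destination of the connection.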

In conclusion, WAX CONF 2023 was an incredible gathering of professionals and experts in the fields of DevSecOps and cybersecurity.

Participants had the opportunity to learn, exchange ideas, and connect, all with a focus on continuous improvement and technological innovation.

We can't wait to return next year for another dose of learning, inspiration, and sharing!

Lionel GAIROARD

DevOps Practice Leader
