This repository:
- deploys the full IBM Blue Compute shop, consisting of 10 microservices, into an OpenShift cluster with a single command;
- installs OpenShift Pipelines (based on Tekton) to perform builds, deployment and various tests.
The purpose is to measure various quality aspects while an application is built on OpenShift, and to break the build when necessary to ensure a quality outcome.
The agenda for the security workstream is self-paced, with a series of video presentations and hands-on labs to complete. Please use the links provided in the table below. The timings give you guidance on the duration of the session. If you need any assistance, please access the Slack Channel you have been provided a link to in the Prevail stream session.
Topic | Start Time (UTC) | End Time | Link |
---|---|---|---|
Overview/Agenda of the Workshop | 11:30 | 11:40 | 1. introduction-security-stream |
Container & Orchestration security theory | 11:40 | 13:05 | 2. Container & Orchestration security theory |
Lunch break | 13:05 | 13:45 | - |
Walkthrough of the labs and tools | 13:45 | 13:50 | lab-intro |
Deploy base BlueCompute app from template | 13:50 | 14:30 | lab1 |
Optional: Review Security Issues; Examine Deploy tools and pipelines | 14:30 | 15:00 | Optional: lab2 lab3 |
Deploy and scan base images | 15:00 | 15:30 | lab4 |
Wrap-up and Q&A | 15:30 | 16:00 | Prevail session stream |
The agenda for the security workstream is self-paced, with a series of video presentations and hands-on labs to complete. Please use the links provided in the table below. The timings give you guidance on the duration of the session. If you need any assistance, please access the Slack Channel you have been provided a link to in the Prevail stream session.
(Video links will be published at the end of day 1)
Topic | Start Time (UTC) | End Time | Link |
---|---|---|---|
Recap of day 1, outlook into day 2 | 10:20 | 11:40 | prevail2021-sec-d2-1-intro |
Security Lab 1 - Detect app vulns using OWASP Dependency Check and SonarQube | 11:00 | 12:00 | prevail2021-sec-d2-2-lab1-sca-sast |
Security Lab 2 - Detect container vulns using StackRox in the pipeline | 12:00 | 12:45 | prevail2021-sec-d2-3-lab2-scan |
Lunch Break | 12:45 | 13:30 | - |
Security Lab 3 - Detect container vulns using StackRox to monitor the cluster; Review remediated security issues | 13:30 | 15:00 | prevail2021-sec-d2-4-lab3-runtime |
Wrap-up | 15:00 | 15:30 | prevail2021-sec-d2-6-close |
You must run all of these setup tasks in order:
Aspect | Description | Estimate |
---|---|---|
1. Deploy | Deploy the IBM Blue Compute shop | 15 minutes |
2. Examine | Could there be trouble? | 15 minutes |
3. Tools Setup | Setting up the tools | 15 minutes |
4. Tools Images | Loading the tool rack | 30 minutes |
Once the Blue Compute shop and the toolchain are up and running (tasks 1-4 above), you can choose to explore various aspects:
Aspect | Build Breakers based on | Estimate |
---|---|---|
Security.0 | Intro to the security labs course | 5 minutes |
Security.1 | Detect application vulnerabilities using OWASP Dependency Check and SonarQube | 45 minutes |
Security.2 | Detect application and container vulnerabilities using StackRox pipeline scanning | 45 minutes |
Security.3 | Detect and inspect container runtime security concerns using StackRox | 45 minutes |
Functionality.1 | Verify functional requirements using JMeter | 15 minutes |
Functionality.2 | Verify functional requirements using Selenium | 45 minutes |
Performance.1 | Verify performance requirements using JMeter and Grafana | 45 minutes |
Availability | Be prepared for turbulent conditions: test your application's availability potential using chaos engineering and OpenShift Service Mesh | 90 minutes |
Aspect | Description |
---|---|
Nuts and Bolts | For nuts and bolts lovers |
Follow the mandatory preparation.