Thursday, October 24, 2019

ATO 2019 - an event report

ATO 2019 was a good year.

For a number of years now, each October, thousands of technical folks converge in Raleigh for All Things Open. The "all things" includes a lot of developers talking about opensource platforms, tools, stacks, and applications but it also includes topics on open hardware, open government, open education, and building communities in addition to projects and products.

For a couple of years, I felt there was too much of a programmer focus for me and I wasn't finding new things in the community tracks. It is local though and so with expectations set, I continue to support a great  conference and enjoy the hallway track with a number of people I "see" mostly online even though I was not previously finding a lot of talks for my sysadmin or infosec interests.

I know several local people that have not attended the past couple of years because of this trend and I bring it up because this year was a bit different. While I attended expecting to once again content either repetitive (of other years and other conferences) or too dev focused, I was pleasantly surprised. There were full tracks both days for Security and Linux/Infrastructure. [1]

I attended a few of the security sessions, two that stood out were:

Prepping for the Zero Day Attack 
Eric Starr discussed a CI/CD pipeline that includes checking for vulnerabilities with both source code analysis and container scanning. He shared experiences where unit tests were disable "to speed up the deployments" which later turned into disasters. He was practical in his approach where some of the scans take hours to run. If the deployment or test cycle is shorter than a day, maybe those scans get run daily instead of with each change but do NOT eliminate them just because they take too long! He mentioned tools that work for his project but regularly pointed out what type of tool it was and that the specific tool used is not important. I would add that the best or right tool is any one you will use though you may be limited by what will work in your environment.

Insecurities and Vulnerabilities: How to Keep the National Vulnerability Database Current
I really enjoyed this one! Rob Tompkins shared his experience reporting CVE as part of an opensource project security team. When I teach about tools such as openscap and Red Hat Insights which include information from the NVD and then suggest remediations, it is helpful to understand how the information gets into this database. This example along with a talk from OSCON years ago about reporting embargoed security issues helps me also explain how an administrator should go about reporting a suspected vulnerability with correct documentation. This is a topic I am now adding to my "write and article on this" list.

Next door, at the Linux/Infrastructure room, by title, I would be interested in Getting Started with Flatpak and possibly Platform Agnostic and Self Organizing Software Packages . Also the What You Most Likely Did Not Know About Sudo…  and maybe the Terminal Velocity: Work faster in your shell  talks.

With these tracks, I would encourage a few of my more "Ops" friends to rethink attending this conference, especially if they are local to the area. I also have some new ideas for articles to write and possible presentations at future events.

Oh, they also have great book signings scattered across both days!


[1] Note: at the time of writing the URLs for the tracks were for the current year. At some time in the future these will be replaced with the next year tracks. I do not know if they will be archived. I was able to submit the parent tracks page for the wayback machine.

No comments: