DevOpsDays Chicago 2022: Cloud security, hacking containers, community, and more

I was thrilled to attend DevOpsDays Chicago 2022 as my first personal event as a Developer Advocate at GitGuardian. I’m so excited to share with you all about this horrific event that took place from September 21 to 22 at The Isador and Sadie Dorin Forum at the University of Illinois, Chicago. Over 350 attendees, vendors, and volunteers gathered to take stock of the state of DevOps and share our knowledge and love of building in the cloud.

DevOpsDays Celebrates 8 Years of Chicago

Chicago is a city in the middle of everything, not just geographically. It is also home to several corporations and a vibrant technology community. DevOpsDays Chicago brought together developers, operations teams, SREs, and InfoSec leads to share their knowledge and experiences with the goal of helping us all adopt better DevOps best practices and be more secure.

Due to the pandemic, DevOpsDays Chicago moved to a one-day virtual event in 2020 and was canceled in 2021. The absence really warmed the heart, as each participant I spoke to noted how happy they were that the event had returned. The community of DevOps professionals was eager to share stories and appreciations about the challenges of modern cloud-native software development and newly learned best practices.

For those who weren’t able to make it in person, most of the programs were also streamed for free. DevOps professionals from around the world were able to tune in live for single tracks of 30-minute talks, short, 5-minute Ignite talks, as well as afternoon workshops, which included mine.

DevOps Chicago Session Photo

Open Spaces Make DevOpsDays a Unique Event

There was an important part of the event that was not shared on the live stream: the open space portion of DevOpsDays. This is one of the biggest reasons the people I personally spoke to gave for participating in the event. Open Spaces are one way to run an “unconference”, where the agenda is set by conference attendees, and sessions run as small, interactive group discussions in breakout rooms.

It starts with the attendees volunteering subjects of interest. Some of this year’s topics included: achieving amazing observability, the DevOps feedback loop, book recommendations, chaos engineering, GitOps in practice, and even volunteering and running for DevOpsDays.

After collecting the suggested topics, the organizers allocate breakout rooms and fit everything within the allotted time slot. While on the surface it may seem a little chaotic that conference attendees have to self-organize in roundtable discussions, it’s actually a fairly easy process, thanks to a few simple rules:

  1. The people who appear are the right people.
  2. Anything can happen anytime.
  3. Whenever it starts is the right time.
  4. When it’s over, it’s over.
  5. Law of Mobility – If you want to move to another open space, move on.
  6. Bring your best self.

I think it’s a really great way to let people share their knowledge and experiences. I really learned a lot during Open Space. I hope more events take this non-convention approach as it is a very empowering experience for all involved.

open space board photo

Container Security Conversation on DevOpsDays

The sessions covered a wide range of very interesting topics, from Leslie Cordero’s “Effective Overview in Microservices Architecture” to Abby Allen’s “Parenting Makes Me a Better Product Manager”. All were great and well delivered by the speakers. A key thread that went through a lot of conversations, including many of my own, was container security. While every talk is worth watching, I will highlight a few talks that turned out to clarify the security discussions underlying the program.

Developers are securing their clouds

During his speech “Stories from the Trench – Democratizing Security with Modern Development”, Akash Shah, CTO of Oak9, asked attendees holding the title of full-time security engineer to raise their hands. Not a single hand was raised. Then he asked who was a DevOps engineer, and almost everyone got up. The room was filled with DevOps professionals very concerned about security!

In his speech, Akash discussed the AAA model of how security for devs should be set. While he goes into more detail in his point, those A’s stand for:

  • Accessible – translate security best practices into user stories; avoid jargon
  • Actionable – fit security into sprints instead of 40+ page requirement documents
  • Applicable – understand business use cases; action plan based on reality

It can be overwhelming to think of all the possible ways to approach security, but keeping those AAAs in mind when discussing and implementing security solutions can help everyone work smarter and safer. It’s important to put user stories and business use cases front and center of the discussion, especially when containers and tools like Kubernetes rapidly increase the complexity of modern cloud-native architectures.

He also warned that it is tempting to “just dump another tool” to deal with security issues. While tools are absolutely essential, he advocated a mindset focused more on developer productivity, where continuing education and better collaboration between security and development teams are more important than any single piece of technology.

DevOps Chicago Sessions Photo: Developer Champions Program

Learn how to hack containers

Eric Smalling, Developer Advocate of Snyk, gave one of the most chilling and eye-opening workshops ever, titled “Hands-on Hacking Containers and How to Stop It”. Instead of just a lecture on best practices, Eric showed us how a hacker can systematically peek through a container, elevating privileges over the container, its own namespace, and potentially an entire cluster!

He did this securely against a demo environment set up using Snyk Labs’ Kubernetes Goof repository. The repo’s About section reads: “Kubernetes is Stranger Danger.” It is a free and open source tool that you can use to learn how Kubernetes clusters can be attacked and show why some best practices need to be implemented.

He pointed out that one of the big dangers was how often people forget to set the correct permissions for the namespace. It’s much easier to give full access rights to namespaces while treating them like private, secure spaces, even though they can contain scripts that contain secrets. If those are accessed, it can potentially cause disaster for the entire cluster and application.

Another dangerous threat was container privilege escalation. Once a bad actor knows they can escalate privileges, they will take as much ownership as they can, which may be the “world” for your application. He insisted that if there was one major conclusion to be drawn from his speech, it would be “don’t allow an escalation of privilege!”
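A defender can check a cluster for the pod settings behind that advice. The script below is an added example, not code from the workshop or the Kubernetes Goof repo; it assumes pod data in the shape that `kubectl get pods -A -o json` returns, and the sample pods are constructed.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web"},
   "spec": {"containers": [
     {"name": "app", "securityContext": {"privileged": true}}]}},
  {"metadata": {"namespace": "shop", "name": "api"},
   "spec": {"securityContext": {"runAsNonRoot": true},
            "containers": [
     {"name": "api", "securityContext": {"allowPrivilegeEscalation": false}},
     {"name": "sidecar"}]}}
]}
""")


def audit_pod(pod):
    """Return (pod, container, issue) tuples for settings that leave
    privilege escalation possible inside a container."""
    meta, spec = pod["metadata"], pod.get("spec", {})
    pod_id = f'{meta.get("namespace", "default")}/{meta["name"]}'
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append((pod_id, c["name"], "privileged: true"))
        # Unset means no_new_privs is not applied, so setuid binaries can
        # still gain privileges; only an explicit false is safe.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((pod_id, c["name"], "allowPrivilegeEscalation not false"))
        # Container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((pod_id, c["name"], "runAsNonRoot not true"))
    return findings


def audit(pod_list):
    """Audit every pod in a kubectl-style List object."""
    return [f for pod in pod_list.get("items", []) for f in audit_pod(pod)]


if __name__ == "__main__":
    for pod_id, container, issue in audit(SAMPLE):
        print(f"{pod_id} [{container}]: {issue}")
```

On the sample, the `sidecar` container is flagged even though its pod sets `runAsNonRoot`, because `allowPrivilegeEscalation` has to be set to `false` on each container.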

DevOps Chicago Presenter Photo

Integrating Security into the DevOps Culture

Building DevOps isn’t something you can buy off the shelf; it’s about adopting the right culture and methodology before investing in the technology. Similarly, if you look at security only as an add-on and don’t address the culture or methodology, you can never fully deliver DevSecOps, according to Daniel Kim, senior developer relations engineer at New Relic, in his speech “Building Security into the Massive DevOps Pipeline.”

“We can’t just keep an audit at the end” when shipping features: we need to think about security at every stage of the SDLC.

We can do this from the very beginning by defining the threat model in the planning phase and bringing it to the security team while the application still exists on a whiteboard. During the coding phase, developer errors can be addressed by applying the right tooling. His example was hardcoding secrets, which can be prevented by using git hooks.
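A git hook of the kind mentioned above can be a short script saved as `.git/hooks/pre-commit`. This is an added example, not code from the talk or from any scanning product; the three rules are illustrative assumptions and the sample diff is constructed.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

# Illustrative rules only; dedicated secret scanners ship far more detectors.
RULES = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded credential": re.compile(
        r"""(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*["'][^"']{8,}["']""", re.I),
}

# Constructed sample diff; the key is the example value from AWS documentation.
SAMPLE_DIFF = '''diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,0 +11,2 @@
+DB_PASSWORD = "correct-horse-battery"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
@@ -20 +22 @@
-password = "old-secret-value"
+password = os.environ["DB_PASSWORD"]
'''

def scan_diff(diff_text):
    """Return (path, line_no, rule) for each added line matching a rule."""
    hits, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = None, False
        elif line.startswith("@@ "):
            # "@@ -a,b +c,d @@": c is the first line number in the new file.
            line_no, in_hunk = int(re.match(r"@@ -\S+ \+(\d+)", line).group(1)), True
        elif not in_hunk:
            path = line[6:] if line.startswith("+++ b/") else path
        elif line.startswith("+"):
            hits += [(path, line_no, n) for n, rx in RULES.items() if rx.search(line[1:])]
            line_no += 1
        elif line.startswith(" "):
            line_no += 1  # context lines also exist in the new file
    return hits

if __name__ == "__main__":
    # Scan only staged changes: that is exactly what the commit will contain.
    cmd = ["git", "diff", "--cached", "--no-color"]
    found = scan_diff(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)
    for path, line_no, rule in found:
        print(f"{path}:{line_no}: possible {rule}", file=sys.stderr)
    sys.exit(1 if found else 0)  # non-zero exit makes git abort the commit
```

The file must be executable for git to run it. Because `git commit --no-verify` skips hooks, the same scan should also run in CI.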

Catching problems early will help ensure that your build and deployment go as planned. Adding security testing through the build phase to your CI/CD pipeline means the security team will not be seen as a blocker that needs to perform a full security audit per build. One of the tests that Daniel discussed in depth was software composition analysis, which ensures that dependency libraries do not present threats.

Daniel also addressed a larger area of concern for developers and security: the rapid development of tools and the threats that come with them. While containers and Kubernetes allow us to build amazing things at scale, we must recognize that legacy security tools and approaches, such as firewalls, often do not correspond to reality. This is where incorporating security into your DevOps culture comes in: the more security teams are part of the development plan, the easier it is to identify potential threats and apply the best tools to keep everyone safe.

DevOps Chicago Daniel Kim Photo

Learn from each other

I had a blast at DevOpsDays Chicago 2022. My workshop, “Git – Beyond Just Coming”, was great for teaching people some advanced git, but I think the biggest learning in the whole event came from the conversations in the hallway track and during the open space. I know I walked away with a newfound appreciation for topics like GitOps automation and container egress testing.

Congratulations to the awesome organizing team and volunteers for making DevOpsDays 2022 a personal one. It was a lot of work and is greatly appreciated by the community!

DevOps Chicago attendees and yak photo

Although we can’t all agree on the particular tools or what we mean by Chicago Style Pizza, we all agreed that the future is DevOps and security is something we all need to keep discussing. I look forward to continuing that conversation at next year’s DevOpsDays Chicago and other events, perhaps with you soon!
