From YouTube: Keynote: DevSecOps in the US Air Force - Nicolas Chaillan, Air Force Chief Software Officer, USAF
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Keynote: DevSecOps in the US Air Force - Nicolas Chaillan, Air Force Chief Software Officer, US Air Force
In this session, Mr. Nicolas Chaillan will share how the US Department of Defense is embracing DevSecOps to drive innovation and digital modernization within the Department. This will showcase how any organization can leverage Kubernetes and Istio to deliver value at the speed of relevance.
Hi KubeCon, and thanks for joining us today to talk about the DoD Enterprise DevSecOps Initiative with Platform One. Pretty excited to be back and share with you some of our two-year journey up to today.

Let's get started. So, as you can see, the DoD Enterprise DevSecOps Initiative is a joint team across the Department of Defense. The goal is to bring enterprise services with Cloud One and Platform One. Cloud One is our cloud office to connect to both Amazon and Azure and be cloud agnostic, and Platform One is the DevSecOps team that's focused on bringing Kubernetes and the Istio service mesh and the hardened security that we need to bring a CI/CD pipeline, bringing that hardening and modularity component to enable reuse across the department. We're mandating and using CNCF-compliant Kubernetes clusters and OCI-compliant containers as Lego blocks, so we can be more efficient in the creation of systems and weapons, effectively.

We are bringing this as a DoD-wide DevSecOps managed service, with all the collaboration tools, development tools and cyber tools that we need to be able to produce software that's not only doing what it's supposed to be doing, but also with that baked-in security and zero trust. Some of the key tenets of what we do: it's GitOps, everything is in Git, obviously; everything is cloud native; zero trust is baked in, with also that behavior-focused monitoring, detection and prevention capability as well.

We're not going to have the time to talk about zero trust, but we have a whole video on our website. We'll put the link at the end of the presentation for you to check it out. It's covering the north-south and east-west traffic zero trust enforcement, and device enforcement for our employees and contractors as well.

Now, you know, we also created Iron Bank, which is the open source container registry where we harden and secure 450 containers, both open source and commercial tools, so they can be consumed with hardened configurations and hardened operating systems.

We use Universal Base Image 7 and 8 from Red Hat as well. Like I said, we created this Sidecar Container Security Stack that's doing that behavior detection and zero trust down to the container and all the way to the function level, if people are using things like Knative on Kubernetes as well. And self-learning capabilities are foundational for the success of the department, so we have about 100,000 people we have to train every year, so we want to bring this state-of-the-art DevSecOps curriculum with unbiased content.

We see a lot of companies pushing their one-size-fits-all content training, and we want to really make sure we have options.

So we are partnering with the Linux Foundation, the Cloud Native Computing Foundation, O'Reilly Books, to bring a broad and diverse set of training content, so we're not pushing for a single product or cloud. Everything we do is about metrics and acceptable thresholds in the CI/CD pipeline to break the build for safety reasons, for security reasons, and we created the concept of a continuous Authority to Operate, cATO, that enables us to release software multiple times a day. Pretty exciting to see in the department as well.

So in 2019 we talked about how we built these pretty cool simulators, and then we showed you that in 45 days we put Kubernetes and Istio on F-16 jets. Pretty exciting to see. And then, you know, we created Platform One to become that central team.

That is helping all these DoD programs and science and technology partners, contractors, startups and non-traditional venture groups and other agencies as well. That turned into a broad software ecosystem all over the United States, with teams focused on different missions, from space to nuclear systems, to jets, to bombers, to business systems, to cyber offense and defense, and we ended up creating a bunch of services.

One, for example, is Repo One. That's where we put all the container source code and Infrastructure as Code, all the Kubernetes distributions that we hardened, and so you can go and check out all that open source code on repo1.dso.mil. And then we have, like it talks about, the Iron Bank and Registry One, which is our container registry where we have 450-plus containers available, centrally rebuilt, signed and scanned with three scanners, and we provide the body of evidence of all the CVEs and all the mitigation done.

You can see Iron Bank on ironbank.dso.mil, and Registry One is registry1.dso.mil. Those are free services that we provide for the department, but also we open sourced all of that as well. We also hardened multiple CNCF-compliant Kubernetes distributions. We partnered with multiple companies that do business with the department, including Rancher, Konvoy, VMware TKG, AWS EKS, Azure AKS and, of course, Red Hat OpenShift as well.

So you can check out the Kubernetes matrix. We created this comparison matrix to compare Kubernetes distributions in terms of features and capabilities, looking at a lot of details, so I think it's very interesting even for commercial customers to take a look at that matrix to see how to pick a distribution based on your needs. So a lot of great information there as well.

Now, we created two main services, Party Bus and Big Bang. Party Bus is our multi-tenant DevSecOps service that we accredit, we run as a service, and our development teams in DoD can go and use it. It's a development, test, staging and production environment at different classification levels. And then we have the Big Bang, and the Big Bang is also completely open, so check it out.

If you Google "Platform One Big Bang", you're gonna see on Repo One the entire code base of Big Bang. That's our Platform One on-demand, push-button deployment, so you can instantiate a dedicated enclave on demand just by deploying Big Bang using complete automation. Again, we're following GitOps, so you can take that code from Repo One and all the Infrastructure as Code configurations, and then you can even contribute back to us. We have all the foundational blocks of Big Bang, but you can also create add-ons.

So if you have a great capability, if you're a commercial company, you can get your container approved on Iron Bank. There's an onboarding guide for containers. So if you have a container you want to get approved for DoD use, all the way to the highest classification level, we streamlined that process to two to four weeks now, so it's very easy to do business with the Department of Defense.

You can go on Iron Bank, get your container accredited, and then you can even create an add-on on Big Bang to have a full GitOps instantiation, whether it's a Helm chart or Kustomize, to instantiate whatever product that you're building on top of Big Bang. For example, it could be a Kubeflow instantiation, or a Knative instantiation. You can pick your product of choice and create add-ons on top of Big Bang to instantiate that anywhere.

We ran on jets, bombers, on premise, at the edge on different hardware, from legacy 20-year-old hardware to cloud native capabilities, all the way to air-gapped clouds as well. So check out Big Bang. It's completely open tools and we'd love to get your feedback on what we've done. Now, we obviously invest a lot of time and money in training and, like I said, we have a hundred thousand people to train.

So we created this portal, which created content partnered with the Linux Foundation, CNCF and O'Reilly Books, but we also did workshops, right, so we can onboard companies that are trying to do business with the department, or have engagements with programs within the Department of Defense, or apply for grants to do business with the Department of Defense. We have AFWERX, which is our grant mechanism, the venture arm of the Air Force, to partner with startups and to do business with the Department of Defense.

So please check it out. But we do three-day workshops all the way to two-month full onboarding that helps teams get started with DevSecOps that have never done DevSecOps before, for DoD programs that are moving from waterfall all the way to DevSecOps, so we can embed Platform One people into their teams, and that really is what makes it more efficient to collaborate and have a successful minimum viable product built within six weeks to two months.

We also created a lot of different services with our cloud native DNS, so we use CoreDNS to move the .mil, the dso.mil, hosted on Kubernetes using CoreDNS, completely managed as configuration as code or policy as code using Git merges. So that's exciting to see as well, all hosted on Platform One infrastructure.

We also do all the identity management, single sign-on and PKI. We use Keycloak for single sign-on. It's all provided as a service by Platform One, where we have multiple multi-factor authentication options. We can do both personal entities, so human authentication, and non-personal entity authentication using X.509 certificates.

We use Vault to manage our PKI, and that brings us that cloud agnostic, native, elastic capability that can be hosted anywhere. Again, everything we do is GitOps driven, so push-button instantiation of all these different products is very easy for us, and of course we then use these capabilities to do code signing and continuous signing, and NPE and PE authentication as well.

Some of the great stories we announced this year and last year is that the Department of Defense, particularly the Air Force and Space Force, are now using Kubernetes and Istio for all new work, but also bringing it to existing platforms, including the U-2 jet, for example, that is multiple decades old, but yet we're able to not only put Kubernetes and Istio on the jet, but also fly it with over-the-air updates received while flying. We deployed Big Bang. Like I said, the Big Bang open source code can be used anywhere, air-gapped or on clouds.

In this case, we put it on the jet in 12 days and we flew the jet with Kubernetes and Istio. With our hardened Big Bang deployment, we were able to receive over-the-air updates and run AI and ML capabilities completely containerized on hardware that used to be running, you know, Ada and C code, now moving to Python and Go and other languages.

So it's pretty exciting to see some of the great Platform One metrics. We have now about, I would say, 270 people in the team. A majority of the team is comprised of contractors, but we have also military and civilian personnel.

We have, like I said, the Big Bang and the Party Bus. Big Bang can be instantiated anywhere, so we have hundreds of those now across the department, and also outside of the department. We see a lot of commercial organizations starting to take Big Bang and use it for their DevSecOps work. For example, Lockheed Martin just announced they're going to use Big Bang for all of Lockheed, not just DoD work, for all DevSecOps teams. So that's going to be a big enabler to move fast.

We have 454 containers on Iron Bank, and the Party Bus now has 3,200 developers on it with 2,500 microservices built, and that's just within the last seven months. 41 applications in production, 209 teams on Party Bus. The CNAP is our Cloud Native Access Point. That's our zero trust ingress/egress to the cloud to enforce the device state and the user identity, and based on the compounded risk of the device and the user, with whitelist access to resources.

So we have a full video on the website for you to check out information about our zero trust model, so check it out. We have now 20,000 active users on the Cloud Native Access Point. And in terms of our DORA metrics, we release about 21 times a day in production, with under two days for lead time, and under 15 minutes for time to restore, and under five percent change failure rate, which is a good beginning, but that's not good enough. We want to obviously continuously improve and do better, but it's a great starting point for our government organization.
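As an added example (not Platform One's code), the four DORA metrics named above computed from a constructed set of deployment and incident records, then checked against gates set at the values the talk reports; the records and the choice of those values as gates are assumptions.

```python
from datetime import datetime
from statistics import median


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample records, not real Platform One data.
# Each deploy: (commit time, production deploy time, caused an incident?)
DEPLOYS = [
    (ts("2021-05-03T08:00"), ts("2021-05-03T16:00"), False),
    (ts("2021-05-03T09:00"), ts("2021-05-03T18:30"), False),
    (ts("2021-05-04T07:15"), ts("2021-05-04T10:00"), True),
    (ts("2021-05-04T08:00"), ts("2021-05-04T11:45"), False),
    (ts("2021-05-04T09:00"), ts("2021-05-05T12:00"), False),
    (ts("2021-05-05T06:00"), ts("2021-05-05T09:00"), False),
]
# Each incident: (start of outage, service restored)
INCIDENTS = [(ts("2021-05-04T10:05"), ts("2021-05-04T10:17"))]

# Gates assumed here from the figures reported in the talk:
# ~21 deploys/day, lead time < 2 days, restore < 15 min, change failure < 5%.
THRESHOLDS = {"deploys_per_day": 21.0, "lead_time_hours": 48.0,
              "restore_minutes": 15.0, "change_failure_rate": 0.05}


def dora_metrics(deploys, incidents):
    """Deployment frequency, lead time, time to restore, change failure rate."""
    days = {deployed.date() for _, deployed, _ in deploys}
    lead_hours = [(d - c).total_seconds() / 3600 for c, d, _ in deploys]
    restore_min = [(end - start).total_seconds() / 60 for start, end in incidents]
    return {
        "deploys_per_day": len(deploys) / len(days),
        "lead_time_hours": median(lead_hours),
        "restore_minutes": median(restore_min) if restore_min else 0.0,
        "change_failure_rate": sum(failed for *_, failed in deploys) / len(deploys),
    }


def gate(metrics, thresholds=THRESHOLDS):
    """Return the metrics that miss their gate (empty list means the gate passes)."""
    failing = []
    if metrics["deploys_per_day"] < thresholds["deploys_per_day"]:
        failing.append("deploys_per_day")
    for name in ("lead_time_hours", "restore_minutes", "change_failure_rate"):
        if metrics[name] > thresholds[name]:
            failing.append(name)
    return failing
```

With the constructed records the sample team restores fast and ships with short lead time but misses the frequency and change failure gates, which is the kind of result a pipeline would surface before the build is allowed through.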
No doubt. Now, you know, a lot of people ask us, okay, but, you know, we want to learn more and check this out. Well, you want to go to the Chief Software Office website at software.af.mil. Under DSOP documents you're going to find all our videos and documents, including the zero trust video.

You want to just go on login.dso.mil, create an account, and then you can log in into Registry One and be able to see a hub with Harbor for the container registry. So go on Harbor and check out the different containers we have, and you can go to Repo One and see the Dockerfile, so you can see what kind of hardening we do for each container.

Of course, if you see improvements that can be made, please push merge requests to Repo One, so we can improve the containers and get better as a team. And of course we do events, we do a lot of live discussions where we take questions live from the audience every month. So if you have questions, you want to talk more, please check it out. Like I said, with a whole video on zero trust, each of these products has deep dives on how to partner, how to be part of this.

We are also announcing a contract vehicle that will enable companies to take some of that code and effectively create a commercial service around it. So if you want to help companies to harden containers on Iron Bank, if you want to deploy your SaaS capability in the Department of Defense, you can do that through that vehicle. If you want to maybe get some of your products containerized and hardened in Iron Bank, so they can be deployed in DoD, and then sell licenses, right, for consumption to create more revenue for your company, you can do that.

It's very easy to follow the consumer onboarding guide on Iron Bank to get your container approved for DoD use. It's not like it used to be 10 years ago. Like I said, we streamlined the whole process for startups to do business with the department, so you can even get grants with no equity given.

So please check all this stuff out, check AFWERX. It's spelled A-F-W-E-R-X. You're gonna see all of the grants and how to apply to be part of that grant cycle, which is every quarter. So please come and share with us, give us feedback, see what we could improve. What can we do better in security?

Like I said, we do a lot of behavioral detection and context monitoring, and we use Istio for our service mesh today, so love to get your feedback on what we can improve. If you have any questions, please shoot us an email at af.cso@us.af.mil. Looking forward to hearing from you guys, and stay safe and stay tuned for what's coming next. Thanks for your time.