#simplifyYourBusiness: Wir teilen unser Wissen zu den Themen Software-Modernisierung und Entwicklung
Im Februar war es wieder soweit – am 26.02.2025 haben sich Entwickler:innen, DevOps-Spezialist:innen und IT-Interessierte versammelt, um sich über aktuelle Trends und Best Practices im Cloud-Native-Bereich auszutauschen.
Auch dieses Mal dürften wir uns auf zwei hochkarätige Speaker freuen: Christoph Ruhsam, Tech Lead für das Auto-Update Service bei Gepardec und Damjan Gjurovski, CTO bei Posedio, teilten ihr Wissen über moderne Automatisierungstechniken in CI/CD-Pipelines sowie Zero Trust Security in Cloud-Native-Architekturen.
- Auto-Update Service
- Cloud Native
- Events & Meetups
- Software-Modernisierung
Cloud Native Meetup Linz #2
Im Februar war es wieder soweit – am 26.02.2025 haben sich Entwickler:innen, DevOps-Spezialist:innen und IT-Interessierte versammelt, um sich über aktuelle Trends und Best Practices im Cloud-Native-Bereich auszutauschen.
Auch dieses Mal dürften wir uns auf zwei hochkarätige Speaker freuen: Christoph Ruhsam, Tech Lead für das Auto-Update Service bei Gepardec und Damjan Gjurovski, CTO bei Posedio, teilten ihr Wissen über moderne Automatisierungstechniken in CI/CD-Pipelines sowie Zero Trust Security in Cloud-Native-Architekturen.
Automatisierung in CI/CD: Kein Platz für manuelle Updates
Den ersten Vortrag des Abends hielt Christoph Ruhsam, unser erfahrener Software Engineer und DevOps-Spezialist. Er stellte seine Lösungen vor, wie Microservices automatisch aktualisiert werden können und Sicherheitslücken effizient geschlossen werden können. Besonders spannend war sein Ansatz mit OpenRewrite, das über klassische Tools wie den Renovate Bot hinausgeht.
Für alle, die nicht dabei sein konnten, gibt es hier die Aufzeichnung:
Video-Transkript hier.
Designing Zero Trust Systems
Nach einer kurzen Pause folgte der zweite Talk von Damjan Gjurovski, CEO/CTO von Posedio. Sein Thema: Zero Trust Security – eine Herangehensweise, die klassische Netzwerksicherheit hinter sich lässt. Er erklärte, warum Zugriffsrechte in Cloud-Native-Systemen ständig überprüft werden müssen und wie Unternehmen Security by Design in ihre Architektur integrieren können.
Video-Transkript hier.
Wir freuen uns schon auf das nächste Cloud Native Linz Meetup! 🚀
Willst du Zeit und Geld beim Update sparen?
Wir freuen uns auf deine Kontaktaufnahme.
Bist du der Lese-Typ?
… dann haben wir die Talks für dich in Schriftform.
[Introduction]
A warm welcome to everyone! First, I’d like to thank our host, gepardec, for providing the food, drinks, and this great location for our meetup. It’s great to see so many of you here today.
I’m Christoph Kofler, and on my business card, my title is „Mountain Guide for Software Modernization.“ What does that mean? Well, gepardec is all about software modernization, and just like a mountain guide helps you reach your summit, I help organizations navigate the challenges of modernizing their software.
One of the most critical aspects of software modernization is keeping your custom software up to date. That’s exactly what Kristoph will discuss in his talk today—how to automate this process efficiently.
There are two main reasons why keeping software and dependencies up to date is so important:
- Security – Many vulnerabilities exist in outdated dependencies. Today, roughly 60% of an application’s code comes from dependencies, and if these aren’t regularly updated, they pose a security risk. Attackers often exploit outdated libraries, making it crucial to stay up to date.
- Compliance – The European Union has introduced several regulations to enhance cyber resilience, and most companies are affected. Laws such as DORA, the Cyber Resilience Act, and NIS2 explicitly require businesses to manage their dependencies properly. This is not just a recommendation—it’s mandatory.
With that in mind, let’s welcome Christoph, who will present his talk on auto-updating custom software to make your life a little bit easier!
[Presentation by Christoph Ruhsam]
Hello everyone, and welcome to my presentation on auto-updating custom software. My name is KChristoph Ruhsam, and I work at Gepardec IT Services. So far, I’ve successfully implemented our auto-updating service for two customers, and I’m excited to introduce this innovative technology to you today.
At gepardec, we develop custom software solutions tailored to our clients’ needs. Many of our customers operate large-scale microservice architectures that require frequent updates. Manually updating dependencies is time-consuming, and often deprioritized because, well, if it works, why change it? But over time, this approach leads to outdated software that falls multiple major versions behind. Eventually, catching up becomes a burden, with developers spending hours debugging, fixing errors, setting up test environments, and resolving unexpected issues.
To solve this, we developed an automated update service designed to keep software up to date regularly, seamlessly, and reliably.
How Can We Accelerate Updates and Reduce Errors?
Our update service integrates Renovate with OpenRewrite recipes to automate version updates while also applying necessary code changes. After the update, our build validation pipeline ensures everything still works as expected. If the build fails, no problem—our system automatically generates a DevSpace link in the pull request. This DevSpace is a fully configured environment where developers can debug, fix, and test the update without even checking out the code locally. It’s efficient, convenient, and developer-friendly.
Additionally, we integrate dependency tracking using Dependency-Track to monitor security vulnerabilities. This allows teams to see which dependencies are outdated and track which vulnerabilities have been resolved with each update.
[Live Demo: Automating Updates with Renovate, OpenRewrite, and DevSpace]
Let’s see this in action with a live demo. We have a Quarkus service running an outdated version, and our goal is to upgrade it while applying necessary code changes.
- Renovate Configuration: We configure Renovate to scan the repository and apply updates. It automatically generates pull requests for outdated dependencies, including those in Docker images and Maven configurations.
- OpenRewrite Integration: Renovate executes an OpenRewrite post-upgrade task, applying migration rules for breaking changes (e.g., migrating from
javaxtojakartain Quarkus 3 updates). - Build Validation: If an update introduces issues, the build pipeline detects failures.
- Automated Debugging via DevSpace: If a failure occurs, our system provides a one-click DevSpace link, launching a fully preconfigured environment with all dependencies set up for easy debugging.
This automation allows developers to resolve update-related issues without needing to set up a local development environment.
Why Is This Useful?
This approach is particularly beneficial for organizations managing large-scale microservice architectures (e.g., 300+ services). Not every developer has each service checked out locally, so setting up an environment for a single update can be tedious. Instead, developers can simply click a link, enter the DevSpace, and start debugging immediately.
Key Benefits
- Faster updates with fewer manual steps.
- Reduced errors through automated validation.
- No need for local setup—developers can fix issues directly in DevSpace.
- Integrated security tracking, ensuring dependencies are always up to date.
- Seamless CI/CD integration, running entirely within the customer’s environment.
Challenges
Setting up the service initially can be complex, as every application landscape is different. We tailor the service to each customer’s needs and integrate it into their CI/CD pipelines (e.g., GitHub Actions, GitLab, Jenkins, Azure DevOps). A key requirement for success is having good test coverage, as automated updates rely on test validation to prevent regressions.
OpenRewrite: Automating Code Changes
OpenRewrite recipes automate repetitive refactorings (e.g., migrating JUnit 4 to JUnit 5). The OpenRewrite catalog contains predefined recipes for various technologies, and teams can also create their own.
Example: Migrating JUnit 4 to JUnit 5
- Add the Rewrite Maven Plugin to the project.
- Specify the migration recipe.
- Run
mvn rewrite:run, and the tool automatically refactors test annotations, imports, and best practices.
Live Demo: Running OpenRewrite to migrate JUnit tests. The tool updates the dependency, refactors annotations, and removes deprecated patterns—all in a single step.
Dependency-Track: Monitoring Security Vulnerabilities
We integrate Dependency-Track into CI/CD pipelines to generate and track SBOMs (Software Bill of Materials). This enables teams to:
- Monitor outdated dependencies.
- Identify security vulnerabilities (CVEs) in real time.
- Track resolution history over time.
- Generate security compliance reports for management.
Automating dependency updates improves security, compliance, and developer efficiency. Our service helps teams maintain up-to-date software without disrupting development workflows.
My GitHub repository is open-source—feel free to explore and try it out! Looking forward to further discussions during networking. Now, any questions?
[Introduction]
Hi, everyone. Thanks for having me. My name is Damjan, and I’m the Head of Technology at Posedio. We’re a relatively young company, founded about three to four years ago, primarily focusing on cloud-native development. You may have seen us around, and I’ve noticed some KCD Austria shirts here, so maybe you caught us at the last event. We specialize in software engineering, infrastructure setup, and DevOps—the full range of services within the cloud-native space.
I started my career as a software engineer. I studied at TVIN and moved to Vienna in 2012, originally coming from Macedonia. My journey began with Java backend development, then transitioned into full-stack development with React and TypeScript. Over time, I moved into DevOps, platform engineering, Kubernetes, and Google Cloud. Currently, my main focus is on building a data platform, working at the intersection of platform and data engineering.
I’ve worked on several large-scale projects in the cloud-native space. One of them involves one of Austria’s largest transaction processing services. If you’re curious about the details, feel free to ask me later—just not on record. Another major project I worked on was an internal developer platform for the same company. Throughout this process, I’ve developed a strong interest in security, particularly how security in the cloud-native space differs significantly from traditional security models.
[Security in the Cloud-Native Space]
Security in cloud-native environments is fundamentally different from traditional perimeter-based security models. Older security approaches focused on network perimeter security—putting up firewalls and assuming everything inside the private network was safe. However, with modern microservices architectures, this approach is no longer sufficient.
Today, services are constantly changing, and their locations and identities are dynamic. The traditional model of segmenting networks into public, DMZ, and private zones does not provide adequate security in cloud-native environments. Firewalls and network segmentation still have value, but they should not be the only security measure relied upon.
This brings us to the concept of Zero Trust security, which follows the principle of “trust but verify.” Instead of assuming that anything inside the perimeter is safe, every request must be authenticated and authorized, regardless of its origin. This ensures security at every level, not just at the network boundary.
[Key Security Concepts]
To establish a shared understanding, let’s define some key security terms:
- Confidentiality: Ensuring that sensitive data is only accessible to authorized users.
- Integrity: Preventing unauthorized modification of data.
- Availability: Ensuring that systems and data remain accessible to authorized users when needed.
To achieve these security goals, we use the AAA model:
- Authentication – Verifying the identity of users and machines.
- Authorization – Determining what authenticated entities are allowed to do.
- Auditing – Keeping track of security events and ensuring accountability.
A crucial lesson I’ve learned is that authentication and authorization are distinct processes. For example, we once assumed that a Google service handled both authentication and authorization for us. However, we later realized that while Google confirmed the identity of users, it did not enforce any authorization policies. This highlights the importance of implementing authorization separately and not assuming authentication providers handle it.
[Establishing Trust]
Security always relies on some form of trust. However, the challenge is determining what can be trusted. Every system needs a root of trust, whether it’s a trusted identity provider, hardware, or cryptographic mechanism. The problem is that trust decisions always involve some level of risk acceptance. There’s an insightful paper from the 70s that illustrates how, in theory, you can never fully trust any software, as everything ultimately depends on the trustworthiness of compilers, hardware, and lower-level systems. That said, we must do our best to mitigate risks, as the alternative—doing nothing—is far worse.
[Human vs. Machine Identities]
Security considerations differ depending on whether we’re dealing with human identities, machine identities, or workload identities:
- Human Identities: Employees, customers, and external users who authenticate via traditional methods (e.g., usernames, passwords, MFA).
- Machine Identities: Servers, jobs, or services that authenticate via service accounts, certificates, or API keys.
- Workload Identities: Cloud-native workloads that dynamically authenticate with short-lived credentials.
Traditionally, network security relied on IP-based identity verification. However, in cloud environments where workloads frequently move, IP addresses are no longer a reliable identity mechanism. Instead, we rely on workload identity solutions that authenticate services dynamically.
[Security Tools and Best Practices]
There are several open-source tools that help implement strong security in cloud-native environments:
- Open Policy Agent (OPA): A policy engine that allows centralized enforcement of authorization rules.
- SpiceDB: Based on Google Zanzibar, this authorization system models relationships between entities in a scalable way.
- Vault (or OpenBao): A secrets management tool that dynamically generates credentials and encrypts sensitive data.
- Istio (Service Mesh): Implements mTLS for secure service-to-service communication.
- Cosign: Ensures container image integrity by verifying cryptographic signatures.
- Falco: Provides real-time security threat detection for Kubernetes clusters.
[Real-World Implementations]
We’ve successfully implemented these security practices in several projects. One example is a multi-tenant financial services platform. Each tenant is completely isolated using Vault, Keycloak, and Kubernetes workload identities. The backend dynamically retrieves database credentials from Vault, ensuring that no credentials are statically stored or shared between tenants.
Another example is an internal developer platform for a large enterprise. Developers deploy workloads to Kubernetes namespaces assigned to their teams. Authentication is managed through Keycloak, and workload identities are used to grant permissions dynamically. To enforce security policies, we use Istio for network segmentation and Vault for secrets management. Additionally, we have automated image scanning and signing to ensure secure deployments.
[Challenges and Lessons Learned]
Maintaining security in cloud-native environments is an ongoing challenge. One of the biggest lessons we’ve learned is the importance of automating security updates. We use tools like Renovate to automatically update dependencies and apply security patches. However, even with automation, human oversight is necessary to ensure that updates do not introduce breaking changes.
Another challenge is balancing security with usability. For example, developers often request access to production environments for debugging. We implemented a privileged access management system where developers must explicitly request access and justify their need, ensuring accountability while maintaining security.
[Conclusion]
Security in cloud-native environments is complex, but by leveraging the right tools and adopting a Zero Trust approach, we can build systems that are both secure and scalable. If you have any questions or want to discuss any of these topics further, feel free to reach out. Thanks for your time!
[Applause]
Schreibe etwas…
Christoph Kofler, Christoph Ruhsam
Das könnte dich auch interessieren:
How We Achieved Fully Automated Dependency Updates With Renovate, OpenRewrite & Red Hat DevSpaces.
Seamless Quarkus Dependency Updates with Renovate, OpenRewrite & Red Hat DevSpaces
Es gibt Dinge, die niemand besonders gern macht. Steuererklärung. Reifenwechsel. Und – ganz oben auf der Liste vieler Entwickler:innen – Software-Updates.
Dabei sind genau diese Updates heute entscheidend. Nicht für irgendeinen Schönheitsfehler. Sondern für’s Überleben. Klingt dramatisch? Vielleicht. Aber wenn man sich anschaut, was aktuell passiert – Cyberangriffe, neue Gesetze, steigende Anforderungen – dann wird klar: Wer nicht regelmäßig pflegt, verliert. Im schlimmsten Fall alles.
Alte Software, neue Haftung?
Code ist kein Beiwerk – er ist dein Wettbewerbsvorteil. In einer Zeit, in der Innovation über den Erfolg deines Unternehmens entscheidet, ist es keine Frage mehr, OB du modernisierst – sondern WIE. In diesem Beitrag erfährst du, worauf es ankommt, wenn du deinen Code zukunftssicher machen willst – basierend auf echten Erfahrungen und klaren Learnings aus der Praxis. Zusätzlich kannst du dir gratis die Studie „Software-Modernisierung im Fokus“ herunterladen 👇
