@RADUVUNVULEA
SECURE APPLICATION DEVELOPMENT
SECURE THINKING INSIDE AZURE
COVID-19 SECURITY IMPACT
https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
250% increase of cyber-attacks in EU
273% increase of large-scale breaches in 2020
47% of individuals fall for phishing scams while working at home
Phishing attacks increased by 350%
February to May 2020: more than 500.000 people globally were affected by breaches where personal data of video conferencing users was stolen and sold on the dark web.
[Charts: INCREASES IN CLOUD WORKLOADS PER REGION; INCREASES IN CLOUD WORKLOADS BY INDUSTRY]
https://www.paloaltonetworks.com/resources/infographics/unit42-covid-19-amplifies-cloud-security-challenges
FINAL THOUGHTS
THANK YOU
@RaduVunvulea
Azure RBAC
Azure role-based access control
Security Principal: User | Group | Service Principal | Managed Identity
Role: Operation type (R/W/C/D)
Scope: Management Group | Subscription | Resource Group | Resource
Role assignment: Assign a security principal | Assign a scope | Assign a role
Role assignment example: Development Group | Contributor | Dev and Playground Resource Group
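The role assignment from the RBAC slide (Development Group, Contributor, Dev and Playground Resource Group), worked through as an added example that is not part of the original deck. It is a simplified model of scope inheritance and of a role's Actions/NotActions, not Azure's own evaluation engine; the subscription ID, resource group names and role lists (abridged) are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abridged control-plane definitions of two built-in roles (illustrative subset).
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # key into ROLES
    scope: str      # subscription, resource group or resource ID


def _matches(patterns, operation):
    # Operation names are compared case-insensitively; '*' is a wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def scope_covers(assigned, target):
    """True if target is the assigned scope itself or one of its children.

    Management-group inheritance needs the group-to-subscription mapping
    and is not modelled here.
    """
    a = assigned.rstrip("/").lower()
    t = target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_allowed(principals, operation, resource_id, assignments):
    """principals: the caller's own ID plus every group it belongs to."""
    for a in assignments:
        if a.principal not in principals:
            continue
        if not scope_covers(a.scope, resource_id):
            continue
        role = ROLES[a.role]
        if _matches(role["actions"], operation) and not _matches(
            role["not_actions"], operation
        ):
            return True  # assignments are additive: one grant is enough
    return False


# Constructed sample data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEV_RG = SUB + "/resourceGroups/rg-dev-playground"
PROD_RG = SUB + "/resourceGroups/rg-prod"
ASSIGNMENTS = [RoleAssignment("Development Group", "Contributor", DEV_RG)]

if __name__ == "__main__":
    dev = {"alice", "Development Group"}
    storage = "/providers/Microsoft.Storage/storageAccounts/stdev01"
    write = "Microsoft.Storage/storageAccounts/write"
    grant = "Microsoft.Authorization/roleAssignments/write"
    print(is_allowed(dev, write, DEV_RG + storage, ASSIGNMENTS))   # inherited from RG
    print(is_allowed(dev, grant, DEV_RG, ASSIGNMENTS))             # blocked by NotActions
    print(is_allowed(dev, write, PROD_RG + storage, ASSIGNMENTS))  # outside the scope
```

Scoping the assignment to the resource group rather than the subscription is what keeps the development group out of production, and Contributor's NotActions keep it from granting access to others.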
Secrets scanning
Protecting your code, your secrets, your identity
SCAN COMMITS BEFORE A PUSH
(1) Place git-secrets somewhere in the PATH to be easily accessible by git
(2) ./install.ps1 | Command to install git-secrets on a Windows machine
(3) cd /path/RaduVRepo/IoTHome | Navigate to the repo that you want to protect. You need to do this action for each repository that you want to secure
(4) git secrets --install | Install the tool
(5) git secrets --register-azure | Register the Azure plugin
(6) git secrets --register-aws | Register the AWS plugin
(7) git secrets --register-gcp | Register the GCP plugin
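What a regex-based pre-commit scan of this kind does with a staged change, as an added example that is not part of the original deck and is not git-secrets' own code. The three prohibited patterns, the allow-list entry and the sample diff are constructed for illustration; the fake credentials are assembled at run time so that no key-shaped literal appears in the file.

```python
import re

# Illustrative prohibited patterns (assumptions, not a tool's shipped rules).
PROHIBITED = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure-storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}
# A line matching an allowed pattern is not reported (documentation key).
ALLOWED = [re.compile(r"AKIAIOSFODNN7EXAMPLE")]

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (path, new_line_number, rule) for each secret on an added line."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False
            continue
        if not in_hunk and raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
            continue
        m = HUNK.match(raw)
        if m:
            lineno, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk:
            continue
        if raw.startswith("+"):
            text = raw[1:]
            if not any(a.search(text) for a in ALLOWED):
                for rule, rx in PROHIBITED.items():
                    if rx.search(text):
                        findings.append((path, lineno, rule))
            lineno += 1
        elif raw.startswith(" ") or raw == "":
            lineno += 1  # context line; removed ('-') lines do not advance


    return findings


# Constructed sample: fake values that only have the right shape.
FAKE_AWS = "AKIA" + "Q" * 16
FAKE_AZURE = "A" * 86 + "=="
SAMPLE_DIFF = f"""\
diff --git a/iot/config.py b/iot/config.py
--- a/iot/config.py
+++ b/iot/config.py
@@ -1,3 +1,6 @@
 import os
-HUB = os.environ["HUB"]
+HUB = os.environ["HUB"]
+STORAGE = "AccountName=iothome;AccountKey={FAKE_AZURE}"
+AWS_KEY = "{FAKE_AWS}"
+DOC_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
"""

if __name__ == "__main__":
    import subprocess
    import sys

    # As a pre-commit hook: scan only what is staged, fail the commit on a hit.
    staged = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    hits = scan_diff(staged)
    for path, line, rule in hits:
        print(f"{path}:{line}: {rule}")
    sys.exit(1 if hits else 0)
```

Only added lines are scanned, so a secret already in history is not caught by this check; that needs a full-history scan and rotation of the exposed credential.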
Secrets scanning
Protecting your code, your secrets, your identity
The total no. of secrets used by a single-owner
https://spectralops.io/
Secret Scanning Tools for Dev(Sec)Ops
Protecting your secrets, data and your clouds
gitLeaks: gitLeaks is an open-source static analysis command-line tool released under the MIT license. The gitLeaks tool is used to detect hard-coded secrets like passwords, API keys, and tokens in local and GitHub repositories (private and public).
SpectralOps: Spectral offers one of the most comprehensive secret scanning solutions, integrating into every facet of the build process.
Git-Secrets: Git-Secrets is an open-source command-line tool used to scan developer commits and "--no-ff" merges to prevent secrets from accidentally entering Git repositories.
Whispers: Whispers is an open-source static code analysis tool designed to search for hardcoded credentials and dangerous functions.
GitHub Secret scanning: GitHub makes available its own integrated secret scanning solution, capable of detecting popular API Key and Token structures.
Gittyleaks: Gittyleaks is a straightforward Git secrets scanner command line tool capable of scanning and cloning repositories.
Scan: Scan is a comprehensive open-source security audit tool.
Git-all-secrets: Git-all-secrets is an open-source secret scanner aggregation project. This tool currently relies on two open-source secret scanning projects: truffleHog and repo-supervisor.
Detect-secrets: Detect-secrets is an actively maintained open-source project designed with the enterprise client in mind.
https://spectralops.io/blog/top-9-git-secret-scanning-tools/
Secret Scanning Tools for Dev(Sec)Ops
Protecting your secrets, data and your clouds
gitLeaks
  Strengths: Open source | Free to use | Cloning, audit and integration capability
  Limitations: No UI | Limited integration options | Good for niche development projects
SpectralOps
  Strengths: Intuitive UI | Easy to manage | Strong ML mechanism that reduces the false positive rate
  Limitations: Complex | Not easy to use for small projects | Built for large codebases with a high no. of people
Git-Secrets
  Strengths: Easy integration with CI/CD pipeline | Able to keep secrets from showing up in the commit (Secret Providers)
  Limitations: Simple algorithms | Based on regular-expression-like formulas | Not maintained anymore | Not suitable for corporate environments
Whispers
  Strengths: Works out of the box | Wide range of secret formats | Easy to extend to support new formats
  Limitations: Focus on text files | Not able to do deep scans without integration with other solutions | Rules based on regex, ASCII and Base64
GitHub Secret scanning
  Strengths: Easy to integrate in GitHub | UI and nice visualization for scanning, integration and configuration | Strong support for a high number of popular services
  Limitations: Main target is string structures (keys, tokens) | Does not cover passwords, emails, URLs
Gittyleaks
  Strengths: Simple to use and configure | Easy to integrate in small projects and add the secrets scanning concept
  Limitations: Fixed rules | Limited in the formats that can be detected | Not suitable for non-education purposes
Scan
  Strengths: Open source | Good integration with Azure, GitHub, GitLab, Team City and so on | The most powerful free tool for DSO
  Limitations: Setup is complex | Limited user interface | Hard to process the results
Git-all-secrets
  Strengths: Integration hub | Does not rely only on a single algorithm
  Limitations: Default configuration is basic | Looks more like an MVP than a production-ready solution
Detect-secrets
  Strengths: High no. of plugins (including Azure, AWS)
  Limitations: Pre-commit hook is basic and does not cover all base secrets | Output split across multiple lines
https://spectralops.io/blog/top-9-git-secret-scanning-tools/


Editor's Notes

  1. <Key point>: Cloud Adoption Framework: modular phases of adoption. As your organization evolves, the Cloud Adoption Framework adapts to your business needs. Each module in the diagram is an iterative phase that advances your business through the complete lifecycle of cloud adoption. Customers can choose the phase best suited to their degree of cloud adoption maturity. The Cloud Adoption Framework offers a guiding methodology for cloud adoption, with specific approaches to overcoming common blockers to cloud adoption in each module, such as “Define Strategy,” “Plan,” etc. The Cloud Adoption Framework offers the enterprise a modular framework for how to incrementally onboard to the cloud. Cloud adoption shifts how companies obtain, make use of, and lock down their technology resources. And this kind of modular framework flips the model of how enterprises operate:
     - Transitions organizations to need-based consumption of technology resources
     - Change from cap-ex (capital expenditure) to op-ex (operating expenditure) model
     - Cloud model assumes security, governance, cost-optimization, and hybrid cloud by default
     - Develop a future-ready workforce: developing and deploying cloud skill readiness organization-wide
     As an organization progresses through the Cloud Adoption Framework, what are the main goals of each methodology, such as “Define Strategy” and “Plan,” that you can focus efforts on? <Transition>: Now that we have taken a look at the phases and modular approach, let's look at some common business blockers that the Cloud Adoption Framework can help you resolve.
  2. https://spectralops.io/blog/top-9-git-secret-scanning-tools/