Security in a Continuous Delivery World - 2015 - Sherif Mansour

•

0 likes•94 views

Imagine a world where a developer can have her/his code pushed into production a few minutes after its checked in. How do you engrain web application security in such a development pipeline? How do you keep track of the security issues? In this talk we'll discuss some of the security challenges for this paradigm shift and how OWASP can help development teams navigate some of these challenges.

Technology

Security in a Continuous
Delivery World
Sherif Mansour

“Give me six hours to chop down a tree and I will spend
the first four sharpening the axe.”
-Abraham Lincoln

Two things about Automation
1. Automation applied to an efficient operation will
magnify its efficiency
2. Automation applied to an inefficient operation will
magnify its inefficiency
-Bill Gates

Two things about Web Programming
1. Control-C
2. Control-V

Two Things About World Conquest
1. Divide and Conquer. 
2. Never invade Russia in the winter.

Two Things About Information Security
Complete:
1.
2.

Overview
• Timeline - 1986
• Agile Security
• Bug Tracker
• Definition of Done
• App Sec Radar
• Continuous Delivery
• Security Testing
• How OWASP can help

Timeline - 1986
• HBR publishes an article: “The New New
Product Development Game”
• Computer Fraud and Abuse Act

The New New Product Development
Game
Leading companies show six characteristics in managing their new product
development processes:
1. Built-in instability
2. Self-organizing project teams
3. Overlapping development phases
4. “Multilearning”
5. Subtle control
6. Organizational transfer of learning

Agile Frameworks
• XP
• Scrum
• Crystal
• FDD
• Lean and Kanban
• DSDM

Computer Fraud and Abuse Act
• Enacted in 1986
• First Felony in 1988 - Morris Worm
• Mr. Robert Morris Sr. (his father) was the
Chief Scientist at NSA
• Comm-Sec & Compu-Sec merged Info-
Sec
• CERT was created in CMU

Stop me of you have seen this before
Applying controls without understanding its limitations.

Fast Forward to 2001
1.OWASP was formed :-)
2.Agile Manifesto was published :-) :-)

OWASP
• OWASP Top Ten
• OWASP Software Assurance Maturity Model
• OWASP Development Guide
• OWASP ZAP Project: The Zed Attack Proxy
(ZAP)

Agile Manifesto
• Individuals and Interactions over
processes and tools
• Working software over comprehensive
documentation
• Customer collaboration over contract
negotiation
• Responding to change over following a
plan

Security in an Agile Framework
• Communicate Security
Recommendations simply and clearly
• Identify the biggest risk and which ones
you teams are exposed to
• When you raise a security issue:
• Unique - No duplicates
• Useful - Improves the security and
quality of the software
• Actionable - All necessary
information is in the ticket

App Sec Issues Tracking and Metrics
For every security issue detected raise
a Jira bug ticket and include the
following attributes to the bug type:
1. Business risk
2. Attack vector
3. Priority
4. Components
5. Testing Method
6. Dev Team

App-Sec Radar
The Application Security Radar is a
site in forms the technology teams
on security technologies they should
embrace or move away from.
This ensures developers adopt
more secure technologies, there are
6 recommendation categories for
the app sec radar:
• Plan for Removal
• No New Use
• Evaluate
• Trial
• Adopt
• Hold

DoD - Definition of Done
• Security should include a reference quick
check list for developers on what to
avoid, and what to look out for during
code review.

Continuous Delivery
You’re doing continuous delivery when:
• Your software is deployable throughout its lifecycle
• Your team prioritises keeping the software deployable
over working on new features
• Anybody can get fast, automated feedback on the
production readiness of their systems any time
somebody makes a change to them
• You can perform push-button deployments of any
version of the software to any environment on demand

How OWASP Can Help
• If you solve a problem and I solve a
problem, each of us has two solutions.
• Guidance
• Security Libraries
• Developer tools
• Training
• etc..

Interests
• Headers reporting back:
• Content Security Policy CSP
• HTTP Public Key Pinning
• DMARC - (Email Standard)

What's hot

Using jira to manage risks v1.0 - owasp app sec eu - june 2016

Dinis Cruz

Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS). This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints. But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

Threat Stack

we45 SecDevOps Presentation - ISACA Chennai

Abhay Bhargav

Engineering Trust in Your Automated Tests

Jyoti Mittal

we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the produce lifecycle. Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.

we45 - SecDevOps Concept Presentation

Abhay Bhargav

SecDevOps Risk Workflow - v0.6

Dinis Cruz

Presenter - Peter Chestna, Veracode If you are moving between methodologies, you are probably looking for a roadmap or at least lessons from someone that’s been through it already. Over its 10+ years, Veracode has moved from monolith to microservice and fromwaterfall to DevOps. We have learned a lot along the way and I’m eager to share the story. As you consider the shift from waterfall to agile, or agile to continuous deployment and eventually DevOps, there is more to think about than just architecture. Peter Chestna, the Director of Developer Engagement at Veracode, led Veracode’s own transition from Waterfall to DevOps and in turn has helped hundreds of customers do the same. Join us as Peter shares his own case study, how Veracode reengineered its own architecture but more importantly the overall process including team structure, the technologies to build a robust pipeline, security considerations and the cultural shifts required.

A Secure DevOps Journey

Sonatype

s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority: - Integrate effective threat modeling into Agile development practices - Introduce Security Automation into Continuous Integration - Integrate Security Automation into Continuous Deployment While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic: - The talk will be replete with anecdotes from personal consulting and penetration testing experiences. - I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle. - I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app. - My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools. - Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav

Abhay Bhargav

Veracode Automation CLI (using Jenkins for SDL integration)

Dinis Cruz

David Hurley, Microsoft Bryan Jeffrey, Microsoft Naveed Ahmad, Microsoft Speed Kills. If you cannot detect and remediate the attacker before they have achieved their objective, you lose. The sooner you detect your attacker along the kill chain, the better your chance to disrupt and thwart attacks. The M365 Vanquish system leverages open source technologies like Spark on Azure HDI clusters and Siphon/Kafka to deliver detections and alerts in minutes at scale for M365. Signals are generated from an on-box agent, HostIDS (developed by ODSP Protect), as well as Windows security events which are sent to Vanquish for processing in the cloud. Detection processing is not tightly coupled to workload service resources. Implementation of new detections is not tied to the deployment of workload services they are monitoring. This removes the risk of changes in security detection processing impacting production services and allows increased agility in detection creation, processing and deployment. We’ll show examples from the ‘Red October’ pen test of how this agility allows incident specific detections to be created, deployed, and delivering results as an incident is in progress. Additionally, enabling M365 wide IOC (Indicator of Compromise) detections can be added in seconds. We’ll show recent pen test examples of how adding incident specific command and control IPs can provide scope and insight into attacker movement. Dynamic signal filtering capabilities across all of M365 can be added in seconds to allow focus. Another key factor in enabling agility is being able to validate quickly that changes to the system work as intended. With usage of Attackbot (the M365 Red Team attack generation tool), Vanquish continuously measures detection effectiveness across M365 services with automated real attack signal allowing us to validate that detections continue to work. By measuring rather than attesting to effectiveness, you can to quickly identify regressions when they occasionally happen and have confidence that your detections are up and working. Agility is also a key factor in our machine learning based detections. M365 Vanquish has model training and promotion fully automated. Training and promotion of new models happens constantly, with measurements of effectiveness detecting AttackBot and historical attacks gatekeeping the promotion of new models. By automating this process end to end, we have confidence that we are always armed with the best possible models. Signals are evaluated and scored in real time against the most recent model. This enables high fidelity, low latency urgent alerting within minutes of attacker activity. We’ll show you examples of pen test activity that produced urgent alerts within minutes! By designing detection systems that ensure agility with measurable effectiveness, you can improve your security posture with confidence that is not misplaced.

BlueHat v18 || Improving security posture through increased agility with meas...

BlueHat Security Conference

Abstract: Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are: • An understanding the real value of each type of AST tool (SAST, DAST, IAST); • How to leverage your tools for better security visibility and process efficiency; • Steps to find the right tool for your security program; • Keys to finding the best stage of the SDLC to implement each tool type within your security program; • How to integrate new tools with your existing DevOps or Agile environments and processes Additional Takeaways: • Examine the strengths and limitations of SAST, DAST, and IAST tools • Learn how to choose the right tools for your security program • Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes • Provide security visibility to developers, managers, and executives by enhancing your existing technology • Learn to use your tools to improve the efficiency of security tasks that are currently manual

What Good is this Tool? A Guide to Choosing the Right Application Security Te...

Kevin Fealey

This article examines the emerging need for software assurance. As defense contractors continue to develop systems for the Department of Defense (DoD) those systems must meet stringent requirements for deployment. However as over half of the vulnerabilities are found at the application layer organizations must ensure that proper mechanisms are in place to ensure the integrity, availability, and confidentiality of the code is maintained. Download paper at https://www.researchgate.net/publication/255965523_Integrating_Software_Assurance_into_the_Software_Development_Life_Cycle_(SDLC)

Secure Software Development Life Cycle

Maurice Dawson

Agile and Secure SDLC

Nazar Tymoshyk, CEH, Ph.D.

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Black Duck by Synopsys

Basic of SSDLC

Chitpong Wuttanan

Legacy-SecDevOps (AppSec Management Debrief)

Dinis Cruz

App sec and quality london - may 2016 - v0.5

Dinis Cruz

Effective DevSecOps

Pawel Krawczyk

Chef Automating Everything-AWS-PubSec-SAO-WashDC_2018

Larry Eichenbaum

Open Source Security for Newbies - Best Practices

Black Duck by Synopsys

What's hot (20)

Using jira to manage risks v1.0 - owasp app sec eu - june 2016

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

we45 SecDevOps Presentation - ISACA Chennai

Engineering Trust in Your Automated Tests

we45 - SecDevOps Concept Presentation

SecDevOps Risk Workflow - v0.6

A Secure DevOps Journey

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav

Veracode Automation CLI (using Jenkins for SDL integration)

BlueHat v18 || Improving security posture through increased agility with meas...

What Good is this Tool? A Guide to Choosing the Right Application Security Te...

Secure Software Development Life Cycle

Agile and Secure SDLC

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Basic of SSDLC

Legacy-SecDevOps (AppSec Management Debrief)

App sec and quality london - may 2016 - v0.5

Effective DevSecOps

Chef Automating Everything-AWS-PubSec-SAO-WashDC_2018

Open Source Security for Newbies - Best Practices

Similar to Security in a Continuous Delivery World - 2015 - Sherif Mansour

Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products. During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.

Digital Product Security

SoftServe

Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements. However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software. Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses: 1. The four layers of open-source security 2. How to integrate continuous security into your SDLC 3. Best practices for organizations to own and execute the security process

Open Source Security: How to Lay the Groundwork for a Secure Culture

WhiteSource

Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements. However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software. Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses: The four layers of open-source security; How to integrate continuous security into your SDLC; Best practices for organizations to own and execute the security process.

Open Source Security: How to Lay the Groundwork for a Secure Culture

DevOps.com

Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...

Simon Storm

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt

gealehegn

PCI and Vulnerability Assessments - What’s Missing

Black Duck by Synopsys

All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.

PCI and Vulnerability Assessments - What’s Missing?

Black Duck by Synopsys

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Manoj Purandare ☁

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Manoj Purandare ☁

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Manoj Purandare ☁

Дмитро Терещенко, "How to secure your application with Secure SDLC"

Sigma Software

Many products-no-security (1)

SecPod Technologies

2013 michael coates-javaone

Michael Coates

A journey into Application Security

Christian Martorella

Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.

Cyber security - It starts with the embedded system

Rogue Wave Software

HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement. Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...

Denim Group

Best Practices for Ensuring SAP ABAP Code Quality and Security

Virtual Forge

Lecture Course Outline and Secure SDLC.ppt

DrBasemMohamedElomda

BsidesMCR_2016-what-can-infosec-learn-from-devops

James '-- Mckinlay

Understanding Technology Stakeholders: Their Progress and Challenges

John Gilligan

Similar to Security in a Continuous Delivery World - 2015 - Sherif Mansour (20)

Digital Product Security

Open Source Security: How to Lay the Groundwork for a Secure Culture

Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt

PCI and Vulnerability Assessments - What’s Missing

PCI and Vulnerability Assessments - What’s Missing?

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Дмитро Терещенко, "How to secure your application with Secure SDLC"

Many products-no-security (1)

2013 michael coates-javaone

A journey into Application Security

Cyber security - It starts with the embedded system

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...

Best Practices for Ensuring SAP ABAP Code Quality and Security

Lecture Course Outline and Secure SDLC.ppt

BsidesMCR_2016-what-can-infosec-learn-from-devops

Understanding Technology Stakeholders: Their Progress and Challenges

Recently uploaded

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Recently uploaded (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Why Teams call analytics are critical to your entire business

🐬 The future of MySQL is Postgres 🐘

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

AWS Community Day CPH - Three problems of Terraform

Artificial Intelligence Chap.5 : Uncertainty

Powerful Google developer tools for immediate impact! (2023-24 C)

Scaling API-first – The story of a global engineering organization

Axa Assurance Maroc - Insurer Innovation Award 2024

Exploring the Future Potential of AI-Enabled Smartphone Processors

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Boost Fertility New Invention Ups Success Rates.pdf

A Domino Admins Adventures (Engage 2024)

Partners Life - Insurer Innovation Award 2024

Data Cloud, More than a CDP by Matt Robison

Artificial Intelligence: Facts and Myths

How to Troubleshoot Apps for the Modern Connected Worker

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Boost PC performance: How more available memory can improve productivity

Security in a Continuous Delivery World - 2015 - Sherif Mansour

1. Security in a Continuous Delivery World Sherif Mansour

2. “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” -Abraham Lincoln

3. Two things about Automation 1. Automation applied to an efficient operation will magnify its efficiency 2. Automation applied to an inefficient operation will magnify its inefficiency -Bill Gates

4. Two things about Web Programming 1. Control-C 2. Control-V

5. Two Things About World Conquest 1. Divide and Conquer.  2. Never invade Russia in the winter.

6. Two Things About Information Security Complete: 1. 2.

7. Overview • Timeline - 1986 • Agile Security • Bug Tracker • Definition of Done • App Sec Radar • Continuous Delivery • Security Testing • How OWASP can help

8. Timeline - 1986 • HBR publishes an article: “The New New Product Development Game” • Computer Fraud and Abuse Act

9. The New New Product Development Game Leading companies show six characteristics in managing their new product development processes: 1. Built-in instability 2. Self-organizing project teams 3. Overlapping development phases 4. “Multilearning” 5. Subtle control 6. Organizational transfer of learning

10. Agile Frameworks • XP • Scrum • Crystal • FDD • Lean and Kanban • DSDM

11. Computer Fraud and Abuse Act • Enacted in 1986 • First Felony in 1988 - Morris Worm • Mr. Robert Morris Sr. (his father) was the Chief Scientist at NSA • Comm-Sec & Compu-Sec merged Info- Sec • CERT was created in CMU

12. Since Then Its Been An Arms Race

13. Stop me of you have seen this before Applying controls without understanding its limitations.

14. Fast Forward to 2001 1.OWASP was formed :-) 2.Agile Manifesto was published :-) :-)

15. OWASP • OWASP Top Ten • OWASP Software Assurance Maturity Model • OWASP Development Guide • OWASP ZAP Project: The Zed Attack Proxy (ZAP)

16. Agile Manifesto • Individuals and Interactions over processes and tools • Working software over comprehensive documentation • Customer collaboration over contract negotiation • Responding to change over following a plan

17. Agile Principles

18. Agile (scrum) Framework

19. Security in an Agile Framework • Communicate Security Recommendations simply and clearly • Identify the biggest risk and which ones you teams are exposed to • When you raise a security issue: • Unique - No duplicates • Useful - Improves the security and quality of the software • Actionable - All necessary information is in the ticket

20. App Sec Issues Tracking and Metrics For every security issue detected raise a Jira bug ticket and include the following attributes to the bug type: 1. Business risk 2. Attack vector 3. Priority 4. Components 5. Testing Method 6. Dev Team

21. Metrics

22. App-Sec Radar The Application Security Radar is a site in forms the technology teams on security technologies they should embrace or move away from. This ensures developers adopt more secure technologies, there are 6 recommendation categories for the app sec radar: • Plan for Removal • No New Use • Evaluate • Trial • Adopt • Hold

23. DoD - Definition of Done • Security should include a reference quick check list for developers on what to avoid, and what to look out for during code review.

24. Continuous Delivery You’re doing continuous delivery when: • Your software is deployable throughout its lifecycle • Your team prioritises keeping the software deployable over working on new features • Anybody can get fast, automated feedback on the production readiness of their systems any time somebody makes a change to them • You can perform push-button deployments of any version of the software to any environment on demand

25. Release Vehicle vs. Pipeline

26. Testing in Continuous Delivery

27. How OWASP Can Help • If you solve a problem and I solve a problem, each of us has two solutions. • Guidance • Security Libraries • Developer tools • Training • etc..

28. Thank you Two More things :-)

29. Interests • Headers reporting back: • Content Security Policy CSP • HTTP Public Key Pinning • DMARC - (Email Standard)

30. Please Welcome Simon Bennetts

Security in a Continuous Delivery World - 2015 - Sherif Mansour

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Security in a Continuous Delivery World - 2015 - Sherif Mansour

Similar to Security in a Continuous Delivery World - 2015 - Sherif Mansour (20)

Recently uploaded

Recently uploaded (20)

Security in a Continuous Delivery World - 2015 - Sherif Mansour