This document provides an overview of a presentation given by Joshua Corman and Gene Kim on the topics of security, DevOps, and Rugged DevOps. Some key points:
- Joshua Corman is the director of security intelligence at Akamai Technologies and Gene Kim is a researcher and author known for his work on IT performance and DevOps.
- They discuss how traditional security models are no longer effective due to increasing development speeds and how Rugged DevOps combines principles of DevOps and security.
- Rugged DevOps focuses on operational discipline, situational awareness, and countermeasures to provide security in a way that does not hinder development workflows and speeds.
- The presentation
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor..., by Gene Kim
In this presentation, I describe why we've decided to pre-record our talks for DevOps Enterprise Summit, and some of the top lessons learned for any speaker who needs to record their presentations.
I cover microphones, standing up, elevating your camera, adjusting your lighting, picking a good background, and record!
To learn more about the awesome DevOps Enterprise Summit programming here: https://itrevolution.com/london-virtual-what-to-expect/
The Unicorn Project and The Five Ideals (Updated Dec 2019), by Gene Kim
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, which as it turns out, whose heroic work matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report, by Gene Kim
Talk video: https://www.youtube.com/watch?v=5mbp3SEha38&t=1652s
Blog post: https://itrevolution.com/love-letter-to-clojure-part-1
I will explain how learning the Clojure programming language three years ago changed my life. It led to a series of revelations about all the invisible structures that are required to enable developers to be productive. These concepts show up all over The Unicorn Project, but most prominently in the First Ideal of Locality and Simplicity, and how it can lead to the Second Ideal of Focus, Flow, and Joy.
Without doubt, Clojure was one of the most difficult things I’ve learned professionally, but it has also been one of the most rewarding. It brought the joy of programming back into my life. For the first time in my career, as I’m nearing fifty years old, I’m finally able to write programs that do what I want them to do, and am able to build upon them for years without them collapsing like a house of cards, as has been my normal experience.
The famous French philosopher Claude Lévi-Strauss would say of certain tools, “Is it good to think with?” For reasons that I will try to explain in this post, Clojure embraces a set of design principles and sensibilities that were new to me: functional programming, immutability, an astonishingly strong sense of conservative minimalism (e.g., hardly any breaking changes in ten years!), and much more…
Clojure introduced to me a far better set of tools to think with and to also build with. It’s also led to a set of aha moments that explain why for decades my code would eventually fall apart, becoming more and more difficult to change, as if collapsing under its own weight. Learning Clojure taught me how to prevent myself from constantly self-sabotaging my code in this way.
The Unicorn Project and The Five Ideals (older: see notes for newer version), by Gene Kim
Updated version here (Dec 2019): https://www.slideshare.net/realgenekim/the-unicorn-project-and-the-five-ideals-updated-dec-2019
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, which as it turns out, whose heroic work matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
Keeping The Auditor Away: DevOps Audit Compliance Case Studies, by Gene Kim
Organizations and development teams are moving beyond waterfall models to those embracing a continuous delivery/DevOps-style set of processes. Treating tens, hundreds, or even thousands of deploys per day as 'normal' does not align with the SDLC, separation of duties, and common controls expected by auditors.
In this presentation, we will describe what auditors look for in a compliance audit, how to develop alternate control procedures that fulfill those reporting requirements, how to avoid “red flags” that indicate inadequate controls, and real world case studies and reporting artifacts.
Gene Kim has been studying high-performing IT organizations since 1999 and helped develop the SOX scoping guidelines with the Institute of Internal Auditors in 2005. James DeLuccia IV is the leader for Ernst & Young Americas Certification Services; he oversees all of the audits against common industry standards and champions several global program implementation roll-outs. Developing and 'translating' the control environment behaviors of clients such as Google, Amazon, Workday, and others is difficult. This discussion will bridge the needs of auditors with the community of developers by sharing examples, discussing the assurance expectations, and explaining how to communicate in order to pass an audit.
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs, by Gene Kim
This presentation describes my interpretation of the Why and How of DevOps, and the key findings from my 15-year study of high-performing IT organizations, and how they simultaneously deliver stellar service levels and rapid implementation of new features into the production environment.
Organizations employing DevOps practices such as Google, Amazon, Facebook, Etsy and Twitter are routinely deploying code into production hundreds, or even thousands, of times per day, while providing world-class availability, reliability and security. In contrast, most organizations struggle to release more often than every nine months.
He will present how these high-performing organizations achieve this fast flow of work through Product Management and Development, through QA and Infosec, and into IT Operations. By doing so, other organizations can now replicate the extraordinary culture and outcomes enabling their organization to win in the marketplace.
2012 Velocity London: DevOps Patterns Distilled, by Gene Kim
2012 Velocity London. Presentation by Patrick Debois (@patrickdebois), Damon Edwards (@damonedwards), Gene Kim (@realgenekim), John Willis (@botchagalupe)
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability while sacrificing security. This best practices guide outlines steps users can take to better protect personal devices and information.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
DevOps and Testing slides at DASA Connect, by Kari Kakkonen
Slides by me and Rik Marselis at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in the different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 4, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024), by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Elevating Tactical DDD Patterns Through Object Calisthenics, by Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Generative AI Deep Dive: Advancing from Proof of Concept to Production, by Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
A tale of scale & speed: How the US Navy is enabling software delivery from l..., by sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Removing Uninteresting Bytes in Software Fuzzing, by Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed
1. Security is Dead.
Long Live Rugged DevOps:
IT at Ludicrous Speed…
Joshua Corman & Gene Kim
Session ID: CLD-106
Session Classification: Intermediate
2. About Joshua Corman
Director of Security Intelligence for Akamai Technologies
Former Research Director, Enterprise Security [The 451 Group]
Former Principal Security Strategist [IBM ISS]
Industry:
Expert Faculty: The Institute for Applied Network Security (IANS)
2009 NetworkWorld Top 10 Tech People to Know
Co-Founder of “Rugged Software” www.ruggedsoftware.org
BLOG: www.cognitivedissidents.com
Things I’ve been researching:
Compliance vs Security
Disruptive Security for Disruptive Innovations
Chaotic Actors
Espionage
Security Metrics
3. About Gene Kim
Researcher, Author
Industry:
Invented and founded Tripwire, CTO (1997-2010)
Co-author: “Visible Ops Handbook” (2006), “Visible Ops Security” (2008)
Co-author: “When IT Fails: The Novel,” “The DevOps Cookbook” (Coming May 2012)
Things I’ve been researching:
Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs. IT performance
DevOps, Rugged DevOps
Scoping PCI Cardholder Data Environment (#FAIL)
4. Agenda
Problem statement
What is DevOps?
What is Rugged?
What is Rugged DevOps?
Things you can do right away
5. Potentially Unfamiliar Words You Will See
Kanban
Andon cord
Sprints
Rugged
DevOps
Bottleneck
Systems thinking
Controls reliance
21. High Performing IT Organizations
High performers maintain a posture of compliance
Fewest number of repeat audit findings
One-third amount of audit preparation effort
High performers find and fix security breaches faster
5 times more likely to detect breaches by automated control
5 times less likely to have breaches result in a loss event
When high performers implement changes…
14 times more changes
One-half the change failure rate
One-quarter the first fix failure rate
10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
One-third the amount of unplanned work
8 times more projects and IT services
6 times more applications
Source: IT Process Institute, 2008
22. 2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
Standardized configuration strategy
Process discipline
Controlled access to production systems
Source: IT Process Institute, 2008
56. DevOps: It’s A Real Movement
I would never do another startup that didn’t employ DevOps-like principles
It’s not just startups – it’s happening in the enterprise and in public sector, too
I believe working in DevOps environments will be a necessary skillset 5 years from now
58. The Prescriptive DevOps Cookbook
“DevOps Cookbook” Authors: Patrick Debois, Mike Orzen, John Willis
Goals:
Codify how to start and finish DevOps transformations
How do Development, IT Operations and Infosec become dependable partners?
Describe in detail how to replicate the transformations described in “When IT Fails: The Novel”
59. Arc 1: Decrease Cycle Time Of Releases
Create determinism in the release process
Move packaging responsibility to development
Release early and often
Decrease cycle time
Reduce deployment times from 6 hours to 45 minutes
Refactor deployment process that had 1300+ steps spanning 4 weeks
Never again “fix forward,” instead “roll back,” escalating any deviation from plan to Dev
Ensure environments are properly built before deployment begins
Control code and environments down the preproduction runways
Hold Dev, QA, Int, and Staging owners accountable for integrity
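Two of the Arc 1 points, "ensure environments are properly built before deployment begins" and "never fix forward, roll back and escalate any deviation to Dev", are mechanical enough to show in code. The following is an added example, not the deck's or the Cookbook's own code: a release switch that checks the environment first, cuts over with an atomic symlink rename, runs a caller-supplied health probe, and on any failure restores the previous release and returns an escalation record rather than patching production. The directory layout (`releases/`, `current`, `env/`) and the file names are assumptions for the demo.

```python
"""Roll-back-not-fix-forward deployment switch.

Added illustration, not the deck's own code: an atomic symlink cut-over
with a pre-deployment environment check and a post-deployment health
probe; any deviation rolls the symlink back and returns an escalation
record for Dev instead of being patched in place. Paths are under a
temporary directory; the health probe is a caller-supplied callable.
"""
import os
import tempfile
from pathlib import Path


def preflight(env_dir: Path, required=("config.ini", "secrets.env")) -> list:
    """Return the environment files that are missing; an empty list means the
    environment was built before deployment begins."""
    return [name for name in required if not (env_dir / name).is_file()]


def switch_symlink(link: Path, target: Path) -> None:
    """Atomic cut-over: build the new link beside the old one, then rename
    over it, so there is never a moment without a `current`."""
    tmp = link.with_name(link.name + ".tmp")
    if tmp.is_symlink() or tmp.exists():
        tmp.unlink()
    tmp.symlink_to(target)
    os.replace(tmp, link)


def deploy(root: Path, release: str, health_check) -> dict:
    """Deploy `root/releases/<release>` behind `root/current`.
    Returns a record: status, the release now live, and an escalation
    note whenever the plan deviated."""
    releases, current = root / "releases", root / "current"
    new = releases / release
    previous = current.resolve() if current.is_symlink() else None

    missing = preflight(root / "env")
    if missing:
        return {"status": "aborted", "live": previous and previous.name,
                "escalate": f"environment incomplete: {missing}"}

    switch_symlink(current, new)
    if health_check(new):
        return {"status": "deployed", "live": release, "escalate": None}

    # Deviation from plan: do not patch in production. Restore the last
    # known-good release and hand the failure back to Dev.
    if previous is not None:
        switch_symlink(current, previous)
    return {"status": "rolled-back", "live": previous and previous.name,
            "escalate": f"{release} failed health check after cut-over"}


def make_tree(root: Path, releases, env_files=("config.ini", "secrets.env")) -> None:
    """Build a constructed release tree for the demo."""
    for r in releases:
        (root / "releases" / r).mkdir(parents=True, exist_ok=True)
    (root / "env").mkdir(exist_ok=True)
    for f in env_files:
        (root / "env" / f).write_text("constructed\n")


def demo() -> list:
    """Good release, then a release that fails its probe, then a missing env."""
    root = Path(tempfile.mkdtemp())
    make_tree(root, ["v1", "v2"])
    ok = lambda rel: True
    broken = lambda rel: rel.name != "v2"   # v2 "fails" its smoke test
    results = [deploy(root, "v1", ok), deploy(root, "v2", broken)]
    (root / "env" / "secrets.env").unlink()
    results.append(deploy(root, "v2", ok))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The three records from `demo()` are the slide's three outcomes in order: a clean deploy, a rollback with an escalation note, and an abort because the environment was not built. The escalation text is the handoff to Dev; nothing in the script tries to repair the failing release.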
60. Arc 2: Increase Production Resilience
To preserve and increase throughput, elevate preventive projects and maintenance tasks
Document all work, changes and outcomes so that it is repeatable
Protect the flow of planned work (e.g., tickets bouncing around for weeks, causing features to slip into next sprint)
Ops builds Agile standardized deployment stories
Maintain adequate situational awareness so that incidents can be quickly detected and corrected
Standardize unplanned work and escalations
Continually seek to eradicate unplanned work and increase throughput
61. Arc 3: Remove Complexity, Attack Surface And Waste
Elective complexity adds to technical debt
Infosec (and everyone) wins when we take work out of the system
Understand where controls reliance is placed and what matters to the business
62. Meeting The DevOps Leadership Team
Typically led by Dev, QA, IT Operations and Product Management
Our ultimate goal is to add value at every step in the flow of work
See the end-to-end value flow
Shorten and amplify feedback loops
Help break silos (e.g., server, networking, database)
63. Definition: Agile Sprints
The basic unit of development in Agile Scrum, typically between one week and one month
At the end of each sprint, the team should have a potentially deliverable product
Aha Moment: shipping product implies not just code – it’s the environment, too!
64. Help Dev And Ops Build Code And Environments
Dev and Ops work together in Sprint 0 and 1 to create code and environments
Create environment that Dev deploys into
Create downstream environments: QA, Staging, Production
Create testable migration procedures from Dev all the way to production
Integrate Infosec and QA into daily sprint activities
66. Integrate Ops Into Dev
Embed Ops person into Dev structure
Describes non-functional requirements, use cases and stories from Ops
Responsible for improving “quality at the source” (e.g., reducing technical debt, fixing known problems, etc.)
Has special responsibility for pulling the Andon cord
67. Integrate Dev Into Ops
MobBrowser case study: “Waking up developers at 3am is a great feedback loop: defects get fixed very quickly”
Goal is to get Dev closer to the customer
Infosec can help determine when it’s too close (and when separation of duties, SOD, is a requirement)
68. Keep Shrinking Batch Sizes
Waterfall projects often have cycle time of one year
Sprints have cycle time of 1 or 2 weeks
When IT Operations work is sufficiently fast and cheap, we may decide to decouple deployments from sprint boundaries (e.g., Kanbans)
70. IT Operations Increases Process Rigor
Standardize deployment
Standardize unplanned work: make it repeatable
Modify first response: ensure constrained resources have all data at hand to diagnose
Elevate preventive activities to reduce incidents
71. Help Development…
Help them see downstream effects
Unplanned work comes at the expense of planned work
Technical debt retards feature throughput
Environment matters as much as the code
Allocate time for fault modeling, asking “what could go wrong?” and implementing countermeasures
72. Help QA…
Ensure test plans cover not only code functionality, but also:
Suitability of the environment the code runs in
The end-to-end deployment process
Help find variance…
Functionality, performance, configuration
Duration, wait time and handoff errors, rework, …
73. Help IT Operations…
“The best way to avoid failure is to fail constantly”
Harden the production environment
Have scheduled drills to “crash the data center”
Create your “chaos monkeys” to introduce faults into the system (e.g., randomly kill processes, take out servers, etc.)
Rehearse and improve responding to unplanned work
Examples: Netflix: hardened AWS service; StackOverflow; Amazon firedrills (Jesse Allspaw); The Monkey (Mac)
79. Case Studies And Early Indicators
Almost every major Internet online services company
Veracode rapid SaaS fix blog post: http://www.veracode.com/blog/2012/01/vulnerability-response-done-right/
Pervasive monitoring
Analytics at LinkedIn viewed by CEO daily: LinkedIn Engineering: “The Birth Of inGraphs: Eric The Intern”
81. Things To Put Into Practice Tomorrow
Identify your Dev/Ops/QA/PM counterparts
Discuss your mutual interdependence and shared objectives
Harden and instrument the production builds
Integrate automated security testing into the build and deploy mechanisms
Create your Evil/Hostile/Fuzzy Chaos Monkey
Cover your untested branches
Enforce the 20% allocation of Dev cycles to non-functional requirements
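Slide 73's "chaos monkeys" that randomly kill processes and slide 81's "create your Evil/Hostile/Fuzzy Chaos Monkey" both describe a drill whose value is in what it reveals about detection and recovery, not in the fault itself. The following is an added example, not Netflix's Chaos Monkey and not code from the talk: a seeded fault injector runs against a simulated replicated service while a supervisor restarts what was killed and a load balancer routes on a health view that may be stale. Replica names, tick counts and delays are constructed; the interesting comparison is the same drill with a zero-tick versus a one-tick detection lag.

```python
"""Chaos-monkey drill against a replicated service, as a simulation.

Added illustration, not Netflix's Chaos Monkey or code from the talk:
a seeded fault injector kills replicas while a supervisor restarts them
and a load balancer routes requests from its (possibly stale) health
view. Running it with and without detection lag shows why situational
awareness, not just redundancy, decides whether users notice the fault.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Replica:
    name: str
    up: bool = True
    restart_eta: int = 0          # ticks until the supervisor brings it back


@dataclass
class Cluster:
    replicas: list
    restart_delay: int            # how long a restart takes, in ticks
    detection_lag: int            # how stale the balancer's health view is
    history: list = field(default_factory=list)   # end-of-tick health snapshots

    def snapshot(self):
        return {r.name: r.up for r in self.replicas}

    def view(self):
        """Health view the balancer routes on: live, or lagged by N ticks."""
        if self.detection_lag == 0:
            return self.snapshot()
        idx = len(self.history) - self.detection_lag
        return self.history[idx] if idx >= 0 else self.history[0]

    def route(self) -> bool:
        """Send one request to the first replica the balancer believes is up.
        True if that replica really was up, False if the request failed."""
        for r in self.replicas:
            if self.view().get(r.name, True):
                return r.up
        return False              # balancer saw nothing healthy at all

    def supervise(self):
        """Restart logic: a dead replica comes back after restart_delay ticks."""
        for r in self.replicas:
            if not r.up:
                r.restart_eta -= 1
                if r.restart_eta <= 0:
                    r.up = True

    def kill(self, rng):
        """The monkey: take out one randomly chosen replica, if it was up."""
        victim = rng.choice(self.replicas)
        if victim.up:
            victim.up = False
            victim.restart_eta = self.restart_delay
            return victim.name
        return None


def run_drill(n_replicas=3, ticks=59, kill_every=6, restart_delay=2,
              detection_lag=0, seed=1) -> dict:
    """One request per tick; the monkey strikes every kill_every ticks."""
    rng = random.Random(seed)
    cl = Cluster([Replica(f"web-{i}") for i in range(n_replicas)],
                 restart_delay, detection_lag)
    stats = {"served": 0, "failed": 0, "kills": 0, "min_up": n_replicas}
    cl.history.append(cl.snapshot())
    for t in range(1, ticks + 1):
        if t % kill_every == 0 and cl.kill(rng):
            stats["kills"] += 1
        stats["min_up"] = min(stats["min_up"], sum(r.up for r in cl.replicas))
        if cl.route():
            stats["served"] += 1
        else:
            stats["failed"] += 1
        cl.supervise()
        cl.history.append(cl.snapshot())
    stats["all_up_at_end"] = all(r.up for r in cl.replicas)
    return stats


if __name__ == "__main__":
    print("live health view :", run_drill(detection_lag=0))
    print("one-tick stale   :", run_drill(detection_lag=1))
    print("single replica   :", run_drill(n_replicas=1))
```

With three replicas and a live health view no request fails, because the balancer steers around every kill. With the same redundancy but a one-tick stale view, a request fails each time the monkey happens to hit the replica the balancer was about to use; that gap, not the kill, is what the drill is measuring. With a single replica every kill costs two failed requests, the restart delay, which is the cost of having no redundancy to route around.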
82. Resources
From the IT Process Institute (www.itpi.org):
Both Visible Ops Handbooks
ITPI IT Controls Performance Study
Rugged Software by Corman, et al.: http://ruggedsoftware.org
“Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation” by Humble, Farley
Follow us…
@JoshCorman, @RealGeneKim
mailto:genek@realgenekim.me
http://realgenekim.me/blog
83. Interested In “The DevOps Cookbook?”
Give Gene your business card, and get exclusive access to the first 100 pages of "When IT Fails: The Novel" and "The DevOps Cookbook" for free
We’ll send it to you as soon as it’s ready!
86. Common Traits of High Performers
Culture of…
Change management
Integration of IT operations/security via problem/change management
Processes that serve both organizational needs and business objectives
Highest rate of effective change
Causality
Highest service levels (MTTR, MTBF)
Highest first fix rate (unneeded rework)
Compliance and continual reduction of operational variance
Production configurations
Highest level of pre-production staffing
Effective pre-production controls
Effective pairing of preventive and detective controls
Source: IT Process Institute
87. Visible Ops: Playbook of High Performers
The IT Process Institute has been studying high-performing organizations since 1999
What is common to all the high performers?
What is different between them and average and low performers?
How did they become great?
Answers have been codified in the Visible Ops Methodology
The “Visible Ops Handbook” is available from the ITPI: www.ITPI.org
89. A Reframed IT Operations Problem Statement
Increase flow from Dev to Production
Increase throughput
Decrease WIP
Our goal is to create a system of operations that allows:
Planned work to quickly move to production
Ensure service is quickly restored when things go wrong
Information security built in at every stage of Development, Project Management, and IT Operations
How does this relate to Visible Ops?
We focused much on “unplanned work”
What’s happening to all the planned work?
At any given time, what should IT Ops be working on?
Now we are focusing on the flow of planned work
92. By The Visible Ops Team:
Gene Kim, Kevin Behr, George Spafford
93. The Theory of Constraints Approach To Visible Ops
Dr. Goldratt wrote The Goal in 1984, describing Alex’s challenge to fix his plant’s cost and due date issues within 90 days
Some tenets that went against common wisdom:
Every flow of work has a constraint/bottleneck
Any improvement not made at the bottleneck is merely an illusion
Fallacy of cost accounting as operational management tool
94. Interested?
If you’re interested in When IT Fails: The Novel or The DevOps Cookbook, sign up for the list at http://whenitfails.org
Or:
# mail genek@realgenekim.me
Subject: [ slides | research | list ]
Editor's Notes
Tell story of Amazon, Netflix: they care about availability, security. It’s not a push, it’s a pull – they’re looking for our help (#1 concern: fear of disintermediation and being marginalized)
At RSA 2009, Josh Corman, Jeff Williams, and David Rice were chatting at the Greylock cocktail party.
So software not only needs to be…
…fast, and…
…agile, but it also needs to be…
…rugged. Capable of withstanding…
…the harshest conditions…
…and most unfriendly environments…
[ text ] My personal goal is to prescriptively define 1) what does Dev need to do to become a reliable partner, 2) what does IT Operations need to do to become a reliable partner, and then 3) how do they work together to deliver unbelievable value to the business. Of course, the goal is more than happy coexistence. It’s to replicate the Etsy and LinkedIn stories: increase the rate of features that we can put into production, while simultaneously maintaining the reliability, stability, security and survivability of the production environment.
[ picture of stock graph ] There are two main characters: Steve, the hard-driving CEO of a $4B/yr manufacturing/retailing company. In an emergency board meeting, the board conveys two messages: You’ve promised us two projects for over years, to close the gap with the competition. It’s now a year late, $10MM over budget. Your competition is Best Buy, and you’re Circuit City. Hold your CIO accountable. Our job is to hire great CEOs, and fire the ones who can’t deliver. If you can’t fix this, we’ll find one who can.
This story is about how Bill, the thoughtful and methodical VP of IT Operations, solves some of the largest problems of the company. It’s a story about a Visible Ops and DevOps style transformation. It’s how Bill saves the company, helping it achieve its project goals, operational goals, security and compliance goals. And Steve the CEO realizes that Bill, the lowly VP of IT Operations, is the person who saved the company.
[ picture of When IT Fails ] But how do we make this an issue that CEOs actually care about, instead of strictly a grass-roots movement? For five years, I’ve been working on a book called “When IT Fails: The Novel,” which I think can help. The goal of the book is to help bridge the dysfunctional marriage that often exists between the CIO and the CEO. When I told the CIO of Columbia Sportswear about it, he said, “When you finish that book, not only will everyone on my team need to read this, but my boss will need to read this, and my boss’s boss will need to read this.” I was so moved by it that it was one of the main reasons I wrote Tripwire – make completion of the book my sole focus.