2019 Infosec World Keynote

•Download as PPTX, PDF•

0 likes•75 views

This document discusses how containers can improve security posture through automation and visibility. It notes that as applications are containerized, security must also automate to keep up with the volume of new images and containers. The document advocates rebuilding containers rather than patching them when vulnerabilities are found. It emphasizes gaining visibility into what applications are doing and where they are running. The document argues that security should recommend containers, not just react when developers ask to use them. Automation is needed for building, testing, delivery and security activities like vulnerability scanning across the application lifecycle.

Technology

John Kinsella
VP Engineering, Container Security
Removing the Burden of Securing Microservices
Through Automation and Visibility

Containers Improve your
Security Posture
Infosec World 20192

What Contributes to a Security Posture?
Infosec World 20193

Everything Contributes to a Security
Posture!!!!
Infosec World 20194

Security Posture
Information security status of an organization
based on information assurance resources
and defense capabilities
Infosec World 20195

How do Applications Contribute to a
Security Posture?
• Provide information about environment and usage
• Defense in depth
• Confidentiality, Integrity, Availability
Infosec World 20196

Containers Improve your
Application Security
• Improved application management
• Improved application scalability
• Improved application monitoring
Infosec World 20197

Why are Developers Excited
about Containers?
• Additive collaboration
• Repeatability
Infosec World 20198

When Have you Heard a
Developer ask..
“Can you run this VM image I built?”
Infosec World 20199

Are Containers for
Everyone?
Infosec World 201910

What’s the Difference Between
Containers and Microservices?
Infosec World 201911

You cannot
underestimate how
much legacy
environments are
slowing your
organization down.
Infosec World 201912
• Increase speed to market
• Enhance efficiency
• Improve quality
• Lower TCO

Tools Landscape
SW
DEV
QA/Test INFR OPS
Application Lifecycle
Infosec World 201914

How do we secure this??
Infosec World 201917

What’s Dangerous
about Containers?
The volume of new images and containers each day
is impossible for a traditional infosec team to handle.

Visibility Problems
What is the application doing?
Where is the application?
Infosec World 201919

So Security Must
Automate, Too
Infosec World 201920
…not just to survive,
but to allow
developers to flourish

Vulnerability Scanning
Infosec World 201921

Vulnerability Scanning
Infosec World 201922
Filter alerts down to
• Worthy of Attention
• Actionable

Do not Patch
Containers.
Rebuild.
Infosec World 201923

Cat Herding, 2019
Infosec World 201924
Containers aren’t only in a
cluster.
What tools are in use?
How to provide/enforce
standards

Runtime Security
Infosec World 201926
Least privilege
Newfound control capabilities
Is this your app, or downloaded?
Is the app doing what is expected?

Security Should be
Recommending
Containers
…Not waiting for
developers to ask if
they can use them.
Infosec World 201928

Container Security Workflow
Container Registry
S t a t i c A n a l y s i s R u n t i m e A n a l y s i s R u n t i m e P r o t e c t i o n
Instrument
Container
Sec
Behavior
Templates
Security
Policies
Security Policy
Enforcement
SecOpsDevOps
Notifications
Alerts Insight
Instrumented
Container
Instrumented Container runs in observation
mode on premise or in cloud
A s s e s s m e n t / I n s t r u m e n t a t i o n T e s t / S t a g i n g P r o d u c t i o n
Validate
Container
Scan
Container
Automated enforcement of Secured Container
on premise or in cloud
Secured
Container
Inject security
probes for N/W,
I/O, and App tiers
Compliance
Enforcement
Pass/Fail
SW Composition
Security
Vulnerability Scan
Instrumented
Container
Instrumented Container
inserted into registry
Insecure Container
posted to registry
Insecure
Container
Dev
git commit
git push
New
container
build with
basic unit test
New
Container
Any failed containers
are returned to DevOps
Failed
Container
<< FAIL PASS >>

Qualys Container Security
BUILD HOSTRUNTIMEREGISTRY
PRE-DEPLOYMENT PHASE
POST-DEPLOYMENT PHASE
Container
Container Sensor Layered-In Sensor or
Container Sensor
Cloud Agent or
Scanner Appliances
Infosec World 201931

How do we Leverage Excitement
to Improve Security?

People Want to Learn
jlk@qualys.com
@johnlkinsella

In the software engineering world, change is the only constant. And in the course of the last decades, the frequency of that change has exploded. What Agile has brought to software teams, DevOps is now bringing to the entire organization. And the results speak for themselves. The DevOps high-performers are killing it. Insane deploy frequencies of features, high reliability of applications, and high productivity of cross-functional teams have amplified the speed at which ideas become a reality. In parallel, Application Security was doing its own thing and to a large part remained oblivious to all the impressive improvements that were happening in software engineering. Because breaking an application doesn’t need any knowledge of how it was created in the first place. This talk will cover anti-patterns that are preventing application security from being adopted by development teams, such as: * Issues Overload * Acronym Overuse * Sales team Wall

Integrating of security activates in agile process

Zubair Rahim

This document discusses integrating security activities into agile development processes. It outlines common security practices from frameworks like Microsoft SDL, Cigital Touchpoints, Common Criteria, and CLASP. The document presents a flow chart for integrating security into each stage of agile development, from planning and requirements to implementation and release. The goal is to leverage security best practices while maintaining agility.

Removing the Burden of Securing Microservices Through Automation and Visibility

John Kinsella

This document summarizes John Kinsella's presentation on securing microservices through automation and visibility. Some key points include: - Developers are excited about containers because they enable speed, repeatability, and additive collaboration. However, the volume of new container images poses security challenges. - Security must automate processes like vulnerability scanning, access control, and runtime protection to keep up with the pace of development and container usage. - Visibility into what applications are doing, where they are running, and which tools are in use is important but difficult with containers. Instrumentation and monitoring help provide this visibility. - The container security workflow involves securing images at build time, when stored, during execution requests, and

The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

DevOps.com

DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they? In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights. Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about: The current challenges of the security and development teams when it comes to AppSec The contradicting views and gaps between the teams on DevSecOps maturity How to break the silos and advance toward DevSecOps maturity

Security at the Speed of Software - Twistlock

Amazon Web Services

by Twistlock With containers, teams worldwide are deploying faster than ever before. But traditional security practices are slow and manual - leaving many users a choice between strong security or DevOps speed. In this talk, we'll outline how adopting a new 'cloud native' approach to security lets you recognize all the benefits of containerized deployment - and enjoy stronger protection than ever before.

Safety reliability and security lessons from defense for IoT

IoT613

Introducing a Security Feedback Loop to your CI Pipelines

Codefresh

Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/ Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/ We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT! Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines. Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports & trace back to your report from your production Kubernetes cluster using Codefresh.

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

WhiteSource

Your organization has already embraced the DevOps methodology? That’s a great start. But what about security? It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case. Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss: - Why traditional DevOps has shifted, and what this will mean - Who should own security in the age of DevOps - Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline

DevSecOps aims to define success, assign responsibilities and milestones, discover the code pipeline by treating code as infrastructure and implementing quality control, inventory security tools by understanding what is owned and the costs, assess gaps by picking frameworks and balancing controls with complexity, and iterate quickly by continuously improving and focusing on platforms over individual tools. The presentation outlines steps for organizations to implement DevSecOps practices by defining objectives, understanding code movement, taking inventory of security tools, assessing gaps, and iterating processes.

Bankinfonews

Vikram Kalkat

Vikram Kalkat of Kaspersky Lab argues that cybersecurity strategies developed for information technology (IT) are not necessarily the best fit for protecting operational technology (OT) due to differences in security needs and requirements. While IT security focuses on data confidentiality, OT security prioritizes system availability. Customized security solutions are needed for industrial controls and OT systems, as IT security alone will not meet their requirements. Kalkat believes responsibility for OT cybersecurity should remain with business units rather than IT, and recommends breaking down OT security into its components - people, processes, and technologies - to properly assess risks.

DevOps Indonesia - DevSecOps - Application Security on Production Environment

Adhitya Hartowo

Building secure cloud apps – lessons learned from Microsoft’s internal securi...

Microsoft Tech Community

DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018

Adhitya Hartowo

Leveraging Osquery for DFIR @ Scale _BSidesSF_2020

Sohini Mukherjee

The document discusses using the open-source Osquery tool for digital forensics and incident response at scale. Osquery allows querying operating systems to retrieve information about running processes, network connections, user accounts, file changes and other artifacts through SQLite. It can help with rapid incident response, fast forensics and proactive threat hunting. The document provides examples of how Osquery can detect techniques like reverse shells and crypto mining and gather evidence about potential attacks. It also discusses using Osquery to detect privileged container exploits and escapes.

Shifting Security Left from the Lean+Agile 2019 Conference

Tom Stiehm

Shifting security all day dev ops

Tom Stiehm

5 things about os sharon webinar final

DevOps.com

Open Source has become the key building block for application development in today's market, where companies are under constant pressure to accelerate time to market. However, the increasing adoption of open source components has introduced new security challenges that most teams are not prepared to mitigate in their current posture. Join Sharon Sharlin, Product Marketing Manager at WhiteSource, as she presents best practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising security.

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

Tom Stiehm

The State of Open Source Vulnerabilities - A WhiteSource Webinar

WhiteSource

Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges. In this webinar Learn how open source security vulnerabilities are found, how to address any open source security concerns within your organization and understand the difference between securing your open source components and your proprietary code.

Arnaud Thiercelin at AI Frontiers : AI in the Sky

AI Frontiers

AI can help address challenges in integrating drones into society by providing opportunities in mission planning, coordination, control systems, and automation. AI has a role to play in every step of the drone data capture, processing, and execution pipeline. This includes tasks like vertical domain knowledge, real-time and post-processing analytics, decision making, and integrating insights into existing systems. By leveraging AI, drones can operate at scale and provide end-to-end solutions for industries.

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...

DevSecCon

Julian Berton Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service. To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and "JIT" education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures: * Automation - Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process. * Prevention - Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public. * "JIT” Education - Changing a companies security culture with RFC's for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).

How to Protect Mobile Banking Users from BankBot

Zimperium

Speaker0 session7874 1

Shaveta Datta

AI tools and machine learning can help security teams address challenges around escalating alert volumes, resource shortages, and slow detection and response times. Splunk's AI-powered User Behavior Analytics (UBA) uses unsupervised machine learning to detect unknown threats and anomalous user behavior across devices and applications. It analyzes data from various sources and classifies anomalies and threats to help security teams solve advanced use cases and stay ahead of insider and external attacks. Splunk's security orchestration, automation and response (SOAR) tool, Phantom, further helps teams respond faster by automating incident response workflows and reducing manual tasks.

Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...

Kaspersky

For several years now, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been monitoring more than 60 threat actors responsible for cyber-attacks worldwide. By closely observing these organizations, which appear to be fluent in many languages, including Russian, Chinese, German, Spanish, Arabic and Persian, we have put together a list of what seem to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention. As a participant of the webinar, you will be the first to hear our detailed analysis of the trends. The webinar was hosted by Costin Raiu, Director of GReAT at Kaspersky Lab, on December 11. “If we can call 2014‘sophisticated’, then the word for 2015 will be ‘elusive’. We believe that APT groups will evolve to become stealthier and sneakier, in order to better avoid exposure. This year we’ve already discovered APT players using several zero-days, and we’ve observed new persistence and stealth techniques. We have used this to develop and deploy several new defense mechanisms for our users,” comments Costin Raiu. Listen to the presentation https://kas.pr/aptwebinar Read the full report https://kas.pr/ksb

Managing Compliance in Container Environments

Twistlock

Container Security: What Enterprises Need to Know

DevOps.com

This document discusses container security and summarizes the perspectives of several industry experts on practical steps for securing containers. It notes that the container market is growing rapidly and security needs to extend to all layers of the technology stack. Panelists recommend minimizing privileges, practicing basic hygiene, treating development environments like production, and designing containers to run anywhere. The document also outlines security capabilities like automated DevSecOps, vulnerability management, and runtime defense that are purpose-built for containers and cloud-native applications.

Cybersecurity for Field IIoT Networks

Yokogawa1

IIoT solutions are providing operators with massive volumes of data while making it easier to apply them to improvements in quality and efficiency. However, the cybersecurity risk to IIoT solutions is often overlooked. Many IIoT devices reside on networks that use open connections such as Wi-Fi, cellular, or satellite. Those could inadvertently increase an ICS threat surface. Participants in this session will learn how to configure new and existing IIoT devices in a manner that will continue providing the value of the IIoT solution while reducing the exposure to cyberattacks. Guidelines will also be provided in cases of IIoT devices, which do provide inherent security configuration options.

.conf Go Zurich 2022 - Security Session

Splunk

The document appears to be a presentation from Splunk on security topics. It includes sections on cyber security resilience, the data-centric modern SOC, application monitoring at scale, threat modeling, security monitoring journeys, self-service Splunk infrastructure, the top 3 CISO priorities of risk based alerting, use case development, a security content repository, security PVP (posture, vision, and planning) and maturity assessment, and concludes with an overview of how Splunk can provide end-to-end visibility across an organization.

Security Teams & Tech In A Cloud World

Mark Nunnikhoven

This document discusses security teams and technology in a cloud world. It notes that security is now everyone's responsibility rather than isolated to one team. Modern security requires new skills from specialists like basic coding knowledge and a user-focused perspective. The document advocates distributing security specialists throughout teams rather than keeping them isolated. It also presents opportunities that cloud infrastructure provides for faster deployment times and continuous monitoring through automation and aggregation of security data.

What's hot

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

DevSecOps outline

Nickleus Jimenez

Bankinfonews

Vikram Kalkat

DevOps Indonesia - DevSecOps - Application Security on Production Environment

Adhitya Hartowo

Building secure cloud apps – lessons learned from Microsoft’s internal securi...

Microsoft Tech Community

DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018

Adhitya Hartowo

Leveraging Osquery for DFIR @ Scale _BSidesSF_2020

Sohini Mukherjee

Shifting Security Left from the Lean+Agile 2019 Conference

Tom Stiehm

Shifting security all day dev ops

Tom Stiehm

5 things about os sharon webinar final

DevOps.com

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

Tom Stiehm

The State of Open Source Vulnerabilities - A WhiteSource Webinar

WhiteSource

Arnaud Thiercelin at AI Frontiers : AI in the Sky

AI Frontiers

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...

DevSecCon

How to Protect Mobile Banking Users from BankBot

Zimperium

Speaker0 session7874 1

Shaveta Datta

Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...

Kaspersky

Managing Compliance in Container Environments

Twistlock

Container Security: What Enterprises Need to Know

DevOps.com

Cybersecurity for Field IIoT Networks

Yokogawa1

What's hot (20)

Practical DevSecOps Using Security Instrumentation

DevSecOps outline

Bankinfonews

DevOps Indonesia - DevSecOps - Application Security on Production Environment

Building secure cloud apps – lessons learned from Microsoft’s internal securi...

DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018

Leveraging Osquery for DFIR @ Scale _BSidesSF_2020

Shifting Security Left from the Lean+Agile 2019 Conference

Shifting security all day dev ops

5 things about os sharon webinar final

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

The State of Open Source Vulnerabilities - A WhiteSource Webinar

Arnaud Thiercelin at AI Frontiers : AI in the Sky

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...

How to Protect Mobile Banking Users from BankBot

Speaker0 session7874 1

Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...

Managing Compliance in Container Environments

Container Security: What Enterprises Need to Know

Cybersecurity for Field IIoT Networks

Similar to 2019 Infosec World Keynote

.conf Go Zurich 2022 - Security Session

Splunk

Security Teams & Tech In A Cloud World

Mark Nunnikhoven

How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration

IBM Security

This document discusses intelligent orchestration for security operations centers. It begins with an overview of the challenges facing SOCs and how intelligent orchestration can help by combining human and machine intelligence with automation. It then provides an example use case of how intelligent orchestration allows a SOC to quickly investigate and remediate a phishing incident through automated tools and dynamic playbooks. The document emphasizes that intelligent orchestration acts as a force multiplier for analysts by automating repetitive tasks and providing greater visibility into security tools. It estimates the example incident response was completed in around 65 minutes faster due to intelligent orchestration capabilities.

Why and how are containers the foundation for a hybrid cloud future

Stefan van Oirschot

Containers provide a standardized and portable way to develop, deploy and run applications. They allow applications to be easily accessed and shared across different computing environments from development to production. Containers are lightweight compared to virtual machines and allow applications and their dependencies to be packaged together for true portability. A container platform combined with DevOps practices allows for continuous integration and deployment, automated operations and security, and a consistent hybrid cloud experience.

Bridging the Security Testing Gap in Your CI/CD Pipeline

DevOps.com

Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can: Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities. Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence. Fully automate secure app delivery and deployment, without the need for extra security scans or processes. Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.

Simplifying IoT App Development - A Whitepaper by RapidValue

RapidValue

This whitepaper provides a step by step guide to build IoT application on Azure without using complex hardware.This paper also illustrates a detailed approach on building an IoT application without using complex hardware. This paper is a guide for technical and non- technical professionals to get started on IoT development. It explains how you can build and try out a basic solution using a simulator device on your PC that can send trigger events to the Azure IoT Hub rather than having a need to buy or build an actual hardware device.

Make things come alive in a secure way - Sigfox

Sigfox

Trustworthiness, which encompasses security, privacy, reliability and reliance, is a key challenge for the IoT. Firstly, this is because the IoT is intimately linked to business-critical processes, and secondly because the IoT significantly broadens the surface of attack of business intelligence systems. Sigfox addresses this challenge through a systematic process that assumes that security is relative and will be adapted to the level of threat faced by the application at hand. Sigfox has gathered a team with lengthy experience in the security industry that deals with all relevant aspects, from security by design to active operational measures. This addresses data protection in motion via measures built in to the protocol (authentication, integrity, encryption, anti-replay, anti-jamming), data protection at rest via cryptographic storage of data and credentials in devices, base stations, and Sigfox Core Network. Reliability and reliance are both native in Sigfox data centers and intrinsic to the Sigfox network architecture to protect against attacks such as DDoS or massive device cloning. In an effort to support its ecosystem, Sigfox has developed partnerships with internationally recognized security experts to facilitate the introduction of hardware security in devices and provide security assessment schemes for the IoT.

(SEC202) Best Practices for Securely Leveraging the Cloud

Amazon Web Services

Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity. In this session we will cover: Key market drivers and advantages for leveraging cloud architectures. Foundational design principles to guide strategy for securely leveraging the cloud. The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid. Real-world customer insights from organizations who have successfully adopted the ""Defense in Depth"" approach. Session sponsored by Sumo Logic.

The New Security Practitioner

Adrian Sanabria

System Containers and Application Containers: Who Cares?

Virtuozzo

What is needed to start trusting the security of your applications in the cloud?

PECB

This document discusses how ISO/IEC 27034 can help verify the security of operational applications hosted in the cloud. It introduces key concepts like understanding the scope of an application versus its security scope. It outlines a three-layer cloud application architecture and examines existing cloud security certifications. ISO/IEC 27034 improves upon these by providing elements like Application Security Controls (ASCs), an ASC Library, and an Application Security Life Cycle Reference Model to make security implementation, validation, and auditing more measurable and repeatable.

Broucher Soft copy

evsrao

The document discusses KiwiSecurity's automated video surveillance technology. It describes how KiwiSecurity uses intelligent algorithms to analyze camera images in real-time, allowing humans to act immediately on relevant events. Considerable investments have been made installing thousands of KiwiSecurity cameras and systems. The technology can easily integrate into existing video surveillance systems to protect investments. KiwiSecurity develops highly specialized software to achieve the best video analysis algorithms on an unlimitedly scalable, high-security platform for automated video surveillance. Certified partners exclusively market KiwiVision products and design and realize individual projects.

Web Application Security for Continuous Delivery Pipelines

Avi Networks

Watch on-demand webinar: https://info.avinetworks.com/webinars/web-application-security-continuous-delivery-pipelines Applications today have evolved into containers and microservices deployed in fully automated and distributed environments across data centers and clouds. Application services such as load balancing, security, and analytics become critical for continuous delivery. To secure modern web applications, security policies including SSL/TLS, ACLs, IP Reputation, and WAF need to be applied quickly. We will share a reference implementation from Avi Networks. Join this webinar to learn: - CI/CD in the web application security context - Challenges and solutions integrating a modern web application firewall (WAF) into the application development pipeline - How to create processes that support both security and development requirements

Automating Your Tools: How to Free Up Your Security Professionals for Actual ...

Kevin Fealey

Kevin Fealey of Aspect Security will present on automating application security tools to free up security professionals for more important tasks. He will discuss how integrating both open source and commercial security tools into the software development lifecycle as automated "sensors" can provide continuous visibility and real-time intelligence. By automating simple security checks, teams can focus on real security challenges rather than low-hanging fruit. Examples and lessons learned will be shared. The presentation aims to bridge the gap between how development has adopted DevOps practices while security still relies on outdated paradigms.

Ten security product categories you've (probably) never heard of

Adrian Sanabria

2017-07-12 GovLoop: New Era of Digital Security

Shawn Wells

This document discusses the new era of digital security in light of emerging technologies like cloud computing, software-defined infrastructure, and the increased use of applications and devices outside of IT's control. It argues that traditional network-based defenses are no longer enough and that security must evolve to be continuous and integrated throughout the IT lifecycle. It presents containers and container platforms like Kubernetes as an approach that can help achieve both agility and improved security by allowing for easy and secure application deployment across hybrid environments.

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Manoj Purandare ☁

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Manoj Purandare ☁

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Manoj Purandare ☁

Webinar–AppSec: Hype or Reality

Synopsys Software Integrity Group

This document discusses interactive application security testing (IAST) and introduces Seeker, an IAST tool from Synopsys. It provides an overview of trends in digital transformation and challenges in application security. It then compares different application security testing approaches and positions IAST as a solution. The remainder describes how Seeker works, how it integrates into the development process, and demonstrates its capabilities like vulnerability detection, data leak prevention, and software composition analysis.

Similar to 2019 Infosec World Keynote (20)

.conf Go Zurich 2022 - Security Session

Security Teams & Tech In A Cloud World

How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration

Why and how are containers the foundation for a hybrid cloud future

Bridging the Security Testing Gap in Your CI/CD Pipeline

Simplifying IoT App Development - A Whitepaper by RapidValue

Make things come alive in a secure way - Sigfox

(SEC202) Best Practices for Securely Leveraging the Cloud

The New Security Practitioner

System Containers and Application Containers: Who Cares?

What is needed to start trusting the security of your applications in the cloud?

Broucher Soft copy

Web Application Security for Continuous Delivery Pipelines

Automating Your Tools: How to Free Up Your Security Professionals for Actual ...

Ten security product categories you've (probably) never heard of

2017-07-12 GovLoop: New Era of Digital Security

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...

Webinar–AppSec: Hype or Reality

More from John Kinsella

An In-depth look at application containers

John Kinsella

Understanding container security

John Kinsella

This document discusses container security, providing a brief history of containers, security benefits and challenges of containers, and approaches to container vulnerability management and responding to attacks. It notes that while containers are not new, their adoption has increased rapidly in recent years. The document outlines security advantages like smaller surface areas but also challenges like managing vulnerabilities across many moving parts. It recommends strategies like using official images, hardening hosts, scanning for vulnerabilities, and practicing incident response for containers.

Docker security configuration

John Kinsella

A (fun!) Comparison of Docker Vulnerability Scanners

John Kinsella

The document is an introduction to a talk on information security scanning and vulnerability management. It provides biographical information about the speaker, an overview of the topics to be covered including scanning tools and minimizing vulnerabilities in container images. It also includes examples of security product logos and discusses challenges in assessing vulnerabilities across image layers and databases tailored to specific operating systems.

CloudStack and the HeartBleed vulnerability

John Kinsella

Dont break the glass

John Kinsella

CloudStack Secured

John Kinsella

John Kinsella discusses security efforts around Apache CloudStack. He details manual code reviews and static analysis that were performed to search for weaknesses. No critical findings were discovered. Incident response procedures are outlined. Additional security measures offered by Stratosec like SSL, VPNs, firewalls, and testing are described. Future work may include two-factor authentication, SELinux, and improved logging. Community help with further security frameworks and plugins is welcomed.

Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...

John Kinsella

Securing the Cloud

John Kinsella

What is Cloud Security, and Can I Have Some?

John Kinsella

This document discusses cloud security and deployment models. It defines cloud computing according to NIST and describes the three main types: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The document also covers legal issues around discovery, governance, and compliance in cloud environments. Best practices for cloud security include encrypting data at rest and in transit, implementing strong identity management and access controls, ensuring portability between cloud providers, and understanding data locations.

More from John Kinsella (10)

An In-depth look at application containers

Understanding container security

Docker security configuration

A (fun!) Comparison of Docker Vulnerability Scanners

CloudStack and the HeartBleed vulnerability

Dont break the glass

CloudStack Secured

Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...

Securing the Cloud

What is Cloud Security, and Can I Have Some?

Recently uploaded

Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels

Northern Engraving

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

saastr

"Scaling RAG Applications to serve millions of users", Kevin Goedecke

Fwdays

"Choosing proper type of scaling", Olena Syrota

Fwdays

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Dandelion Hashtable: beyond billion requests per second on a commodity server

Antonios Katsarakis

This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

Astute Business Solutions | Oracle Cloud Partner |

AstuteBusiness

Leveraging the Graph for Clinical Trials and Standards

Neo4j

GNSS spoofing via SDR (Criptored Talks 2024)

Javier Junquera

In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security. This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing. The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.

A Deep Dive into ScyllaDB's Architecture

ScyllaDB

Must Know Postgres Extension for DBA and Developer during Migration

Mydbops

Mydbops Opensource Database Meetup 16 Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting Date & Time: 8th June | 10 AM - 1 PM IST Venue: Bangalore International Centre, Bangalore Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle. Key Takeaways: * Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities. * Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom. * Discover how these key extensions can empower both developers and DBAs during the migration process. * Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends. Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL. Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability. Contact us: info@mydbops.com Visit: https://www.mydbops.com/ Follow us on LinkedIn: https://in.linkedin.com/company/mydbops For more details and updates, please follow up the below links. Meetup Page : https://www.meetup.com/mydbops-databa... Twitter: https://twitter.com/mydbopsofficial Blogs: https://www.mydbops.com/blog/ Facebook(Meta): https://www.facebook.com/mydbops/

"$10 thousand per minute of downtime: architecture, queues, streaming and fin...

Fwdays

Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless. As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency. We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.

inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill

LizaNolte

HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable. In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed: Key Takeaways: Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement. Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers. Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.

Main news related to the CCS TSI 2023 (2023/1695)

Jakub Marek

An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers. The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 . The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors

DianaGray10

Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more. The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications. We’ll discuss and demo the benefits of UiPath Apps and connectors including: Creating a compelling user experience for any software, without the limitations of APIs. Accelerating the app creation process, saving time and effort Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management. Speakers: Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP Charlie Greenberg, host

Northern Engraving | Nameplate Manufacturing Process - 2024

Northern Engraving

Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!

Apps Break Data

Ivo Velitchkov

How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

Neo4j

Recently uploaded (20)

Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

"Scaling RAG Applications to serve millions of users", Kevin Goedecke

"Choosing proper type of scaling", Olena Syrota

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Dandelion Hashtable: beyond billion requests per second on a commodity server

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Astute Business Solutions | Oracle Cloud Partner |

Leveraging the Graph for Clinical Trials and Standards

GNSS spoofing via SDR (Criptored Talks 2024)

A Deep Dive into ScyllaDB's Architecture

Must Know Postgres Extension for DBA and Developer during Migration

"$10 thousand per minute of downtime: architecture, queues, streaming and fin...

inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill

Main news related to the CCS TSI 2023 (2023/1695)

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors

Northern Engraving | Nameplate Manufacturing Process - 2024

Apps Break Data

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

2019 Infosec World Keynote

1. John Kinsella VP Engineering, Container Security Removing the Burden of Securing Microservices Through Automation and Visibility

2. Containers Improve your Security Posture Infosec World 20192

3. What Contributes to a Security Posture? Infosec World 20193

4. Everything Contributes to a Security Posture!!!! Infosec World 20194

5. Security Posture Information security status of an organization based on information assurance resources and defense capabilities Infosec World 20195

6. How do Applications Contribute to a Security Posture? • Provide information about environment and usage • Defense in depth • Confidentiality, Integrity, Availability Infosec World 20196

7. Containers Improve your Application Security • Improved application management • Improved application scalability • Improved application monitoring Infosec World 20197

8. Why are Developers Excited about Containers? • Additive collaboration • Repeatability Infosec World 20198

9. When Have you Heard a Developer ask.. “Can you run this VM image I built?” Infosec World 20199

10. Are Containers for Everyone? Infosec World 201910

11. What’s the Difference Between Containers and Microservices? Infosec World 201911

12. You cannot underestimate how much legacy environments are slowing your organization down. Infosec World 201912 • Increase speed to market • Enhance efficiency • Improve quality • Lower TCO

13. Automation Infosec World 201913

14. Tools Landscape SW DEV QA/Test INFR OPS Application Lifecycle Infosec World 201914

15. Automation: Build and Test

16. Automation: Continuous Delivery

17. How do we secure this?? Infosec World 201917

18. What’s Dangerous about Containers? The volume of new images and containers each day is impossible for a traditional infosec team to handle.

19. Visibility Problems What is the application doing? Where is the application? Infosec World 201919

20. So Security Must Automate, Too Infosec World 201920 …not just to survive, but to allow developers to flourish

21. Vulnerability Scanning Infosec World 201921

22. Vulnerability Scanning Infosec World 201922 Filter alerts down to • Worthy of Attention • Actionable

23. Do not Patch Containers. Rebuild. Infosec World 201923

24. Cat Herding, 2019 Infosec World 201924 Containers aren’t only in a cluster. What tools are in use? How to provide/enforce standards

25. Cat Herding, 2019 Infosec World 201925

26. Runtime Security Infosec World 201926 Least privilege Newfound control capabilities Is this your app, or downloaded? Is the app doing what is expected?

27. Visibility Infosec World 201927

28. Security Should be Recommending Containers …Not waiting for developers to ask if they can use them. Infosec World 201928

29. The Results Infosec World 201929

30. Container Security Workflow Container Registry S t a t i c A n a l y s i s R u n t i m e A n a l y s i s R u n t i m e P r o t e c t i o n Instrument Container Sec Behavior Templates Security Policies Security Policy Enforcement SecOpsDevOps Notifications Alerts Insight Instrumented Container Instrumented Container runs in observation mode on premise or in cloud A s s e s s m e n t / I n s t r u m e n t a t i o n T e s t / S t a g i n g P r o d u c t i o n Validate Container Scan Container Automated enforcement of Secured Container on premise or in cloud Secured Container Inject security probes for N/W, I/O, and App tiers Compliance Enforcement Pass/Fail SW Composition Security Vulnerability Scan Instrumented Container Instrumented Container inserted into registry Insecure Container posted to registry Insecure Container Dev git commit git push New container build with basic unit test New Container Any failed containers are returned to DevOps Failed Container << FAIL PASS >>

31. Qualys Container Security BUILD HOSTRUNTIMEREGISTRY PRE-DEPLOYMENT PHASE POST-DEPLOYMENT PHASE Container Container Sensor Layered-In Sensor or Container Sensor Cloud Agent or Scanner Appliances Infosec World 201931

32. How do we Leverage Excitement to Improve Security?

33. People Want to Learn jlk@qualys.com @johnlkinsella

Editor's Notes

I’m starting day two of Infosec World hard here. There may be strong feelings on this statement, maybe some eye rolling I’m going to ask you to keep an open mind.
Obvious – vulnerabilities This is an appsec viewpoint, yeah? Folks will realize that container security, while it can be about infrastructure security, is very relevant to appsec.
Improved control over deployments Easier scalability Update your apps easier Reconfigure on the fly to disable features which may be vulnerable or resource intensive Better understanding of where your data is and who accesses it Automate health checks and recovery All through automation.
Is this a container security talk, or an application security talk? Unikernels I had a VC recently ask me this…
There once was a bank not feeling they needed to use containers as they didn’t need to deploy so quickly Recent examples: Data volumes accidently deleted Taking 3 days to release new versions of software to production Certificate mismatches Hours to provision a new VM Weeks to acquire new hardware
These screenshots are from Layered Insight’s Gitlab installation. This is how we rolled features to production with a single click. Don’t have to use Gitlab – there’s Jenkins, CircleCI, Bamboo, etc
CI is good, but let’s not stop now! Let’s automate deployment, too And rollback. Pair this with Cloud Providers like AWS and Azure, or container orchestration systems like Kubernetes and Docker Swarm If you have to wait for somebody to do something other than click a button to deploy, there’s space for improvement.
A level of automation has been introduced, frequently without more than a drive-by question to the security team, than can easily overwhelm their capabilities.
A modern application can be made up of tens or hundreds of microservices. Something must be put in place to manage the security signal
Screenshots from Qualys container security product. I’ve heard companies say they want to just scan and save the results in case something happens because they don’t have staff to review and process.
Screenshot from Qualys Jenkins plugin for Container Security. Allows the ability to specify triggers as to when an image scan “fails” the build
Commercial from 2000 superbowl
Policy based runtime security Ability to control in ways which previously were very difficult
We have some great speakers here this week…

2019 Infosec World Keynote

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2019 Infosec World Keynote

Similar to 2019 Infosec World Keynote (20)

More from John Kinsella

More from John Kinsella (10)

Recently uploaded

Recently uploaded (20)

2019 Infosec World Keynote

Editor's Notes