Enabling security at speed and scale requires building security as code which is often provided by software defined networks. The cloud offers software defined networks and some challenges to enabling safe workloads.
Finding Security a Home in a DevOps World - Shannon Lietz
Presented this talk at DevOps Summit in 2015 to a DevOps community. Discovered that security is new to most DevOps teams and this was a very good discussion.
Security at the Speed of Software Development - DevOps.com
There are a lot of DevSecOps offerings that are just DevOps lipstick on a traditional security-as-a-gate pig. Also, security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy an order of magnitude or more faster than human gating can achieve.
What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and coaches and stop thinking of their jobs as gatekeepers.
This webinar will introduce a framework to accomplish this mindset shift. It includes guidance on the characteristics of tools compatible with DevOps. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
Take Control: Design a Complete DevSecOps Program - Deborah Schalm
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ... - Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world’s largest healthcare company to proactively discover system weakness before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
DevSecOps Personas – what Developers, Security, and Operations think when it comes to people/tech/processes/culture when it comes to rolling out DevSecOps programs.
Each of these teams have different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, ‘The only way to get anyone to do anything, is to make them want to do it’ - all the tech and process in the world isn’t going to make it successful if the people and culture (and heart) are not in it. So let’s share what we’ve seen from 100s of company interactions, understand better where everyone is coming from, and how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown’s guitar. We’d love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary’s focused on the people, process, technology, and culture aspect of DevSecOps – as someone who’s worked in all three spaces during his time – and what drivers, blockers, etc each experience with ‘DevSecOps’, ‘shift-left’, ‘secure by design’, and the rest.
--------
Find out more about us www.uleska.com/
Follow us on LinkedIn https://www.linkedin.com/company/uleska/
Follow us on Twitter https://twitter.com/uleska_sec/
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" - Aaron Rinehart
This session will cover the foundations of DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.
Runecast: Simplified Security with Unparalleled Transparency (March 2022) - Jason Mashak
Your best future-proofing starts now. Discover, manage, audit and remediate across your hybrid cloud – all via one patented platform. Runecast customers report time savings of 75-90%, security compliance audit readiness, and greatly increased uptime. Enable your IT Security and Operations teams with a single platform for discovering and resolving IT problems you don't yet know about. Ask us about the Runecast Challenge!
Runecast enables organizations with immediate proactive results and ROI in the areas of Cloud Security Posture Management (CSPM), Kubernetes Security Posture Management (KSPM), Governance, Risk Management and Compliance (GRC), IT Operations Management (ITOM), Vulnerability Assessment/Management, Configuration Management and more.
Runecast Analyzer uses the VMware Knowledge Base to analyze the vSphere configuration and logs. It exposes potential issues before they cause major outages. Runecast also uses the vSphere Security Hardening guides and Best Practices to scan your VMware infrastructure for compliance.
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021) - Jason Mashak
Take proactive control of security and efficiency in your IT environment. Runecast reveals any misconfigurations to simplify configuration management, hardware compatibility and uptime. Proactive remediation of issues means no longer needing an entire team working overtime to put out fires. And you can scratch 'vulnerability management' off the to-do list via automated real-time best practice and security compliance audits.
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants) - DJ Schleen
Join us at Agile+DevOps East's DevSecOps Summit on November 18th to check out our new presentation: https://agiledevopseast.techwell.com/program/devsecops-summit-sessions/blameless-retrospectives-devsecops-global-healthcare-giants-agile-devops-virtual-2020
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
Chaos engineering for cloud native security - Kennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, and not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches by injecting security faults that trigger security failures which impact integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reverted to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner and extends the benefits of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google Cloud Platform.
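The two abstracts above (the DevSecOps chaos session and the RDFI talk) describe the same loop: record steady state, inject a security fault, observe whether a control detects it, and revert the environment to a secure state. The harness below is an added example written for this page, not code from either speaker or from the RDFI proof-of-concept. It uses an in-memory stand-in for a cloud account's security groups (constructed here) so it runs offline; the detector logic and the experiment structure are real. The fault, the port list and the detector names are assumptions chosen for illustration. It also runs a variant of the fault against a deliberately weaker detector to show how an experiment surfaces a control that passes the obvious case but misses a near neighbour.

```python
"""Security chaos experiment harness: hypothesis, steady state, fault injection,
observation, guaranteed rollback.  Added example, not code from the talks.  The
"cloud" is an in-memory stand-in constructed here; the detectors are real logic."""
import copy
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    proto: str
    port: int
    cidr: str


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


def steady_state():
    """Constructed steady state: SSH limited to the corporate range, HTTPS public."""
    return {"sg-app": SecurityGroup("sg-app", [
        Rule("tcp", 22, "10.0.0.0/8"),
        Rule("tcp", 443, "0.0.0.0/0"),
    ])}


ADMIN_PORTS = {22, 3389, 3306, 5432}  # assumed list of ports that must never be public


def cidr_detector(groups):
    """Control under test: flag admin ports reachable from any range wider than a /8."""
    findings = []
    for sg in groups.values():
        for r in sg.rules:
            net = ipaddress.ip_network(r.cidr, strict=False)
            if r.port in ADMIN_PORTS and net.prefixlen < 8:
                findings.append((sg.name, r.port, r.cidr))
    return findings


def naive_detector(groups):
    """Weaker control: only matches the literal any-address CIDR string."""
    return [(sg.name, r.port, r.cidr) for sg in groups.values() for r in sg.rules
            if r.port in ADMIN_PORTS and r.cidr == "0.0.0.0/0"]


def inject_fault(groups, sg_name, port, cidr):
    """The security fault: open an admin port to a wide range (assumed fault)."""
    groups[sg_name].rules.append(Rule("tcp", port, cidr))


def run_experiment(groups, detector, sg_name="sg-app", port=22, cidr="0.0.0.0/0"):
    """Run one experiment and return its outcome.  Rollback sits in `finally`, so the
    environment is restored even if the detector raises mid-experiment."""
    snapshot = copy.deepcopy(groups)
    result = {
        "hypothesis": f"{detector.__name__} flags {sg_name} port {port} open to {cidr}",
        "steady_state_clean": detector(groups) == [],
        "detected": False,
        "rolled_back": True,
    }
    if not result["steady_state_clean"]:
        return result  # never inject into an environment that is already out of policy
    try:
        inject_fault(groups, sg_name, port, cidr)
        result["detected"] = (sg_name, port, cidr) in detector(groups)
    finally:
        groups.clear()
        groups.update(copy.deepcopy(snapshot))
        result["rolled_back"] = groups == snapshot
    return result


def run_suite():
    """Same fault in two variants against both controls; returns (detector, cidr) -> detected."""
    outcomes = {}
    for det in (cidr_detector, naive_detector):
        for cidr in ("0.0.0.0/0", "0.0.0.0/1"):
            env = steady_state()
            r = run_experiment(env, det, cidr=cidr)
            assert r["rolled_back"] and env == steady_state(), "rollback failed"
            outcomes[(det.__name__, cidr)] = r["detected"]
    return outcomes


if __name__ == "__main__":
    for (name, cidr), detected in run_suite().items():
        print(f"{name:15s} fault={cidr:11s} detected={detected}")
```

The two design points worth carrying into a real pipeline are the steady-state gate (the experiment refuses to run if the environment is already failing the control, since the result would be meaningless) and rollback in `finally` with a post-rollback equality check against the snapshot, which is the "reverted to a secure state" safety measure the RDFI abstract calls for. The `0.0.0.0/1` variant shows the kind of result these experiments exist to produce: `naive_detector` passes the textbook fault and silently misses a range that is half the internet.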
Chaos Engineering - The Art of Breaking Things in Production - Keet Sugathadasa
This is an introduction to Chaos Engineering - the Art of Breaking things in Production. This is conducted by two Site Reliability Engineers who explain the concepts, history, and principles along with a demonstration of Chaos Engineering.
The technical talk is given in this video: https://youtu.be/GMwtQYFlojU
Application security meetup - cloud security best practices 24062021 - lior mazor
The "Cloud Security Best Practices" meetup is about Secrets Management in the Cloud, Secure Cloud Architecture, Events Tracking in Microservices and How to Manage Secrets in K8S.
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck - Amazon Web Services
Splunk® offers a leading platform for Operational Intelligence, enabling AWS users to look closely at machine data and gain actionable insights that can help make your organization more productive, profitable, competitive, and secure. Join us to learn how Splunk and AWS together can provide the end-to-end visibility needed to respond proactively and as quickly as possible to rapidly evolving security environments.
Learn how Splunk and AWS together can provide the end-to-end visibility needed to respond proactively and as quickly as possible to rapidly evolving security environments.
Speakers:
David Wall, Country Manager ANZ & Head of Asia Pacific & Japan & Arup Chakrabarti, Director of Engineering - Pager Duty
Myles Hosford, Security Solution Architect - AWS
Richard Smith, Strategic Alliances - Splunk
Sam Herath - Six Critical Criteria for Cloud Workload Security - centralohioissa
Modern elastic cloud infrastructure is fundamentally breaking traditional security approaches. Public cloud has no natural perimeter and network segmentation leaving individual cloud servers exposed. In private cloud, malicious East-West traffic inside the network is a serious threat. As new workloads are added and retired dynamically, change control is difficult, and updating granular firewall rules and security policies becomes a risky, manual process. Join us and learn the 6 Critical Criteria to secure your public, private or hybrid cloud – on-demand, anywhere, at any scale.
DevSecOps is a new way to deliver security as part of the Software Supply Chain. It supports a built-in process and faster security feedback loop for DevOps teams.
People no longer hesitate when storing highly sensitive documents like health reports, legal papers, enterprise documents and bank details in cloud storage sites and when geotagging personal photos in social networking sites. Even though the cloud is now an integral part of computer users, there are hardly any universal rules or laws that protect users’ privacy, thereby placing that responsibility in the end user’s hands. This session will discuss key threats to end user privacy and what precautions users can take to eliminate or minimize the harm caused by them.
In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4) - Dominic Tancredi
On May 4, Dom & Tom cofounder Dominic Tancredi spoke to the NYC Healthcare Cloud Meetup group about DevSecOps. Here, he outlines a case study from Dignity Health Group and discusses DevSecOps at D&T.
Security in the cloud Workshop HSTC 2014 - Akash Mahajan
A broad overview of what it takes to be secure. This is more of an introduction where we introduce the basic terms around Cloud Computing and how we go about securing our information assets (Data, Applications and Infrastructure).
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
Azure 101: Shared responsibility in the Azure Cloud - Paulo Renato
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
Introduction to Cloud Technology slide was prepared for Linux/Unix class lecture at Department of Computer Engineering, Chulalongkorn University in Jan 2013.
Scaling Databricks to Run Data and ML Workloads on Millions of VMs - Matei Zaharia
Keynote at Scale By The Bay 2020.
Cloud service developers need to handle massive scale workloads from thousands of customers with no downtime or regressions. In this talk, I’ll present our experience building a very large-scale cloud service at Databricks, which provides a data and ML platform service used by many of the largest enterprises in the world. Databricks manages millions of cloud VMs that process exabytes of data per day for interactive, streaming and batch production applications. This means that our control plane has to handle a wide range of workload patterns and cloud issues such as outages. We will describe how we built our control plane for Databricks using Scala services and open source infrastructure such as Kubernetes, Envoy, and Prometheus, and various design patterns and engineering processes that we learned along the way. In addition, I’ll describe how we have adapted data analytics systems themselves to improve reliability and manageability in the cloud, such as creating an ACID storage system that is as reliable as the underlying cloud object store (Delta Lake) and adding autoscaling and auto-shutdown features for Apache Spark.
General discussions
Why cloud?
The terminology: relating virtualization and cloud
Types of Virtualization and Cloud deployment model
Decisive factors in migration
Hands-on cloud deployment
Cloud for banks
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017) - Codit
While working on several Internet of Things projects with different customers in Europe, it became clear that Integration matters more than ever. Building an overall IoT solution requires many different technologies and skills. The Architect role is crucial to combining different services into one solid solution. Integration skills are extremely important in building robust and scalable IoT solutions. Every phase of the IoT value chain requires integration, since IoT solutions are distributed and decoupled by nature. Retro-fitting existing devices? Routing of telemetry data? Or even exposing analytics results through secured APIs? All these challenges require integration skills. Skills that are very familiar to specialists in the Integration business. This presentation will explain why these are great times to be an Integration expert and how we can help tackling current challenges.
AWS April Webinar Series - How Willbros Builds Securely in AWS with Trend Micro - Amazon Web Services
Willbros, a leading infrastructure contractor serving the oil and gas industry, leverages Amazon Web Services (AWS) and Trend Micro Deep Security to quickly design and deploy agile, secure cloud solutions to protect their vital data. Moving to AWS allows organizations to leave their infrastructure behind and start fresh – architecting for flexibility and scalability. However, bottlenecks are created when traditional on-premises security approaches and tools are used. Learn how Willbros unleashed innovation in the energy industry by taking a greenfield approach to security in AWS. Attend this practical webinar by AWS, Trend Micro and Willbros to learn how you can design a flexible, agile architecture that meets compliance requirements and protects your most valuable asset – your data. Jason Cradit from Willbros will share their experience on how they achieved building robust and secure pipeline management systems in the cloud.
Topics will include:
• Identify and select the AWS services and configurations required to build secure applications in the AWS Cloud
• Identify and select the Trend Micro services that complement AWS' broad set of security features
• Architect a secure application using a combination of AWS services, Trend Micro services, and configurations
• How to protect workloads from attacks, without hampering performance
Who Should Attend:
• Solutions Architects, IT Operations Professionals, Dev-Ops Engineers, and System Integrators
Maturing IoT solutions with Microsoft Azure (Sam Vanhoutte & Glenn Colpaert a...Codit
“Internet of Things” is changing our world and today the Internet of Things knows almost as many applications as there are types of devices connected. In this session, Sam and Glenn will give an overview of the latest IoT solutions, the different learnings from the field and explain which key components are instrumental to integrating your solutions to the Azure IoT platform to ensure they are robust, future-proof and secure.
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
AWS, Azure and Google Cloud have disrupted the traditional infrastructure market. After realizing that security is a major roadblock to cloud adoption, they are putting money and effort to built-in security features. But hybrid setups remain a challenge for companies and there is a learning curve for security teams to be proficient on cloud. Find out how to choose the best toolset to secure your data in the cloud.
The presentation starts with a blank slate for those who have no idea of what cloud and virtualization world is to gradually building up till handling security issues.If any one wants the soft copy,please ask for it at anupam@blumail.org
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...Amazon Web Services
Sumo Logic offers a powerful cloud-native analytics solution that supports all types of machine data. Our platform integrates easily with your AWS infrastructure supporting fast, accurate and secure analysis and monitoring of enormous amounts of data—giving you clear and direct visibility into its operations.
In this webinar, you’ll learn how organizations such as Greenhouse Software harness cloud-native machine data analytics to optimize the internal and external process lifecycles, monitor the health of all AWS application and services and deliver a WOW application to their end users.
Cloud computing transforms the way we can store, process and share our data. New applications and workloads are growing rapidly, which brings every day more sensitive data into the conversation about risk and what constitutes natural targets for bad actors. This presentation reflects on current best practices to address the most significant security concerns for sensitive data in the cloud, and offers participants a list of steps to achieve enterprise-grade safety with MongoDB deployments among the expanding service provider options.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
12. This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
DevOps brings mega-change!
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
… And maybe that’s a good thing!
13. Top 5 Cloud Security Principles 2.0
• The Cloud is not a Datacenter.
• Reduce blast radius; play the odds.
• Encryption is inconvenient.
• Speed & Ease is both Friend & Foe.
• Protection is ideal; Detection is a must!
16. Direct Connections/VPNs to Clouds are evil!
[Diagram: a DataCenter and a CloudProviderNetwork, each with a PUBLIC SUBNET holding APP and DATABASE tiers, joined by a VPN (SOFTWARE VPN or MANAGED VPN, PRIVATE 10.0.0.0/8) used for Remote Access; other labels: Cloud Web Console, API Credentials. Caption: “NEW” BOUNDARY HAS ALL THE WEAKNESSES OF BOTH AND MIXES TWO DIFFERENT SECURITY MODELS! Callouts: Connected & Routable? No IDS? What do you mean the IP could change? Tags? Security Groups? SDE?]
17. Host-Based Controls
• Shared Responsibility and Cloud require host-based controls.
• Instrumentation is everything!
• Fine-grained controls require more scrutiny and bigger big data analysis.
[Diagram: CloudProviderNetwork with two Instances and an instrumentation feed: Tested machine image… / Tested instances... / Tested roles... / Tested passwords... / New instance created… / Instance 12345 changed… / User ABC accessed Instance 12345...]
18. Lights out…
• Lights out datacenters have always been a desired nirvana.
• Automation is required to stack and replace cloud workloads.
• Cloud security benefits are derived from lights out…
  • Automation & Instrumentation
  • Ephemeral Bastions
  • Drift Management
  • Security Testing
[Diagram: CloudProviderNetwork with a Bastion and two Instances, with the same instrumentation feed as slide 17.]
19. Long live APIs…
• Everything in the cloud should be an API, even Security…
• Protocols that are not cloudy should not span across environments.
• If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
  • Messaging
  • Databases
  • File Transfers
  • Logging
[Diagram: CloudProviderNetwork behind “My API” (Application Gateway) carrying User Routing, Data Replication, File Transfers, Log Sharing and Messaging, with the same instrumentation feed as slide 17.]
22. Beware of Orchestrators…
• Orchestration creates blast radius because it centralizes the deployment/security for cloud workloads.
• Tools that act on behalf usually require credentials and create blindspots.
• Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.
[Diagram: a Cloud Orchestration Platform holding secrets for CloudAccounts A, B and C in the CloudProviderNetwork. Callout: What’s normal?]
23. Account Sharding is a new control!
• Splitting cloud workloads into many accounts has a benefit.
• Accounts should contain less than 100% of a cloud workload.
• Works well with APIs; works dismally with forklifts.
• What is your appetite for risk?
[Diagram: Cloud Workload Templates deployed across three CloudAccounts in the CloudProviderNetwork at 33 % / 33 % / 33 %, with an attacker against one account.]
24. MFA is a MUST!
• Passwords don’t work.
• Passwords aren’t enough to protect infrastructure.
• Use MFA to protect User accounts and API credentials used by Humans.
• On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.
[Illustration: a deployment session prompting for a 123456 token:]
Implement cloud template…
API Credentials accepted...
Please input your MFA token:
XXXXXX (123456)
Cloud stack 123 has been implemented.
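The last bullet, roles that only work when MFA was presented, as an added example that is not part of the slides: a small model of the IAM-style evaluation order (explicit Deny wins, then explicit Allow, otherwise implicit deny) driven by the real condition key aws:MultiFactorAuthPresent. The policy statements, action names and request contexts are constructed for illustration; the contrast between Bool and BoolIfExists on the Deny statement is the practitioner caveat worth seeing.

```python
from fnmatch import fnmatch

# Request context as the platform presents it: the MFA key is only present
# for sessions established with a token, so a call signed with long-term
# access keys carries no such key at all (constructed contexts).
NO_MFA_CONTEXT = {}
MFA_CONTEXT = {"aws:MultiFactorAuthPresent": "true"}

# Constructed role policy: read-only calls always; stack changes need MFA;
# key deletion is explicitly denied unless MFA was presented.
DEPLOY_ROLE_POLICY = [
    {"Effect": "Allow", "Action": ["ec2:Describe*"]},
    {"Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow", "Action": ["kms:*"]},
    # BoolIfExists, not Bool: a Deny written with Bool/false never matches a
    # request that lacks the key, which is exactly the no-MFA case to catch.
    {"Effect": "Deny", "Action": ["kms:ScheduleKeyDeletion"],
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]

# The common mistake, kept for contrast: the same Deny written with Bool.
WEAK_DENY_POLICY = [
    {"Effect": "Allow", "Action": ["kms:*"]},
    {"Effect": "Deny", "Action": ["kms:ScheduleKeyDeletion"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists operators against the request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # missing key counts as a match
                return False          # plain Bool: a missing key never matches
            if context[key].lower() != wanted.lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return "Allow" or "Deny" for one action under the IAM evaluation order."""
    allowed = False
    for statement in policy:
        if not any(fnmatch(action, p) for p in statement["Action"]):
            continue
        if not condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"             # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny by default
```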
25. Cloud Disaster Recovery is a different animal…
• Regional recovery is not enough to cover security woes.
• Security events can quickly escalate to disasters.
• Got a disaster recovery team?
• Multi-Account strategies with separation of duties can help.
• Don’t hard code if you can help it.
• Encryption is inconvenient, but necessary…
[Diagram: Cloud Workload Templates split 50 % / 50 % across two CloudAccounts in the CloudProviderNetwork, plus Disaster Templates covering 50 % in separate CloudAccounts.]
27. Encryption is a necessary evil…
• It helps with Safe Harbor.
• It helps with SQL Injection.
• It helps with Data Ownership.
• It helps with Privacy.
It’s not a silver bullet…
[Diagram: CloudProviderNetwork with three CloudAccounts; an Instance running App and DB on Disk alongside Secrets Management, Key Management & Encryption and a Managed Service.]
28. So much inconvenience
• It can limit scale and it may narrow design options.
• Scalable Key Management is really hard in the cloud.
• Inconvenience commonly comes from blue/green changes, dynamic environment & sharing secrets for auto-scale.
[Diagram: two CloudAccounts with APP and DB tiers auto-scaled across many Instances, each with its own Disk, all depending on one Secrets Management service. Caption: Phew I’m exhausted]
29. Overcoming Inconvenience
• Use built-in transparent encryption when possible.
• Use native cloud key management and encryption when available.
• Develop backup strategies for keys and secrets.
• Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.
• Use APIs to exchange data and rotate encryption.
[Diagram: same as slide 27.]
31. Speed & Ease can create problems…
• Overloaded terms like “Policy” can cause confusion for DevOps and Security teams.
• Applying broad controls to narrow problems can create gaps.
• Security reviews are too slow…
• Mistakes can and do happen!!
• Security scanners and testing tools are not yet available for solving these speed & ease challenges.
[Illustration: DEVOPS and SECURITY on either side of CLOUD SECURITY POLICIES / SECURITY AS CODE (“Page 3 of 433”). Callouts: How do I? Did you mean? What is? Sigh… It’s like we aren’t speaking the same language…]
32. Mixed modes don’t work
• Forklifts are not a good idea because the original controls operate differently.
• Systems designed for waterfall don’t have an easy path to achieve agile.
• Fragile applications in the cloud are easy pickings for attackers!
[Illustration caption: MAN – THIS SHELL IS HEAVY!]
33. Code can solve the divide
• Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
• Translation from paper to code can lead to mistakes.
• Traditional security policies do not 1:1 translate to Full Stack deployments.
[Diagram: DataCenter and CloudProviderNetwork side by side with policy items LOCK YOUR DOORS, BADGE IN, AUTHORIZED PERSONNEL ONLY, BACKGROUND CHECKS, CHOOSE STRONG PASSWORDS, USE MFA, ROTATE API CREDENTIALS, CROSS-ACCOUNT ACCESS; caption: EVERYTHING AS CODE (“Page 3 of 433”).]
34. Speed & Ease can increase security!
• Fast remediation can remove an attack path quickly.
• Resolution can be achieved in minutes compared to months in a datacenter environment.
• Continuous Delivery has the advantage of being able to publish over an attacker.
• Built-in forensic snapshots and blue/green publishing can allow systems to be recovered while an investigation takes place.
[Diagram: APP/DB stacks labelled ATTACKED, FORENSICS and RECOVERED.]
37. Cloud Security is a Big Data Challenge…
• DevOps + Security is the biggest big data challenge ahead.
• Use Attack Models and choose the right Data Sources to discover attacks in near real-time.
• Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.
Data Sources:
• Web Access Logs
• Java Instrumentation
• Proxy Logs
• DNS Logs
40. Safe experimentation is critical…
• Test possible solutions, arrive at Good Enough.
• Crawl-Walk-Run plans can save your org from large-scale incidents.
• Keep up with Lessons Learned!
41. Don’t Hug Your Instances… (10 DAYS)
• Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
• Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
• Make sure to keep a snapshot for forensic and compliance purposes.
• Use config management automation to make changes part of the stack.
• Refresh routinely; refresh often!
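The 10-day rule above, together with the Drift Management bullet on slide 18, as an added fleet check that is not code from the slides: it flags instances older than the limit and instances not launched from the currently tested machine image. The inventory, timestamps and image ids are constructed placeholders; in practice the list would come from the cloud provider's instance-listing API.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=10)              # the slide's "at least every 10 days"
TESTED_IMAGE = "ami-tested-2024-06"       # placeholder id for the approved image

# Constructed inventory: instance id, launch time (UTC) and the image it runs.
INVENTORY = [
    {"id": "i-0001", "launched": "2024-06-01T08:00:00Z", "image": "ami-tested-2024-06"},
    {"id": "i-0002", "launched": "2024-05-15T08:00:00Z", "image": "ami-tested-2024-06"},
    {"id": "i-0003", "launched": "2024-06-09T08:00:00Z", "image": "ami-old-2024-01"},
    {"id": "i-0004", "launched": "2024-05-01T08:00:00Z", "image": "ami-old-2024-01"},
]
# Fixed "now" so the run is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2024-06-01T08:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_fleet(inventory, tested_image, now, max_age=MAX_AGE):
    """Return {instance_id: [reasons]} for every instance that should be replaced.

    Reasons are "stale" (running longer than max_age) and "untested-image"
    (not launched from the tested image). Clean instances are omitted, so an
    empty dict means the whole fleet is fresh and on the tested image.
    """
    findings = {}
    for inst in inventory:
        reasons = []
        if now - parse_time(inst["launched"]) > max_age:
            reasons.append("stale")
        if inst["image"] != tested_image:
            reasons.append("untested-image")
        if reasons:
            findings[inst["id"]] = reasons
    return findings


def replacement_order(findings):
    """Rebuild instances failing both checks first, then the rest by id."""
    return sorted(findings, key=lambda i: (-len(findings[i]), i))


if __name__ == "__main__":
    findings = review_fleet(INVENTORY, TESTED_IMAGE, SAMPLE_NOW)
    for inst_id in replacement_order(findings):
        print(f"{inst_id}: {', '.join(findings[inst_id])}")
```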
42. Use Cloud Native Security Features...
• Cloud native security features are designed to be cloudy.
• Audit is a primary need!
• Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
• Be deliberate about how to use built-in security controls and who has access.
44. Apply what you learned today…
• Next week you should:
  • Understand how your organization is or plans to use cloud providers
  • Identify cloud workloads and virtual blast radius within your organization
• In the first 3 months following this presentation you should:
  • Begin to build Security as Code skills and run cloud security experiments to understand the issues
  • Develop Crawl-Walk-Run plans to help your organization build security into cloud workloads
• Within 6 months:
  • Cloud workloads have been instrumented for known security issues and flagged during the Continuous Delivery of software to the cloud
  • Your group has begun to test using Red Team methods and automation to ensure end-to-end security for your cloud workloads
  • Remediation happens in hours to days as a result of automation
45. Get Involved & Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
Join Us !!! Spread the word!!!