This presentation describes Agile development practices as well as the requirements for building secure applications. It examines ways that teams can incorporate security into Agile development projects to successfully meet the goals of both.
DevOps continues to be a buzzword in the software development and operations world, but is it really a paradigm shift? It depends on what lens you view it through.
Roman Garber, an active software security engineer and software team lead, thinks so. Ed Adams, Security Innovation CEO, a 20-year software quality veteran and former mechanical engineer, curmudgeonly disagrees.
My talk at PMI Sweden Congress 2013 on Agile and Large Software Products - Svante Lidman
This is my "Success Factors for Agile Development of Very Large Software Products" as it was presented at the PMI Sweden Congress on March 11, 2013. The title of the presentation is in Swedish but the material is almost completely in English.
Agile methods and safety critical software - Peter Gardner, AdaCore
This talk surveys Agile methods and formulates a list of features that occur in these methods, then considers whether each of the features can be applied in the field of safety-critical software development. The talk concludes that almost all of the features of Agile methods are applicable to safety-critical software but that existing standards are a problem for Agile's de-emphasis of design and documentation. The talk also looks for quantitative evidence in the published literature for the benefits of Agile methods in software development in general, and surveys various published opinions on Agile's application to safety-critical software development.
How to achieve security, reliability, and productivity in less time - Rogue Wave Software
This introductory session lays the foundation for boosting the effectiveness of mission-critical systems testing by covering industry best practices for code security, software reliability, and team productivity. For each area, you will learn how to mitigate the top issues by seeing real examples and understanding the tools and techniques to overcome them. This includes the value of different testing methods, the importance of standards compliance, and understanding how DevOps and continuous integration fit in.
Webinar presented by The Linux Foundation and Rogue Wave Software. Professional open source management addresses many aspects of the software development lifecycle, from technical to operational to legal concerns. Key to success with open source is choosing the right means and methods for obtaining support for the open source in your software portfolio, and understanding how to maintain integrated and embedded open source code over time.
How to extend the shelf life of software and enable long-lived, adaptable software architectures.
Herzliya - July 2015 @
ILTAM - Israeli Users' Association of Advanced Technologies in Hi-Tec Integrated Systems
IASA - International Association of Software Architects
Think Future Technologies – corporate presentation (public) - Tft Us
Think Future Technologies is a leading provider of outsourcing software development, QA & Testing and related services. Based in India and serving clients worldwide, Think Future Technologies delivers a wide variety of comprehensive end-to-end services that combine power, functionality, and reliability with flexibility, agility, and usability.
Our broad portfolio of service offerings includes software development, user interface design, and architecture planning, as well as quality assurance, implementation, deployment, maintenance, and documentation support. Through the efficient execution of these services, we can create robust, cutting-edge custom technology applications that most effectively address the unique business needs of our customers.
Vulnerability Management In An Application Security World - Denim Group
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
From the OWASP Washington DC meeting August 5, 2009.
Think Future Technologies is a QA & Testing focused outsourcing company based in India and currently serving clients in the United States, Israel and Australia. We, Think Future Technologies, offer expertise in delivering automation testing solutions based on various industry standard automation tools.
This presentation was given for my invited keynote talk entitled "Low Ceremony Processes for Short Lifecycle Projects" in the 2013 International Conference on Software and System Processes in San Francisco. If you reuse any of the material in this presentation, please give an appropriate acknowledgment.
Agile and Automation have been growing up together over the past decade. Neither practice nor toolset evolves in a vacuum. Rather, they inform each other.
This presentation looks at this history, with an eye towards where the current trends are pushing us.
Programming languages and techniques for today’s embedded and IoT world - Rogue Wave Software
This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.
Enterprise system implementation strategies and phases - John Cachat
Implementation Strategies
- Full blown
- Staggered or Phased
Implementation Phases
- Project planning
- Application exploration
- System design
- System testing
- System activation – “go live”
johncachat@hotmail.com
www.peproso.com
This presentation by Christopher Grayson covers some lessons learned as a security professional who has made his way into software engineering full time.
SharePoint and Lean Development: Critical Factors for Accelerating Time to Va... - Dave Healey
From the lean enterprise to the lean startup, organizations are increasingly turning to lean production practices to create and preserve value with less work. SharePoint’s broad deployment, mature functional capabilities and robust extensibility make it a natural candidate for lean development scenarios, yet realizing the promise of the platform is not without risk.
This session covers the basics of lean production and explores the risks and possibilities in lean development with SharePoint. Through real-world case studies we discuss the seven most important factors for accelerating time-to-value across
- Economic,
- Cultural, and
- Engineering dimensions.
Outpost24 webinar: Turning DevOps and security into DevSecOps - Outpost24
DevOps is a revolution starting to deliver. The “shift left” security approach is trying to catch up, but challenges remain. We will go over concrete security approaches and real data that overcome these challenges.
It takes more than adding “hard to find” security talent to your DevOps team to reach DevSecOps benefits. Our discussion focuses on the practical side and lessons learned from helping organizations gear up for this paradigm shift.
Rolling Out An Enterprise Source Code Review Program - Denim Group
Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including identifying all sources of custom code in an organization (including custom extensions to ERP systems and enterprise portals), selecting the first round of applications to scan, and successfully interpreting results and driving resolution of identified issues.
Topic: The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
This presentation focuses on how security officers or development leaders can apply a disciplined approach to building internal consensus to build secure software. A five-step process will be laid out that will enable a manager to characterize the landscape, secure management buy-in, baseline the existing risks, set modest goals and attempt to achieve them, and sustain the initiative. Emphasis will be on actionable steps that successful managers have used to drive the adoption of secure software strategies in large organizations.
Bridging the Gap: from Data Science to Production - Florian Wilhelm
A recent but quite common observation in industry is that although there is an overall high adoption of data science, many companies struggle to get it into production. Huge teams of well-paid data scientists often present one fancy model after the other to their managers, but their proofs of concept never manifest into something business relevant. The frustration grows on both sides, managers and data scientists.
In my talk I elaborate on the many reasons why data science to production is such a hard nut to crack. I start with a taxonomy of data use cases in order to more easily assess technical requirements. Based thereon, my focus lies on overcoming the two-language problem, which is Python/R loved by data scientists vs. the enterprise-established Java/Scala. From my project experiences I present three different solutions, namely 1) migrating to a single language, 2) reimplementation and 3) usage of a framework. The advantages and disadvantages of each approach are presented and general advice based on the introduced taxonomy is given.
Additionally, my talk also addresses organisational problems as well as problems in quality assurance and deployment. Best practices and further references are presented at a high level in order to cover all facets of data science to production.
With my talk I hope to convey the message that breakdowns on the road from data science to production are rather the rule than the exception, so you are not alone. At the end of my talk, you will have a better understanding of why your team and you are struggling and what to do about it.
In their aftermath, the Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ... - Denim Group
The SolarWinds attack brought additional scrutiny to software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers and 3rd party development contractors to an array of open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale - Denim Group
Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.
Application Asset Management with ThreadFix - Denim Group
Too many organizations have an incomplete picture of their application portfolios. Because they are unable to protect attack surfaces that they don’t know about, this leaves them vulnerable. In this webinar, we will cover the capabilities of ThreadFix that allow security teams to manage their application asset portfolios. We will also take a deeper dive into several tools, such as nmap and OWASP Amass, that can help security analysts better enumerate all of the applications in their organization’s portfolio.
Title:
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Abstract:
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Speaker:
Dan Cornell
Bio:
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
Using Collaboration to Make Application Vulnerability Management a Team Sport - Denim Group
Vulnerability management - especially application vulnerability management - is a challenging business function because it crosses disciplinary boundaries. Security teams find and adjudicate vulnerabilities, DevOps and server ops teams have to fix them, and GRC teams need to be kept apprised of status and progress. As has always been the case - but especially in a necessarily remote work environment - collaboration is key to making these business functions operate efficiently and effectively. This webinar looks at common bottlenecks that snarl vulnerability remediation workflows and discusses strategies to address these issues via collaboration. Examples are given of implementing these via the ThreadFix platform, but the strategies are universally applicable for vulnerability management professionals looking to streamline their vulnerability remediation workflows.
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr... - Denim Group
This webinar takes a dive into the biggest features and benefits in the latest ThreadFix release and the evolving feature set. We will focus on ThreadFix’s new capabilities, including managing internal penetration testing teams with ThreadFix, tracking vulnerability time to live policies, and a host of additional enhancements.
Security Champions: Pushing Security Expertise to the Edges of Your Organization - Denim Group
Application security teams are outnumbered. Even in security-conscious environments, application developers often exceed application security professionals by a ratio of 100:1. In addition, the push for digital transformation is accelerating the pace of development – exacerbating these challenges. One technique forward-looking security teams have adopted to stay afloat is to deploy security champions into development teams throughout the organization. This webinar looks at different models for standing up security champion initiatives and relates Denim Group’s experiences helping organizations craft and staff these programs.
The As, Bs, and Four Cs of Testing Cloud-Native Applications - Denim Group
Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities in systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.
An Updated Take: Threat Modeling for IoT Systems - Denim Group
The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device; these devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture.
This webinar looks at how Threat Modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In... - Denim Group
The tempo for software delivery to the warfighter continues to accelerate to meet the goals and demands of their missions. Pressures to rapidly build and deploy mission software drive the need to deliver new capabilities via DevSecOps pipelines. Many of the latest leading-edge DevSecOps practices draw heavily from commercial tech companies and innovative programs across DoD like Kessel Run. What are these latest trends, and how do you take advantage of them? How do you quantify the risk of microservices, new languages and frameworks, and cloud environments and still obtain authority to operate (ATO)?
The ThreadFix platform has built-in automation and orchestration capabilities to enable your teams to provide immediate feedback in the form of policy evaluation, notifications in the form of emails and automated developer defect creation, and decision-making on your CI program as scan results are generated. In addition to built-in automation, plugins and the ThreadFix API enable CI programs to seamlessly integrate security testing into existing build/release pipelines to provide evaluation of code changes directly to your development tools.
These key issue items and other trends will be discussed in this highly interactive briefing, providing critical insights on how to inject agility and responsiveness into environments that have traditionally struggled to keep pace with modern development approaches.
A New View of Your Application Security Program with Snyk and ThreadFix - Denim Group
Snyk continuously monitors your application’s dependencies and lets you quickly respond when new vulnerabilities are disclosed. ThreadFix allows organizations to gain true visibility into your project’s security posture by cross-referencing results on an app from multiple sources (SCA, SAST, DAST, etc.), ultimately enabling better prioritization, while Snyk focuses on remediation at the source with automated fix pull requests. Join us to see how, together, Snyk and ThreadFix can enhance application security and prevent risks, while preserving development scale and speed.
Enabling Developers in Your Application Security Program With Coverity and Th... - Denim Group
Developers need to move quickly and efficiently. Coverity’s speed, accuracy, ease of use, and scalability meet the needs of even the largest, most complex environments. ThreadFix allows you to centralize all test and vulnerability data in one place so your software security team can spend less time on manually correlating results and more time focusing on higher-level risk decisions. Join us to get a firsthand look at how Coverity and ThreadFix arm development teams with the tools they need to advance security programs in real time.
AppSec in a World of Digital Transformation - Denim Group
The mandate for digital transformation is forcing companies to innovate faster in order to provide more value to customers and bring products and services to the market more quickly. Technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and more easily address scaling requirements. This upheaval presents both risks and opportunities for security leaders. The successful leaders view this transition as a clean-slate opportunity to “get security right” and will restructure their teams and technologies to deeply embed security throughout the new tech stack. This session will cover emerging strategies that security leaders are using to ensure they keep up with this massive industry change.
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities in systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.
Many organizations have only a passing understanding of the scope of their application portfolios and how these assets are exposed to the Internet and other potentially dangerous networks. This puts them in a risky situation where they have an attack surface that is unknown and unmanaged, often resulting in serious vulnerabilities being exposed indefinitely. This presentation looks at several tools and methods that can be used to enumerate enterprise application assets – including web applications, mobile applications, and web services. The discussion covers several open source application asset identification tools and compares their effectiveness. Finally, a framework for ongoing application asset discovery and enumeration is presented so that security managers can embark on a structured program to characterize their risk exposure due to their enterprise attack surface.
Agile and Secure
1. Agile and Secure – Can We Be Both?
San Antonio AITP
August 15th, 2007
2. Agenda
• Background
• Evolution of traditional software development methodologies
• Benefits of Agile development
• Requirement for Secure development
• Agile and Secure
• Questions
3. Background
• Programmer by background
– Both .NET and JEE: MCSD, Java 2 Certified Programmer
– Developer focused on security, not a security professional looking at development
• Denim Group
– Software Development: .NET and JEE
– Software / Application Security
• Vulnerability Assessments, Penetration Tests, Training, Mentoring
• Basis for this presentation:
– Work with our customers doing SDLC security mentoring
– Challenges facing our own agile development teams
• Deliver projects in an economically-responsible manner
• Uphold security goals
5. Ad Hoc Software Development
• Early days of computing
– Focus was on hardware
– Software was secondary
• No structure – “cowboy coding”
• Became unacceptable as software systems became larger and more critical
8. Problems with Waterfall Model
• Creating software is different from creating bridges or buildings
– Creativity required throughout the process – not just at the outset
• Very documentation heavy
• Changes are expensive
– Must go back up the waterfall for impact analysis
• Business requirements change over time
– By the time you finish a system, the target has moved
9. Enter Agile Methods
Be more responsive to business concerns
Increase the frequency of stable releases
Decrease the time it takes to deploy new features
Do not waste time on “superfluous” documentation and planning
10. Notable Agile Methods
• eXtreme Programming (XP)
• Feature Driven Development (FDD)
• SCRUM
• MSF for Agile Software Development
• Agile Unified Process (AUP)
• Crystal
11. Manifesto for Agile Software Development
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
Source: http://www.agilemanifesto.org/
13. Principles of Agile Development
• Rapid Feedback
• Simple Design
– The system is appropriate for the intended audience.
– The code passes all the tests.
– The code communicates everything it needs to.
– The code has the smallest number of classes and methods.
• Incremental Change
• Embracing Change
• Quality Work
14. Agile Practices
• The Planning Game
– Customer: scope, priorities and release dates
– Developer: estimates, consequences and detailed scheduling
• The Driving Metaphor
• Shared Vision
• On-Site Customer
• Small Releases
– Development iterations or cycles that last 1-4 weeks.
– Release iterations as soon as possible (weekly, monthly, quarterly).
15. More Agile Practices
• Collective Ownership
• Test Driven
• Continuous Integration
• Coding Standards
• Pair Programming
16. The Agile Practitioner’s Dilemma
Agile Forces:
Be more responsive to business concerns
Increase the frequency of stable releases
Decrease the time it takes to deploy new features
Do not waste time on “superfluous” documentation and planning
Secure Forces:
Comply with more aggressive regulatory environment
Focus on need for security
Traditional approaches to security require additional documentation and planning (D’Oh!)
17. Definition of Secure
A secure product is one that protects the confidentiality, integrity, and availability of the customers’ information, and the integrity and availability of processing resources under control of the system’s owner or administrator.
-- Source: Writing Secure Code (Microsoft.com)
18. A Secure Development Process…
• Strives To Be A Repeatable Process
• Requires Team Member Education
• Tracks Metrics and Maintains Accountability
Sources:
“Writing Secure Code” 2nd Ed., Howard & LeBlanc
“The Trustworthy Computing Security Development Lifecycle” by Lipner & Howard
19. Secure Development Principles
• SD3: Secure by Design, Secure by Default, and Secure in Deployment
• Learn From Mistakes
• Minimize Your Attack Surface
• Assume External Systems Are Insecure
• Plan On Failure
• Never Depend on Security Through Obscurity Alone
• Fix Security Issues Correctly
20. Secure Development Practices
• Threat Modeling / Architectural Risk Assessment
• Education, Education, Education
• Secure Coding
– Via standards and practitioner knowledge
• Security Reviews
– Architecture
– Design
– Code
• Security Testing (Penetration Testing)
21. Microsoft’s Secure Development Lifecycle (SDL)
• Requirements
• Design
• Implementation
• Verification
• Release
• (Waterfall!)
22. Dr. Dobb’s says Agile Methods Are Catching On
41% of organizations have adopted an agile methodology
Of the 2,611 respondents doing agile…
• 37% using eXtreme Programming
• 19% using Feature Driven Development (FDD)
• 16% using SCRUM
• 7% using MSF for Agile Software Development
Source: http://www.ddj.com/dept/architect/191800169
24. Adoption Rate for Agile Practices
Of the respondents using an agile method…
• 36% have active customer participation
• 61% have adopted common coding guidelines
• 53% perform code regression testing
• 37% utilize pair programming
27. Organization Setup
• Education & Training (include Security)
– Developers
– Testers
– Customers
• User Stories / Use Case Driven Processes
• Enterprise Architecture Decisions
• Organizational adoption of Threat Modeling
28. Project / Release Planning
• User Stories / Use Cases Drive…
– Acceptance Test Scenarios
– Estimations may affect priorities and thus the composition of the release
– Inputs for Threat Modeling
– Security Testing Scenarios
– Determine the qualitative “risk budget”
• Keep the customer involved in making risk tradeoffs
• Finalize Architecture & Development Guidelines
– Common Coding Standards (include security)
• Crucial for collective code ownership
– Data Classification standards
– Conduct Initial Threat Modeling (assets & threats)
• Agree on STRIDE and DREAD classifications
– Designer’s Security Checklist
29. Iteration Planning
• 1-4 Weeks in Length (2 weeks is very common)
• Begins with an Iteration Planning Meeting
– User Stories are broken down into Development Tasks
– Developers estimate their own tasks
– Document the Attack Surface (Story Level)
– Model the threats alongside the user story documentation
• Crucial in documentation-light processes
• Capture these and keep them
– Code will tell you what decision was made, threat models will tell you why decisions were made
– Crucial for “refactoring” in the face of changing security priorities
• Never Slip the Date
– Add or Remove Stories As Necessary
30. Executing an Iteration
• Daily Stand-ups
• Continuous Integration
– Code Scanning Tools
– Security Testing Tools
• Adherence to Common Coding Standards and Security Guidelines
– Crucial for communal code ownership
• Developer’s Checklist
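The "Code Scanning Tools" step of continuous integration on the slide above, as an added example that is not part of the original presentation: a small gate built on Python's `ast` module that enforces two rules from an assumed team security coding standard (no `eval`/`exec`; no SQL assembled by string formatting or concatenation handed to `execute`) and returns its findings so the CI job can fail the build. The rule names R1/R2, the sample source and the sink names are assumptions for illustration, not from the slides.

```python
"""Minimal code-scanning gate for a continuous-integration build.

Added example, not code from the original slides. Two rules from an assumed
team security coding standard are enforced on Python source:
  R1  no eval()/exec()
  R2  no SQL assembled at runtime (f-string, %, .format, +) passed to execute()
The sample source below is constructed for illustration.
"""
import ast

BANNED_CALLS = {"eval", "exec"}            # R1
SQL_SINKS = {"execute", "executemany"}     # R2: cursor methods that take SQL text


class StandardsChecker(ast.NodeVisitor):
    def __init__(self, filename):
        self.filename = filename
        self.findings = []  # (rule, line, message)

    def _report(self, rule, node, message):
        self.findings.append((rule, node.lineno, message))

    @staticmethod
    def _is_dynamic_string(expr):
        """True for f-strings, '%' formatting, .format() calls and '+' concatenation."""
        if isinstance(expr, ast.JoinedStr):
            return True
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
            return True
        return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format")

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name):
            name = func.id
        elif isinstance(func, ast.Attribute):
            name = func.attr
        else:
            name = None
        if name in BANNED_CALLS:
            self._report("R1", node, f"{name}() is banned by the coding standard")
        # A constant first argument (parameterised query) is allowed; a built one is not.
        if name in SQL_SINKS and node.args and self._is_dynamic_string(node.args[0]):
            self._report("R2", node, "SQL statement assembled at runtime; use a parameterised query")
        self.generic_visit(node)


def scan_source(source, filename="<memory>"):
    """Return findings as (rule, line, message) tuples ordered by line."""
    checker = StandardsChecker(filename)
    checker.visit(ast.parse(source, filename=filename))
    return sorted(checker.findings, key=lambda f: f[1])


def ci_gate(source, filename="app.py"):
    """(passed, findings): the build passes only when no finding is reported."""
    findings = scan_source(source, filename)
    return (not findings, findings)


# Constructed sample: line 2 is the compliant form, lines 3, 4 and 7 violate the standard.
SAMPLE = '''\
def lookup(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cur.execute("SELECT * FROM users WHERE id = " + user_id)

def load(cfg):
    return eval(cfg)
'''

if __name__ == "__main__":
    passed, findings = ci_gate(SAMPLE)
    for rule, line, message in findings:
        print(f"app.py:{line}: {rule}: {message}")
    raise SystemExit(0 if passed else 1)
```

Run against a real tree, the gate would iterate over the repository's `.py` files and exit non-zero on any finding; the point is that a standard the team agreed on in release planning is checked by the build on every commit rather than remembered by reviewers.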
31. Closing an Iteration
• Automation of Customer Acceptance Tests
– Include negative testing for identified threats
• Security Code Review
– Some may have happened informally during pair programming
32. Stabilizing a Release
• Schedule Defects & Vulnerabilities
– Prioritize vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards
• Security Push
– Include traditional penetration testing
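Story-level threat models kept beside the user story with agreed STRIDE and DREAD standards (the Iteration Planning and Stabilizing a Release slides), and negative acceptance tests for the identified threats (the Closing an Iteration slide), as one added example that is not from the original presentation. The user story, the in-memory ledger, the threats, the DREAD scores, the 1-10 scale, the High/Medium/Low bands and the test names are all constructed or assumed for illustration.

```python
"""Story-level threat model (STRIDE + DREAD) tied to negative acceptance tests.

Added example, not code from the original slides. Story, ledger, threats,
scores and bands are constructed; the 1-10 DREAD scale is an assumed team standard.
"""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "S"
    TAMPERING = "T"
    REPUDIATION = "R"
    INFORMATION_DISCLOSURE = "I"
    DENIAL_OF_SERVICE = "D"
    ELEVATION_OF_PRIVILEGE = "E"


@dataclass(frozen=True)
class Dread:
    """One 1-10 score per factor (assumed scale); the threat's score is the mean."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name}={value} is outside the agreed 1-10 scale")

    @property
    def score(self) -> float:
        return sum(vars(self).values()) / 5


@dataclass(frozen=True)
class Threat:
    story: str           # user story the threat was modelled against
    category: Stride
    description: str
    dread: Dread
    mitigation: str      # records why the code checks what it checks
    negative_test: str   # acceptance test that must pass for the threat to count as covered


class TransferError(Exception):
    pass


class Ledger:
    """System under test for story XFER-1: "transfer funds between my accounts"."""

    def __init__(self):
        # constructed sample data: account id -> [owner, balance in cents]
        self.accounts = {"A-1": ["alice", 10_000], "A-2": ["alice", 500], "B-1": ["bob", 7_500]}

    def transfer(self, session_user, src, dst, amount_cents):
        if src not in self.accounts or dst not in self.accounts:
            raise TransferError("unknown account")
        # Ownership is checked against the authenticated session, never a client-supplied owner.
        if self.accounts[src][0] != session_user:
            raise TransferError("source account not owned by caller")
        # A non-positive amount would reverse the transfer; an overdraft would create money.
        if type(amount_cents) is not int or amount_cents <= 0:
            raise TransferError("amount must be a positive integer number of cents")
        if self.accounts[src][1] < amount_cents:
            raise TransferError("insufficient funds")
        self.accounts[src][1] -= amount_cents
        self.accounts[dst][1] += amount_cents
        return self.accounts[src][1]


def _rejects(*args):
    """True when the transfer fails safely, i.e. raises TransferError."""
    try:
        Ledger().transfer(*args)
    except TransferError:
        return True
    return False


# Negative acceptance tests, one per identified threat; each returns True when it passes.
NEGATIVE_TESTS = {
    "other_users_account_rejected": lambda: _rejects("mallory", "A-1", "B-1", 100),
    "negative_amount_rejected": lambda: _rejects("alice", "A-1", "A-2", -100),
    "overdraft_rejected": lambda: _rejects("alice", "A-2", "A-1", 10_000),
}

THREATS = [
    Threat("XFER-1", Stride.ELEVATION_OF_PRIVILEGE, "Caller names an account they do not own as the source",
           Dread(9, 10, 8, 9, 8), "Check ownership against the session user", "other_users_account_rejected"),
    Threat("XFER-1", Stride.TAMPERING, "Negative amount reverses the direction of the transfer",
           Dread(8, 10, 9, 6, 7), "Reject non-positive amounts server-side", "negative_amount_rejected"),
    Threat("XFER-1", Stride.TAMPERING, "Amount exceeds the balance, creating money",
           Dread(7, 10, 7, 4, 6), "Check the balance before debiting", "overdraft_rejected"),
    Threat("XFER-1", Stride.REPUDIATION, "Holder denies having made a transfer",
           Dread(5, 4, 3, 3, 4), "Audit log of transfers (not implemented here)", "transfer_is_audited"),
]


def rate(score):
    """Assumed bands agreed with the customer for the qualitative risk budget."""
    return "High" if score >= 8 else "Medium" if score >= 5 else "Low"


def prioritised(threats):
    """Order for the stabilisation push: highest DREAD score first."""
    return sorted(threats, key=lambda t: (-t.dread.score, t.description))


def uncovered(threats, tests=NEGATIVE_TESTS):
    """Threats whose negative acceptance test is missing or currently failing."""
    return [t for t in threats if t.negative_test not in tests or not tests[t.negative_test]()]
```

Keeping `mitigation` and `negative_test` beside each threat records why a check exists and which test proves it, which is the "why" the slides say the code alone will not tell you. `uncovered()` is the check to run before the security push: here it flags the repudiation threat, which was agreed with the customer but has no test yet, so it cannot ship silently.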
33. Compromises We’ve Made
• Security Compromises:
– Short term, iterative focus removes “top down” control
– Focus on individual features can blind process to cross-feature security issues
• Agile Compromises:
– More documentation than is required in pure Agile development
• Security coding standards
• Data classification standards
• Project-specific STRIDE and DREAD standards
• User story threat models
– Additional tasks increase development time
– Forces customers to accept security (isn’t this a good thing?)
34. Characteristics of an Agile and Secure Process
• Customer-focused
• Responsive
• Iterative
• Trustworthy