Donu’t Let Vulnerabilities Create a Hole in Your Organization (DevOps.com)
Open source code is everywhere, helping developers deliver code quickly and efficiently. But, if those open source components are insecure, the result can be a catastrophic data breach. To prevent this from happening, companies are turning to Software Composition Analysis (SCA) solutions to identify vulnerabilities in the open source libraries they’re using.
Join Veracode to learn how your development teams can easily identify open source libraries in use, their vulnerabilities, licenses, and risks to their applications – helping you protect both your applications and customer data. Want to learn more about the latest solutions?
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman (DevSecCon)
The document discusses integrating security testing into existing integration tests. It begins by defining Selenium and integration testing. It then outlines how existing tests can be modified to find security bugs without false positives or much change. The presenter provides examples of how penetration testers and security engineers can leverage existing tests to find more bugs. The document then discusses workshops where attendees can modify example tests to detect XSS, SQL injection, authorization bugs, and other issues. The goal is to help testers, managers, and security professionals find security bugs more easily while testing functionality.
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff (DevSecCon)
This document discusses securing the software development lifecycle (SDLC) when using containers. It begins with an introduction to SDLC models like waterfall and agile. It then covers challenges in applying application security with containers, including unclear boundaries and responsibilities. The main body details how to apply security practices at each phase of the SDLC for containers: requirements, design, implementation, testing, and operations. Key practices include threat modeling, secure coding, image validation, and monitoring. It concludes with emphasizing the importance of involving security champions throughout the process.
Sec4dev 2021 - Catch Me If You Can: Continuous Delivery vs. Security Assurance (Abdessamad TEMMAR)
DevOps and Continuous Delivery have changed how technology operates and how business is run, but security continues to struggle to catch up with the velocity of change in this new world: it’s almost a cat-and-mouse game when it comes to spotting security holes in code before delivering to production, and traditional manual security assessment continues to be untenable as a way of working with modern agile teams.
The concept of DevSecOps can be the ultimate answer, but unfortunately most articles and vendor pitches about this subject are incredibly superficial, and it’s all about dumping existing/traditional security tools on developers, which adds more complexity and frustration without solving the real problem.
“Modern problems require modern solutions”: this talk explains the evolution of security tooling over the last years, and how it must change (or has changed) to match the macro trends and keep up with the shifting threat.
As an example, this talk demonstrates how modern “lightweight” code analysis techniques, when combined with secure-by-default frameworks/patterns, can be used to easily detect potential holes within a code base and provide accurate, fast feedback to developers.
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen (DevSecCon)
This document discusses value-driven threat modeling, a lightweight approach to threat modeling that prioritizes security based on business value. It advocates for developers to integrate threat modeling into their workflow by focusing on the core questions of what is being built, what could go wrong, how to address issues, and ensuring quality. Specific techniques discussed include using acceptance criteria, security unit tests, abuser stories, and a threat pyramid. The approach aims to make threat modeling quicker and more natural for developers while still addressing important security risks. Some limitations are that it may miss threats and relies on developer experience, requiring an embedded security champion for complex systems.
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi (DevSecCon)
This document summarizes a presentation about security testing for containerized applications. It discusses performing static analysis on code, dependencies, and Docker images using open source tools like Bandit, Brakeman, Find Security Bugs, TSLint, OWASP Dependency Track, and Clair. It also covers dynamic analysis using passive and active scanning with OWASP Zap. The presentation demonstrates running these security tests on a sample Lolcode application and integrating the tests into a CI/CD pipeline using OWASP Glue. It provides resources for learning more about security testing of containerized apps.
Robot Framework is a generic test automation framework for keyword-driven testing. It is implemented in Python and runs on Jython and IronPython as well. It supports data-driven testing and has built-in support for reporting, logging, libraries, and integration with tools like Jenkins. The framework is open source and has an active community around it.
Real life unit testing tools and practices (Gil Zilberfeld)
The document discusses the problems with testing legacy code that lacks isolation, such as slow and brittle tests, and recommends using mocking frameworks to isolate dependencies and enable writing effective unit tests that are quick, readable, focused and robust even as code changes over time. It also provides examples of hand-rolled mocks and mocking frameworks, and guidelines for writing good unit tests.
There are so many tools and tricks for developing Android apps, but which ones actually help when you're building apps day in and day out? Luke Wallace introduces the critical development tools you need and demonstrates how to use them to build real apps. Learn about the six critical tools every developer must have, find out about the key techniques that will help you build masterful Android apps, and discover at least one weird trick to speed up your app development. Luke unearths third party libraries that you may not know about and shows you a simple, powerful guide to continuous integration. Discover new ways to connect with other Android developers in the industry and join this growing community. Explore the future of Android Studio and Eclipse and new tools coming from Google that will make your apps faster, more reliable, more beautiful, and easier to maintain.
Continuous Security Testing with Devops - OWASP EU 2014 (Stephen de Vries)
This document discusses continuous security testing in a DevOps environment. It advocates treating security testing as a form of quality testing that is automated and integrated into continuous delivery pipelines. The author presents the BDD-Security testing framework, which uses behavior-driven development and test automation tools like Selenium to write security tests against applications. The framework wraps security scanning tools like OWASP ZAP and integrates security testing into continuous integration pipelines like Jenkins. This allows security to keep up with DevOps practices like deploying code changes multiple times per day.
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca (DevSecCon)
Tanya Janca gives a presentation on how to integrate security practices into a developer's sprint cycle to push security left. She recommends automating security tools and processes as much as possible, tuning tools to reduce false positives, and breaking security activities into smaller pieces. She also emphasizes inviting developers and operations teams to participate in security activities and providing them feedback and training on security tools and best practices. The goal is to enable dev and ops teams to develop securely as part of their standard work.
How do you tame a big ball of mud? One test at a time. (Matt Eland)
A broad and high level overview of .NET unit test libraries that will help you write better tests. Discussions around Scientist .NET, Bogus, AutoFixture, Snapper, and others.
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou... (FINOS)
Pull Requests? Upstream Remotes? Compact Discs? Understanding how to publish code developed inside your organization into the Open Source world can leave you with more questions than answers. In this talk, we will cover key strategies, as well as the workflows and tools that make it possible, for moving past merely consuming open source on GitHub to becoming contributors. Whether you are an IT Manager or Head of Open Source, you will walk away with tips on how to contribute while staying compliant with legal, technical and security approvals within your organization.
PHPKonf Istanbul 2016 - From development to production with Docker Datacenter (Kiratech)
This document summarizes a presentation about moving applications from development to production using Docker and Docker Datacenter. It introduces the speaker and his background with DevOps. It then provides overviews of Docker concepts like images, containers, volumes and networks. It demonstrates how to run simple PHP applications in Docker containers and with Docker Compose. It also outlines the components of Docker Datacenter, including Docker Universal Control Plane (UCP) for managing applications and Docker Trusted Registry (DTR) for managing images. Monitoring tools that can integrate with these systems are also mentioned.
This document discusses 12 tricks hackers use to compromise continuous integration and continuous delivery (CI/CD) systems. It outlines attacks such as installing malware via libraries, leaking secrets, executing malicious code in pipelines, consuming cloud services to cause outages, zip bombs, memory bombs, fork bombs, and compromising APIs. The document emphasizes the importance of limiting permissions, monitoring systems, and assuming insider attackers when hardening CI/CD pipelines and infrastructure.
Brief introduction to Test Automation Frameworks, Acceptance Testing and ATDD using Testerone, a custom-made solution based on RobotFramework and its extensive libraries for Selenium and AutoIT support.
Bring the test cases closer to business people, leave the technical stuff to technical staff using simple business-to-tech excel sheet (map) for collaboration. Complete the solution by controlling everything using Jenkins CI server.
Talk by Tetiana Chupryna, backend developer at GitLab, at Ruby Meditation #26, Kyiv, 16.02.2019
Next conference - http://www.rubymeditation.com/
We’ll talk about different types of vulnerabilities, scanning tools and the whole process per se.
Announcements and conference materials https://www.fb.me/RubyMeditation
News https://twitter.com/RubyMeditation
Photos https://www.instagram.com/RubyMeditation
The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation
This document discusses security concerns related to continuous integration and continuous delivery (CI/CD) pipelines. It begins by defining key CI/CD concepts like continuous integration, continuous delivery, pipelines, DevOps, and DevSecOps. It then details several security risks that can occur at different stages of the CI/CD process, including in source code, during building, in deployment, and within infrastructure. Specific attacks mentioned include sensitive information leaks, trojanized artifacts, zip bombs, memory bombs, and more. The document emphasizes the importance of monitoring, limiting permissions, and network isolation to help secure CI/CD systems.
The document provides an overview of Fortify Source Code Analyzer (SCA). It discusses the different analysis phases SCA performs including translation, analysis, and verification. It also describes the various types of analyzers that SCA uses like data flow, control flow, semantic, and structural analyzers. Finally, it outlines the typical commands used to clean, translate, and scan source code with SCA and run an analysis.
Robot Framework is a keyword-based test automation framework suitable for acceptance testing. It requires Python 2.7, pip, Robot Framework, and various libraries like Selenium2 and Requests. The document provides instructions on installing these prerequisites and building sample bots to demonstrate localized and data-driven testing capabilities.
- The author discusses their journey doing source code reviews to find bugs in WordPress plugins and themes. They started with just two people manually reviewing code but then automated the process and expanded their team.
- Through their Phase 1 efforts analyzing over 250 plugins, they found over 250 issues. They are now focusing on authenticated vulnerabilities in Phase 2 like SQL injection, XSS, and CSRF.
- They have created some open source tools to help with the process and are seeking volunteers to help make open source software more secure by joining their Codevigilant platform.
This document contains summaries of various Android tools, libraries, and frameworks. It discusses build tools like Ant and Maven, libraries for dependency injection (RoboGuice), networking (Retrofit), data storage (ORMLite), and testing (Robolectric, Robotium). It also mentions tools for crash reporting (ACRA, Bugsense) and project templates.
This document provides guidance for developers who want to contribute code to the Linux kernel. It emphasizes the importance of the social and technical aspects of upstream development. Socially, developers are advised to release their code early and often to get feedback from the community. They should avoid unnecessary abstraction and re-inventing existing solutions. Technically, developers should follow best practices like using well-designed APIs and solving problems that are common across hardware. The document also provides practical tips for submitting patches, dealing with feedback, and getting help from experienced members of the open source community.
DevSecCon London 2017: when good containers go bad by Tim Mackey (DevSecCon)
This document summarizes Tim Mackey's presentation at DevSecCon. It discusses the importance of security driven development practices like using trusted components, continuous integration processes that include security testing, and digitally signing container images. It warns that while infrastructure teams aim to provide security, vulnerabilities can still exist, and advocates continually evaluating the trust of components used. The document predicts disclosure of security issues will increase and outlines penalties for data breaches under new regulations like GDPR. It emphasizes automating awareness of open source dependencies to keep pace with DevOps.
This document provides guidance on upstreaming code to the Linux kernel community. It emphasizes that upstreaming requires both technical and social skills. Developers should release code early and often to get feedback, iterate on designs, and fix issues. Good code avoids unnecessary abstraction and reinvention, solves common problems, and has well-designed APIs. The community consists of experienced developers who want to help. Upstreamers should be patient, respectful, and ask for help when needed. Releasing code early allows issues to be identified and addressed before formal submissions.
The original files for the code examples and slideshow can be found in my GitHub repos
git@github.com:techwhizbang/sinatra_slideshow_code.git
Static Analysis For Security and DevOps Happiness w/ Justin Collins (Sonatype)
Justin Collins, Brakeman Security
It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews.
This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.
The document discusses the evolution of the web from Web 1.0 to Web 2.0. Web 1.0 was mainly a place to find information, while Web 2.0 enables collaboration and user-generated content through features like blogs, wikis, social networking, mashups, and APIs. It provides examples of popular Web 2.0 sites and technologies like Ajax that make applications more interactive and dynamic. Open source development has been a driving force behind the growth and adoption of many Web 2.0 technologies.
The document discusses tools to improve a LAMP web development stack. It recommends source control, development platforms, task tracking, automated testing, static analysis, automated deployment, and continuous integration. These tools enable collaboration, testing, deployment automation, and integration of code changes. Specific open source tools are recommended for each category like Git, PHPUnit, PHP Code Sniffer, and Jenkins. The document argues these tools improve workflow, quality, and speed of development.
There are so many tools and tricks for developing Android apps, but which ones actually help when you're building apps day in and day out? Luke Wallace introduces the critical development tools you need and demonstrates how to use them to build real apps. Learn about the six critical tools every developer must have, find out about the key techniques that will help you build masterful Android apps, and discover at least one weird trick to speed up your app development. Luke unearths third party libraries that you may not know about and shows you a simple, powerful guide to continuous integration. Discover new ways to connect with other Android developers in the industry and join this growing community. Explore the future of Android Studio and Eclipse and new tools coming from Google that will make your apps faster, more reliable, more beautiful, and easier to maintain.
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
This document discusses continuous security testing in a DevOps environment. It advocates treating security testing as a form of quality testing that is automated and integrated into continuous delivery pipelines. The author presents the BDD-Security testing framework, which uses behavior-driven development and test automation tools like Selenium to write security tests against applications. The framework wraps security scanning tools like OWASP ZAP and integrates security testing into continuous integration pipelines like Jenkins. This allows security to keep up with DevOps practices like deploying code changes multiple times per day.
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya JancaDevSecCon
Tanya Janca gives a presentation on how to integrate security practices into a developer's sprint cycle to push security left. She recommends automating security tools and processes as much as possible, tuning tools to reduce false positives, and breaking security activities into smaller pieces. She also emphasizes inviting developers and operations teams to participate in security activities and providing them feedback and training on security tools and best practices. The goal is to enable dev and ops teams to develop securely as part of their standard work.
How do you tame a big ball of mud? One test at a time.Matt Eland
A broad and high level overview of .NET unit test libraries that will help you write better tests. Discussions around Scientist .NET, Bogus, AutoFixture, Snapper, and others.
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...FINOS
Pull Requests? Upstream Remotes? Compact Discs? Understanding how to publish code developed inside your organization into the Open Source world can leave you with more questions than answers. In this talk, we will cover key strategies, as well as the workflows and tools that make it possible, for moving past merely consuming open source on GitHub to becoming contributors. Whether you are an IT Manager or Head of Open Source, you will walk away with tips to on how to contribute while staying compliant with legal, technical and security approvals within your organization.
PHPKonf Istanbul 2016 - From development to production with Docker DatacenterKiratech
This document summarizes a presentation about moving applications from development to production using Docker and Docker Datacenter. It introduces the speaker and his background with DevOps. It then provides overviews of Docker concepts like images, containers, volumes and networks. It demonstrates how to run simple PHP applications in Docker containers and with Docker Compose. It also outlines the components of Docker Datacenter, including Docker Universal Control Plane (UCP) for managing applications and Docker Trusted Registry (DTR) for managing images. Monitoring tools that can integrate with these systems are also mentioned.
This document discusses 12 tricks hackers use to compromise continuous integration and continuous delivery (CI/CD) systems. It outlines attacks such as installing malware via libraries, leaking secrets, executing malicious code in pipelines, consuming cloud services to cause outages, zip bombs, memory bombs, fork bombs, and compromising APIs. The document emphasizes the importance of limiting permissions, monitoring systems, and assuming insider attackers when hardening CI/CD pipelines and infrastructure.
Brief introduction to Test Automation Frameworks, Acceptance Testing and ATTD using Testerone – custom made solution based on RobotFramework and it’s extensive libraries for Selenium’s and AutoIT’s support.
Bring the test cases closer to business people, leave the technical stuff to technical staff using simple business-to-tech excel sheet (map) for collaboration. Complete the solution by controlling everything using Jenkins CI server.
Speech of Tetiana Chupryna, Backend developer at GitLab, at Ruby Meditation #26 Kyiv 16.02.2019
Next conference - http://www.rubymeditation.com/
We’ll talk about different types of vulnerabilities, scanning tools and the whole process per se.
Announcements and conference materials https://www.fb.me/RubyMeditation
News https://twitter.com/RubyMeditation
Photos https://www.instagram.com/RubyMeditation
The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation
This document discusses security concerns related to continuous integration and continuous delivery (CI/CD) pipelines. It begins by defining key CI/CD concepts like continuous integration, continuous delivery, pipelines, DevOps, and DevSecOps. It then details several security risks that can occur at different stages of the CI/CD process, including in source code, during building, in deployment, and within infrastructure. Specific attacks mentioned include sensitive information leaks, trojanized artifacts, zip bombs, memory bombs, and more. The document emphasizes the importance of monitoring, limiting permissions, and network isolation to help secure CI/CD systems.
The document provides an overview of Fortify Source Code Analyzer (SCA). It discusses the different analysis phases SCA performs including translation, analysis, and verification. It also describes the various types of analyzers that SCA uses like data flow, control flow, semantic, and structural analyzers. Finally, it outlines the typical commands used to clean, translate, and scan source code with SCA and run an analysis.
Robot Framework is a keyword-based test automation framework suitable for acceptance testing. It requires Python 2.7, pip, Robot Framework, and various libraries like Selenium2 and Requests. The document provides instructions on installing these prerequisites and building sample bots to demonstrate localized and data-driven testing capabilities.
- The author discusses their journey doing source code reviews to find bugs in WordPress plugins and themes. They started with just two people manually reviewing code but then automated the process and expanded their team.
- Through their Phase 1 efforts analyzing over 250 plugins, they found over 250 issues. They are now focusing on authenticated vulnerabilities in Phase 2 like SQL injection, XSS, and CSRF.
- They have created some open source tools to help with the process and are seeking volunteers to help make open source software more secure by joining their Codevigilant platform.
This document contains summaries of various Android tools, libraries, and frameworks. It discusses build tools like Ant and Maven, libraries for dependency injection (RoboGuice), networking (Retrofit), data storage (ORMLite), and testing (Robolectric, Robotium). It also mentions tools for crash reporting (ACRA, Bugsense) and project templates.
This document provides guidance for developers who want to contribute code to the Linux kernel. It emphasizes the importance of the social and technical aspects of upstream development. Socially, developers are advised to release their code early and often to get feedback from the community. They should avoid unnecessary abstraction and re-inventing existing solutions. Technically, developers should follow best practices like using well-designed APIs and solving problems that are common across hardware. The document also provides practical tips for submitting patches, dealing with feedback, and getting help from experienced members of the open source community.
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
This document summarizes Tim Mackey's presentation at DevSecCon. It discusses the importance of security driven development practices like using trusted components, continuous integration processes that include security testing, and digitally signing container images. It warns that while infrastructure teams aim to provide security, vulnerabilities can still exist, and advocates continually evaluating the trust of components used. The document predicts disclosure of security issues will increase and outlines penalties for data breaches under new regulations like GDPR. It emphasizes automating awareness of open source dependencies to keep pace with DevOps.
This document provides guidance on upstreaming code to the Linux kernel community. It emphasizes that upstreaming requires both technical and social skills. Developers should release code early and often to get feedback, iterate on designs, and fix issues. Good code avoids unnecessary abstraction and reinvention, solves common problems, and has well-designed APIs. The community consists of experienced developers who want to help. Upstreamers should be patient, respectful, and ask for help when needed. Releasing code early allows issues to be identified and addressed before formal submissions.
The original files for the code examples and slideshow can be found in my GitHub repos
git@github.com:techwhizbang/sinatra_slideshow_code.git
Static Analysis For Security and DevOps Happiness w/ Justin Collins (Sonatype)
Justin Collins, Brakeman Security
It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews.
This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.
The document discusses the evolution of the web from Web 1.0 to Web 2.0. Web 1.0 was mainly a place to find information, while Web 2.0 enables collaboration and user-generated content through features like blogs, wikis, social networking, mashups, and APIs. It provides examples of popular Web 2.0 sites and technologies like Ajax that make applications more interactive and dynamic. Open source development has been a driving force behind the growth and adoption of many Web 2.0 technologies.
The document discusses tools to improve a LAMP web development stack. It recommends source control, development platforms, task tracking, automated testing, static analysis, automated deployment, and continuous integration. These tools enable collaboration, testing, deployment automation, and integration of code changes. Specific open source tools are recommended for each category like Git, PHPUnit, PHP Code Sniffer, and Jenkins. The document argues these tools improve workflow, quality, and speed of development.
Reuven Lerner's presentation from Open Ruby Day in Herzliya, Israel on June 27th, 2010. I covered a few tools that are not part of Rails, but which help you with deployment,
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ... (Denim Group)
The SolarWinds attack brought additional scrutiny to software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers and 3rd party development contractors to an array of open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Dan Morrill discusses the different ways to code applications for Android, including managed Dalvik code, Ajax/web apps, and native code. He outlines what each approach is capable of and not capable of. He demonstrates k-means clustering implemented in each approach. Morrill concludes that there are benefits to different approaches and developers should choose based on their app's specific needs and the developer's skills.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities that may lead to your system being compromised.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools shown in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning:
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O'Reilly Kubernetes Security:
https://kubernetes-security.info/
O'Reilly Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
An iOS application penetration testing training covers various topics including:
- Setting up an iOS pen testing environment and understanding the iOS filesystem.
- Understanding the Objective-C runtime and performing runtime analysis and manipulation.
- Analyzing insecure data storage in plist files, NSUserDefaults, CoreData, and the keychain.
- Identifying side channel data leakage through device logs, application snapshots, and the pasteboard.
When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source-code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into details on how we can automate the boring (but necessary parts) and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.
A presentation given at DeveloperWeek in San Francisco by Zack Argyle. It goes through important concepts in building out reusable React components, releasing it to Github, and publishing it to NPM. There are best practices and suggestions with an example component.
What awaits ALM Dudes in 2013? (Bruno Capuano)
The document discusses challenges with application lifecycle management (ALM) and recommends adopting agile practices like Scrum and Kanban to improve project predictability, lower costs, and increase team responsiveness. It emphasizes establishing continuous integration using automated testing, version control like Git, and configuration management. Adopting practices like test-driven development, behavior-driven development, and continuous integration can help address typical ALM problems like lack of visibility, ineffective communication, undefined requirements, and inadequate testing.
Join us for this interactive event and get your hands dirty with some WildFly 9 hacking!
Our host Kabir Khan will explain how you can contribute to the WildFly project at many different levels, from properly reporting bugs in the forums and issue tracker, to actually being able to submit a pull request.
During this interactive event you will have a chance to play with WildFly 9 and try some of the following:
• Find a JIRA you want to work on.
• See how to check-out the code and setup your IDE.
• Build WildFly
• Code walkthrough - code organisation, jboss-modules etc.
• Debug something from a stack trace in a JIRA issue to nail down the problem.
• Try the testsuite
• And more!
A short introduction to more advanced Python and to programming in general. Intended for users who have already learned the basic coding skills but want a rapid tour of the more in-depth capabilities offered by Python and some general programming background.
Exercises are available at: https://github.com/chiffa/Intermediate_Python_programming
Aleksei Dremin - Application Security Pipeline - phdays9 (Alexey Dremin)
This document discusses setting up an application security pipeline for continuous integration and delivery (CI/CD). It recommends using static application security testing (SAST) tools, dependency checkers, source code scanners, dynamic application security testing (DAST) tools, and integrating them with Jenkins. It also suggests managing vulnerabilities and results in DefectDojo and notifying stakeholders of new findings through integration with communication tools like Slack. The document stresses the importance of educating developers on security best practices.
This document summarizes a talk on unit testing in JavaScript. It introduces the speaker and their company Third Wave Technology. It then defines unit testing as writing code to test individual units in isolation. The benefits of unit testing are discussed such as speeding up development, providing documentation, and helping write better code. Popular JavaScript unit testing frameworks like QUnit and Jasmine are presented. The document concludes by suggesting factors to consider when choosing a unit testing framework.
- Writing code is important for researchers to validate ideas, understand algorithms, and check work, but code is a means to an end rather than the primary product. Researchers should focus on knowledge gained rather than the code itself.
- Researchers must balance optimizing time with producing trustworthy, reproducible results. Using version control and tracking parameters helps achieve this.
- Testing, especially unit testing, helps researchers have confidence in their results. Creative testing approaches may be needed given the nature of research code.
- Researchers should aim to need as few bespoke tools as possible but not less, reusing existing frameworks and code when reasonable. Shared tools can also help disseminate ideas.
The document provides an overview of free and open source network security tools including Kismet for wireless monitoring, OpenVAS for vulnerability scanning, Metasploit for exploitation, and Nmap for port scanning and service detection. It discusses how these tools can be used both offensively to detect issues and defensively to harden networks, and highlights advantages like cost but also challenges like potential instability. The presentation focuses on demonstrating these tools and educating administrators about network security risks and defenses.
This document introduces EMBA, a free and open-source firmware analysis tool. It describes EMBA's extraction and analysis modules that can extract firmware components like Linux filesystems, decrypt images, and analyze the firmware using tools like binwalk and Yara rules. EMBA aims to automate common firmware analysis tasks and identify security issues like outdated components, weak configurations, and potential 0-day vulnerabilities through static and dynamic analysis techniques.
Ocean Lotus Threat actors project by John Sitima 2024 (1).pptx (SitimaJohn)
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
GraphRAG for Life Science to increase LLM accuracy (Tomaz Bratanic)
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
Driving Business Innovation: Latest Generative AI Advancements & Success Story (Safe Software)
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers (akankshawande)
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
A Comprehensive Guide to DeFi Development Services in 2024 (Intelisync)
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Letter and Document Automation for Bonterra Impact Management (fka Social Sol... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
HCL Notes and Domino license cost reduction in the world of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licenses under the CCB and CCX models have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you!
We explain how to solve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove redundant or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, e.g. when a Person document is used instead of a Mail-In for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered:
- Reducing license costs by finding and fixing misconfigurations and redundant accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement immediately
Taking AI to the Next Level in Manufacturing.pdf (ssuserfac0301)
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
2. What is Lint?
• lint, or a linter, is a tool that analyzes source code to flag programming errors, bugs, stylistic errors, and suspicious constructs. The term originates from a Unix utility that examined C language source code.
Source: https://en.wikipedia.org/wiki/Lint_%28software%29
@snnkzk
4. Default lint checks for Android
• MissingPermission
• MissingSuperCall
• ScrollViewCount
• DuplicateIds
• AppCompatMethod
• ApplySharedPref
• VectorDrawableCompat
And many more…
Sources:
http://tools.android.com/tips/lint-checks
https://android.googlesource.com/platform/tools/base/+/studio-master-dev/lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks
5. How to run Android lint
With a Gradle task:
• ./gradlew lint
• ./gradlew lintDebug
With the CLI tool in “android_sdk/tools”:
• lint [flags] <project directory>
6. Lint result
• It can fail the build: abortOnError true
• Print to the command line
• Create XML and HTML reports
• Configure warnings as errors to fail the build: warningsAsErrors true
7. How to configure
You can specify your lint checking preferences in the “lint.xml” file.
9. Integrating into an existing codebase
After the first lint run on an old project, there will be thousands of issues. Android lint supports a baseline file for ignoring existing issues, so you can focus on new code.
Lint can be integrated at any time.
We run Lint with every pull request.
11. Different ways to set up
• Run for modules individually
• Run for the app module while checking dependent modules
12. Unused resources
Lint can find unused resources.
• If you run lint on every module individually, resources need to be used in the same module in which they are defined.
• If you have modules with just resources, use “checkDependencies true”: it is slower but checks lint from the root perspective.
• More suggestions at https://groups.google.com/forum/#!msg/lint-dev/RGTvK_uHQGQ/FjJA12aGBAAJ
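The settings named on slides 6, 7, 9 and 12 (abortOnError, warningsAsErrors, lint.xml, the baseline file and checkDependencies) all belong in the app module's build script. The following is an added example, not from the slides, written as a build.gradle.kts fragment; it assumes Android Gradle Plugin 7.1 or later, where the block is `lint {}` (older versions use `lintOptions {}` with the same property names). The file names `lint.xml` and `lint-baseline.xml` are conventional choices, and the three check ids promoted to errors are built-in Android Lint checks that default to warnings.

```kotlin
// build.gradle.kts (app module). Added example; assumes AGP 7.1+ where the DSL block is `lint {}`.
android {
    lint {
        // Slide 6: an error fails the build, and every warning is promoted to an error.
        abortOnError = true
        warningsAsErrors = true

        // Slide 6: a machine-readable report for CI plus a human-readable one.
        xmlReport = true
        htmlReport = true

        // Slide 7: per-issue severities and exclusions live in lint.xml (file name is a convention).
        lintConfig = file("lint.xml")

        // Slide 9: pre-existing findings are recorded in the baseline, so only new code blocks a PR.
        // When the file is missing, `./gradlew lint` writes it once; commit it and review it like code.
        baseline = file("lint-baseline.xml")

        // Slide 12: analyse dependent modules from the app root, so UnusedResources does not
        // misreport resources that are only referenced across module boundaries.
        checkDependencies = true

        // Security-relevant built-in checks that default to warnings but should block a release build.
        error += listOf("SetJavaScriptEnabled", "AllowBackup", "ExportedReceiver")
    }
}
```

A note on the baseline: it silences existing findings, including security ones, so the baseline file deserves the same review as the code it covers, and shrinking it over time is a useful team metric.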
13. Beyond default rules
• You can:
• write custom rule
• integrate libraries with custom rules
• publish library with custom lint rules
15. Using TDD for lint development
Android lint has a nice testing framework:
• You can create virtual files (Java, Kotlin, XML…)
• It is much faster than running lint on a project
• You can create edge cases
• You can even test code containing errors
16. Publishing a library with lint
• Libraries can pack their own lint rules
• By default, they are added to the customer’s project
• Enforce best practices
• Check wrong usage of the library
• Guided migration
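Slides 13, 15 and 16 describe writing a custom rule, developing it test-first with lint's testing framework, and packaging it with a library. The following is an added example and not code from the talk: a small detector that flags calls to `android.util.Log` (logcat output is a classic side channel for tokens and PII, in line with the log-leakage item on the iOS slide earlier on this page), the `IssueRegistry` that exposes it, and a `LintDetectorTest` that exercises a flagged and a clean case with in-memory files. The issue id `LogLeak`, the package `com.example.lint`, the vendor details and the sample sources are made up for this example; the lint-api and lint-tests artifacts are assumed to be on the classpath. In a real module the test class lives in `src/test` and the other two classes in `src/main`.

```kotlin
// Added example (not from the slides). Assumes com.android.tools.lint:lint-api and
// lint-tests on the classpath; issue id, package and vendor values are made up.
package com.example.lint

import com.android.tools.lint.checks.infrastructure.LintDetectorTest
import com.android.tools.lint.client.api.IssueRegistry
import com.android.tools.lint.client.api.Vendor
import com.android.tools.lint.detector.api.CURRENT_API
import com.android.tools.lint.detector.api.Category
import com.android.tools.lint.detector.api.Detector
import com.android.tools.lint.detector.api.Implementation
import com.android.tools.lint.detector.api.Issue
import com.android.tools.lint.detector.api.JavaContext
import com.android.tools.lint.detector.api.Scope
import com.android.tools.lint.detector.api.Severity
import com.android.tools.lint.detector.api.SourceCodeScanner
import com.intellij.psi.PsiMethod
import org.jetbrains.uast.UCallExpression

/** Flags android.util.Log calls: logcat is readable via adb (and by other apps on old
 *  Android versions), so secrets and PII must never reach it. */
class LogLeakDetector : Detector(), SourceCodeScanner {

    // Lint only calls visitMethodCall for calls whose method name is in this list.
    override fun getApplicableMethodNames(): List<String> = listOf("v", "d", "i", "w", "e", "wtf")

    override fun visitMethodCall(context: JavaContext, node: UCallExpression, method: PsiMethod) {
        // Ignore unrelated methods that share a name, e.g. a project's own Logger.d().
        if (!context.evaluator.isMemberInClass(method, "android.util.Log")) return
        context.report(
            ISSUE, node, context.getLocation(node),
            "Do not call android.util.Log directly; route logging through a wrapper that is disabled in release builds"
        )
    }

    companion object {
        val ISSUE: Issue = Issue.create(
            id = "LogLeak",
            briefDescription = "Logging via android.util.Log",
            explanation = "Log output is visible through logcat and may leak tokens, PII or internal state.",
            category = Category.SECURITY,
            priority = 6,
            severity = Severity.WARNING,
            implementation = Implementation(LogLeakDetector::class.java, Scope.JAVA_FILE_SCOPE)
        )
    }
}

/** Slide 16: the registry lint discovers through the rule jar's Lint-Registry-v2 manifest attribute. */
class ExampleIssueRegistry : IssueRegistry() {
    override val issues: List<Issue> = listOf(LogLeakDetector.ISSUE)
    override val api: Int = CURRENT_API
    override val vendor: Vendor = Vendor(vendorName = "Example", feedbackUrl = "https://example.invalid/lint")
}

/** Slide 15: TDD with in-memory source files instead of running lint on a whole project. */
class LogLeakDetectorTest : LintDetectorTest() {
    override fun getDetector(): Detector = LogLeakDetector()
    override fun getIssues(): List<Issue> = listOf(LogLeakDetector.ISSUE)

    // Minimal stub so the call resolves to android.util.Log even without an SDK on the test machine.
    private val logStub = java(
        """
        package android.util;
        public class Log {
            public static int d(String tag, String msg) { return 0; }
        }
        """
    ).indented()

    fun testLogCallIsFlagged() {
        lint().files(
            logStub,
            kotlin(
                """
                package test.pkg
                import android.util.Log
                class Session(private val token: String) {
                    fun dump() { Log.d("Session", "token=" + token) }
                }
                """
            ).indented()
        ).allowMissingSdk().run().expectWarningCount(1)
    }

    fun testOtherLoggerIsClean() {
        lint().files(
            kotlin(
                """
                package test.pkg
                object Timber { fun d(msg: String) {} }
                class Session { fun dump() { Timber.d("hello") } }
                """
            ).indented()
        ).allowMissingSdk().run().expectClean()
    }
}
```

To ship the rule with a library (slide 16), the jar containing `ExampleIssueRegistry` is published alongside the library's AAR, and its manifest carries `Lint-Registry-v2: com.example.lint.ExampleIssueRegistry`; consumers then get the check without any configuration, which is what makes lint rules a practical way to enforce a library's secure-usage contract.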
18. There are problems
• Android Studio does not care about custom lint setup
• https://issuetracker.google.com/issues/153521705
• Android Studio does not care about baseline file
• https://issuetracker.google.com/issues/153521704
• Lint task is not cacheable or incremental
• https://issuetracker.google.com/issues/64323422