This document discusses Azure Secure DevOps Kit, which is a tool that helps address security challenges in DevOps. It summarizes the key components of the kit, including subscription security tools, security verification tests, security intellisense, and Azure Automation runbooks. It also describes how the kit provides benefits like reduced development time and money, higher security awareness, and easier transition to DevOps through features like continuous assurance checks and problem resolution. A demo is provided on setting up the security verification tests through an Azure DevOps release pipeline.
Vulnerabilities are bugs, Let's Test For Them! by VAddy
The document introduces VAddy, a continuous security testing service that allows development teams to easily integrate automated vulnerability scans into their development workflows. It highlights issues with existing security testing tools, such as difficulty of setup and maintenance. VAddy aims to simplify continuous security testing through a SaaS model that requires no installation and supports various integration methods. It uses machine learning to scan applications automatically without extensive configuration.
Testing with Microsoft Technologies - Kick Off Session by Moataz Nabil
The document provides an overview and agenda for a session on Microsoft testing tools. The session will cover manual testing and test case management using Microsoft Test Manager 2012, automated testing using coded UI tests in Visual Studio 2012, web performance testing in Visual Studio 2012, cloud-based load testing in Visual Studio 2013, application lifecycle management using Visual Studio Online 2013, and working with Team Foundation Server 2012.
This document discusses how to implement security checks using the Secure DevOps Kit (AzSK) in a CI/CD pipeline for Azure deployments. It provides steps to configure a release pipeline in Azure DevOps with AzSK tasks to run security verification tests on Azure resources during deployment. The tasks will check for compliance with security best practices and policies and provide results to identify any issues or vulnerabilities.
ScriptRock is the easiest to use configuration testing platform. Used as a mechanism to test the underlying configuration state of applications and infrastructure, ScriptRock allows administrators the ability to guarantee the configuration state of complex enterprise systems easily.
HTML5 is one of the hottest technologies around right now because HTML5 apps are beautiful, engaging, and can perform important and entertaining functions. With the wide range of devices and platforms to support, the promise of multi-platform support is appealing. But HTML5 apps present their own range of security issues. So, what do you do about security? How do you test HTML5 applications to ensure their security? Alexander Andelkovic works at Spotify where their streaming music player desktop client applications are all HTML5-based. Alexander explains how manual testers can get the most out of HTML5 app security testing and manifest of HTML5 apps. He covers these common security testing issues and more: cross-site scripting (script inclusion), privacy-related issues, data leakage, and permissions. Discover how, by being proactive, you can avoid having to search for security issues late in a development project.
Are you looking to build a Cloud-based application using DevOps methodology but worried that the traditional security methods may not adapt to the modern development techniques? Azure Secure DevOps Kit
Automating security tests for Continuous Integration by Stephen de Vries
Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests
Integration depends on the level of cultural integration of security into DevOps.
3 Models of test ownership:
1. Owned by Security team - least desirable
2. Owned by DevOps, overseen by security - better
3. Owned by SecDevOps, look Ma, no silos.
Overview of BDD-Security
Configuring Jenkins with BDD-Security as inline tests
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps
Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities
Examples of security automation, case situations minimizing risk and driving flexibility for DevOps
See how SaaS provider CloudPassage integrates security into its own development and operations workflows
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the product lifecycle.
Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.
This document discusses integrating security testing into continuous delivery pipelines. It argues that security testing should be performed continuously and automated like other tests, rather than as a separate process. The document recommends that development, operations, and security teams work together in a "SecDevOps" model where security testing is integrated into regular testing workflows and everyone shares responsibility. It presents the BDD-Security framework as an example of how behavior-driven development can be used to automate continuous security testing that runs with each code change.
Continuous Security Testing with Devops - OWASP EU 2014 by Stephen de Vries
This document discusses continuous security testing in a DevOps environment. It advocates treating security testing as a form of quality testing that is automated and integrated into continuous delivery pipelines. The author presents the BDD-Security testing framework, which uses behavior-driven development and test automation tools like Selenium to write security tests against applications. The framework wraps security scanning tools like OWASP ZAP and integrates security testing into continuous integration pipelines like Jenkins. This allows security to keep up with DevOps practices like deploying code changes multiple times per day.
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority:
- Integrate effective threat modeling into Agile development practices
- Introduce Security Automation into Continuous Integration
- Integrate Security Automation into Continuous Deployment
While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic:
- The talk will be replete with anecdotes from personal consulting and penetration testing experiences.
- I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle.
- I firmly believe that Automated Web Vulnerability Assessment (using scanners), no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST). I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, it's impossible to have a one-size-fits-all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use of a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app.
- My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools.
- Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share how our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
Agile & DevOps - It's all about project success by Adam Stephensen
The document provides information on DevOps practices and tools from Microsoft. It discusses how DevOps enables continuous delivery of value through integrating people, processes, and tools. Benefits of DevOps include more frequent and stable releases, lower change failure rates, and empowered development teams. The document provides examples of DevOps scenarios and recommends discussing solutions and migration plans with Microsoft.
we45 - Infrastructure Penetration Testing with LeanBeast Case Study by Abhay Bhargav
The document summarizes a security assessment conducted by we45 for a cloud-based email encryption company. we45 used their "Leanbeast" appliance to conduct reconnaissance, vulnerability scanning, and penetration testing of the client's AWS infrastructure. Several major vulnerabilities were found, including remote code execution on an ElasticSearch server and authentication flaws exposing customer data. we45 provided a detailed report of findings prioritized by risk level and recommended remediation strategies to improve the client's security posture.
An Introduction to Enterprise Design Patterns by Adam Stephensen
This document provides an overview of several enterprise design patterns, including dependency injection, the onion architecture, the repository pattern, unit of work pattern, and view models. It discusses the benefits of each pattern such as loose coupling, increased testability and code reuse. It also provides examples of implementing the repository and unit of work patterns when accessing data with Entity Framework.
#DOAW16 - DevOps@work Roma 2016 - Databases under source control by Alessandro Alpi
This document discusses putting databases under source control as part of a DevOps workflow. It begins with defining DevOps and its goals of collaboration, automation, and rapid software delivery. It then discusses using a source control manager and continuous integration practices for databases. This allows development teams to work on database code in separate environments, track changes, automate testing and deployment, and maintain different versions of the database. The document recommends tools like SQL Source Control and Visual Studio Team Services and argues that source control can help development and operations teams work together more efficiently on database changes and releases.
10 Things You Might Not Know: Continuous Integration by Coveros, Inc.
Continuous integration (CI) is a software development practice where developers regularly merge their code changes into a central repository after which automated builds and tests are run. This process catches bugs early and prevents integration issues. CI builds quality in by automating testing and moving it earlier in the development process. Agile development relies on CI to reduce the costs of changes by dealing with issues as soon as they arise. While often associated with agile methods, CI benefits all projects by integrating and testing code more frequently. Open source tools have matured to support CI at low cost. CI also increases accountability, security, visibility into projects, and facilitates collaboration between development and testing teams.
The document provides an overview and primer on SecDevOps. It discusses how traditional development, operations, and security roles often work in silos, which SecDevOps seeks to improve by integrating security automation into the development process. Key aspects of SecDevOps covered include defining it as security automation and discussing security at scale. The document also discusses why security automation is important to reduce human error, provides typical enterprise staffing ratios of developers, operations, and security professionals, and how appointing security champions from development teams can help integrate security practices.
The document discusses introductory concepts and best practices for unit testing, including:
1. Why unit tests are important for reducing bugs, improving design, and making development faster.
2. The different types of tests like unit tests, integration tests, and functional tests.
3. What constitutes a unit test, including that it is small, repeatable, consistent, and fast.
4. An example of writing a "Hello World" unit test in C#.
#DOAW16 - DevOps@work Roma 2016 - Testing your databases by Alessandro Alpi
In these slides we will speak about how to unit test our programmability in SQL Server and how to move from a manual process to an automated one in order to achieve the goals of DevOps
Reliability (R)evolution: Turning the DevOps World Upside Down (Again). by Hannes Lenke
Join Mirko Novakovic, Co-founder and CEO of Instana and Hannes Lenke, CEO of Checkly as they discuss the Reliability (R)evolution. Hear how freeing DevOps teams from complexity empowers them to scale and accelerate with end-to-end testing and monitoring. Testing and monitoring was previously seen as slow, flaky, and costly, but this is no longer the case. Technologies like Headless, Puppeteer, and Jamstack are changing the way we ensure reliability. Combined with the ability to integrate APM into testing, you can also monitor the transactions simulated. This enables DevOps teams to push into production quicker with more reliability.
These slides accompanied a talk given by Christopher Grayson at QCon NYC 2017 by the same name. The talk discusses how unit testing can be used to help address security regression in codebases.
A blog post detailing the contents of this talk can be found here:
https://l.avala.mp/?p=169
- Introduction to DevOps.
- Glossary.
- Continuous testing.
- The DevOps lifecycle.
- Where does QA fit in DevOps.
- Test-Driven Development (TDD).
- References.
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps
Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities
Examples of security automation, case situations minimizing risk and driving flexibility for DevOps
See how SaaS provider CloudPassage integrates security into its own development and operations workflows
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the produce lifecycle.
Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.
This document discusses integrating security testing into continuous delivery pipelines. It argues that security testing should be performed continuously and automated like other tests, rather than as a separate process. The document recommends that development, operations, and security teams work together in a "SecDevOps" model where security testing is integrated into regular testing workflows and everyone shares responsibility. It presents the BDD-Security framework as an example of how behavior-driven development can be used to automate continuous security testing that runs with each code change.
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
This document discusses continuous security testing in a DevOps environment. It advocates treating security testing as a form of quality testing that is automated and integrated into continuous delivery pipelines. The author presents the BDD-Security testing framework, which uses behavior-driven development and test automation tools like Selenium to write security tests against applications. The framework wraps security scanning tools like OWASP ZAP and integrates security testing into continuous integration pipelines like Jenkins. This allows security to keep up with DevOps practices like deploying code changes multiple times per day.
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority:
- Integrate effective threat modeling into Agile development practices
- Introduce Security Automation into Continuous Integration
- Integrate Security Automation into Continuous Deployment
While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic:
- The talk will be replete with anecdotes from personal consulting and penetration testing experiences.
- I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle.
- I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app.
- My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools.
- Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
Agile & DevOps - It's all about project successAdam Stephensen
The document provides information on DevOps practices and tools from Microsoft. It discusses how DevOps enables continuous delivery of value through integrating people, processes, and tools. Benefits of DevOps include more frequent and stable releases, lower change failure rates, and empowered development teams. The document provides examples of DevOps scenarios and recommends discussing solutions and migration plans with Microsoft.
we45 - Infrastructure Penetration Testing with LeanBeast Case StudyAbhay Bhargav
The document summarizes a security assessment conducted by we45 for a cloud-based email encryption company. we45 used their "Leanbeast" appliance to conduct reconnaissance, vulnerability scanning, and penetration testing of the client's AWS infrastructure. Several major vulnerabilities were found, including remote code execution on an ElasticSearch server and authentication flaws exposing customer data. we45 provided a detailed report of findings prioritized by risk level and recommended remediation strategies to improve the client's security posture.
An Introduction to Enterprise Design PatternsAdam Stephensen
This document provides an overview of several enterprise design patterns, including dependency injection, the onion architecture, the repository pattern, unit of work pattern, and view models. It discusses the benefits of each pattern such as loose coupling, increased testability and code reuse. It also provides examples of implementing the repository and unit of work patterns when accessing data with Entity Framework.
#DOAW16 - DevOps@work Roma 2016 - Databases under source controlAlessandro Alpi
This document discusses putting databases under source control as part of a DevOps workflow. It begins with defining DevOps and its goals of collaboration, automation, and rapid software delivery. It then discusses using a source control manager and continuous integration practices for databases. This allows development teams to work on database code in separate environments, track changes, automate testing and deployment, and maintain different versions of the database. The document recommends tools like SQL Source Control and Visual Studio Team Services and argues that source control can help development and operations teams work together more efficiently on database changes and releases.
10 Things You Might Not Know: Continuous IntegrationCoveros, Inc.
Continuous integration (CI) is a software development practice where developers regularly merge their code changes into a central repository after which automated builds and tests are run. This process catches bugs early and prevents integration issues. CI builds quality in by automating testing and moving it earlier in the development process. Agile development relies on CI to reduce the costs of changes by dealing with issues as soon as they arise. While often associated with agile methods, CI benefits all projects by integrating and testing code more frequently. Open source tools have matured to support CI at low cost. CI also increases accountability, security, visibility into projects, and facilitates collaboration between development and testing teams.
The document provides an overview and primer on SecDevOps. It discusses how traditional development, operations, and security roles often work in silos, which SecDevOps seeks to improve by integrating security automation into the development process. Key aspects of SecDevOps covered include defining it as security automation and discussing security at scale. The document also discusses why security automation is important to reduce human error, provides typical enterprise staffing ratios of developers, operations, and security professionals, and how appointing security champions from development teams can help integrate security practices.
The document discusses introductory concepts and best practices for unit testing, including:
1. Why unit tests are important for reducing bugs, improving design, and making development faster.
2. The different types of tests like unit tests, integration tests, and functional tests.
3. What constitutes a unit test, including that it is small, repeatable, consistent, and fast.
4. An example of writing a "Hello World" unit test in C#.
#DOAW16 - DevOps@work Roma 2016 - Testing your databasesAlessandro Alpi
In these slides we will speak about how to unit test our programmability in SQL Server and how to move from a manual process to an automated one in order to achieve the goals of DevOps
Reliability (R)evolution: Turning the DevOps World Upside Down (Again). Hannes Lenke
Join Mirko Novakovic, Co-founder and CEO of Instana and Hannes Lenke, CEO of Checkly as they discuss the Reliability (R)evolution. Hear how freeing DevOps teams from complexity, empowers them to scale and accelerate with end-to-end testing and monitoring. Testing and monitoring was previously seen as slow, flaky, and costly, but this is no longer the case. Technologies like Headless, Puppeteer, and Jamstack are changing the way we ensure reliability. Combined with the ability to integrate APM into testing, you can also monitor the transactions simulated. This enables DevOps teams to push into production quicker with more reliability.
These slides accompanied a talk given by Christopher Grayson at QCon NYC 2017 by the same name. The talk discusses how unit testing can be used to help address security regression in codebases.
A blog post detailing the contents of this talk can be found here:
https://l.avala.mp/?p=169
- Introduction to DevOps.
- Glossary.
- Continuous testing.
- The DevOps lifecycle.
- Where does QA fit in DevOps.
- Test-Driven Development (TDD).
- References.
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree AnikeyRoy
Mindtree's DevOps service helps clients build an in-house DevOps model platform within an organisation using open-source DevOps tools.
DevSecOps applies security checks and controls into the DevOps pipeline automatically and transparently, without slowing the development & release process. It relies on continuous learning instead of security gates and takes a "shift-left" strategy where security issues are discovered and dealt with earlier in the build and release cycles. Some DevSecOps best practices include training developers on secure coding, checking code dependencies, encrypting data in motion, using secrets management tools, and implementing role-based access control.
DevSecOps Training Bootcamp - A Practical DevSecOps Course Tonex
DevSecOps means integrating security practices into the DevOps workflow from the beginning. The goal is to make everyone responsible for security and implement security decisions at the same speed as development and operations. This helps find vulnerabilities early and improve overall security. Implementing DevSecOps requires planning, building, deploying, monitoring and improving security continuously. It provides benefits like improved compliance and identifying issues earlier.
Shaun Allen presented on security best practices for Azure DevOps pipelines. He discussed:
1) Using external property files to securely manage secrets and configurations. The files are tokenised and secrets are encrypted.
2) Implementing continuous integration to build and test applications using the external files. This finds errors before deployment.
3) Setting up continuous deployment conditions to trigger deployments based on branch names, with additional controls over which users can deploy to certain environments.
4) Demonstrated how to securely manage secrets using Azure Key Vault and the secure configuration encryption tool.
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
The document discusses various topics related to data security and privacy including:
1. International standards for data de-identification techniques and privacy models such as ISO 20889.
2. A comparison of different data de-identification techniques in terms of their ability to reduce risks like singling out, linking, and inference.
3. Examples of mapping de-identification techniques like tokenization and encryption to different data deployment models including centralized/distributed data warehouses and public/private/on-premises clouds.
DevOps Training in Ameerpet - Visualpath is the Leading and Best Software Online Training institute in Ameerpet. Avail complete job oriented DevOps Training Course by simply enrolling in our institute in Ameerpet. Call on - +91-9989971070.
Ensuring Secure and Efficient Operations with DevOps Security Dev Software
In this guide we've explored some of the key concepts behind these disciplines and how they can be used together to help you get started on your journey towards a more secure organization. We hope you were able to learn something new about how DevSecOps can benefit your organization!
What is DevOps? It’s a fairly hot term in today’s application development and operations space, but there are many different definitions as to what DevOps really is. Ultimately, DevOps is about how teams build software, deploy software and maintain it throughout its lifecycle. There is no single, right answer to the question, but there are a number of tools and strategies that can help customers adopt a winning DevOps process that allows dev and operations teams to be more productive together. In this session, the audience will learn what DevOps is at a high level, strategies for how to implement a DevOps process that fits their organization’s needs, and how the Microsoft Application Lifecycle Management (ALM) tooling can help with this. As part of the session, attendees can expect to learn how to set up the Microsoft ALM stack for their teams and how to use it effectively in their software development lifecycle, regardless of the role each individual plays on the team.
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Amazon Web Services
AWS serverless architecture components such as Amazon S3, Amazon SQS, Amazon SNS, CloudWatch Logs, DynamoDB, Amazon Kinesis, and Lambda can be tightly constrained in their operation. However, it may still be possible to use some of them to propagate payloads that could be used to exploit vulnerabilities in some consuming endpoints or user-generated code. This session explores techniques for enhancing the security of these services, from assessing and tightening permissions in IAM to integrating further tools and mechanisms for inline and out-of-band payload analysis that are more typically applied to traditional server-based architectures, and generalising these techniques to APIs for all AWS services.
An introduction to the DevSecOps webinar will be presented by me at 10.30am EST on 29th July, 2018. It's a session focussed on a high-level overview of DevSecOps, which will be followed by intermediate and advanced level sessions in future.
Agenda:
- DevSecOps Introduction
- Key Challenges, Recommendations
- DevSecOps Analysis
- DevSecOps Core Practices
- DevSecOps pipeline for Application & Infrastructure Security
- DevSecOps Security Tools Selection Tips
- DevSecOps Implementation Strategy
- DevSecOps Final Checklist
AWS is hosting the first FSI Cloud Symposium in Hong Kong, which will take place on Thursday, March 23, 2017 at Grand Hyatt Hotel. The event will bring together FSI customers, industry professional and AWS experts, to explore how to turn the dream of transformation, innovation and acceleration into reality by exploiting Cloud, Voice to Text and IoT technologies. The packed agenda includes expert sessions on a host of pressing issues, such as security and compliance, as well as customer experience sharing on how cloud computing is benefiting the industry.
Speaker: Iolaire Mckinnon, Senior Consultant - Security, Risk & Compliance, Professional Services, AWS
Zure Azure PaaS Zero to Hero - DevOps training day Okko Oulasvirta
This document provides an overview of Azure DevOps and related Azure services for continuous integration, delivery, and monitoring. It discusses DevOps practices including source control with Azure Repos, work tracking with Azure Boards, continuous integration and deployment pipelines with Azure Pipelines, infrastructure as code with ARM templates, and application monitoring with Application Insights. It also covers security practices like role-based access control and use of Azure Key Vault for secrets management. Live demos are provided for many of the Azure DevOps features and services discussed.
This document discusses the DevOps philosophy and how it can increase producibility. It defines DevOps as combining cultural philosophies, practices, and tools to increase an organization's ability to deliver applications and services at high velocity. Key aspects of DevOps include breaking down silos between development, QA, security and operations teams; continuous integration and delivery pipelines; automation; and real-time feedback to enable rapid, reliable, and secure delivery of updates. Many DevOps tools are available as managed services on AWS, including CodeCommit, CodeBuild, CodeDeploy, CodePipeline, CloudFormation, and CodeStar, which can help implement DevOps practices.
What is DevOps?
Why DevOps?
How DevOps works?
DevOps impacts in testing.
Continuous Delivery.
Continuous Integration.
Continuous Testing and Automated Deployment.
Microsoft recently released Azure DevOps, a set of services that help developers and IT ship software faster, and with higher quality. These services cover planning, source code, builds, deployments, and artifacts. One of the great things about Azure DevOps is that it works great for any app and on any platform regardless of frameworks.
In this session, I will provide a hands on workshop guiding you through getting started with Azure Pipelines to build your application. Using continuous integration and deployment processes, you will leave with clear understanding and skills to get your applications up and running quickly in Azure DevOps and see the full benefits that CI/CD can bring to your organization.
1. Overview of DevOps
2. Infrastructure as Code (IaC) and Configuration as code
3. Identity and Security protection in CI CD environment
4. Monitor Health of the Infrastructure/Application
5. Open Source Software (OSS) and third-party tools, such as Chef, Puppet, Ansible, and Terraform to achieve DevOps.
6. Future of DevOps Application
This document discusses automating Dynamics 365 CE and PowerApps build and release processes using Azure DevOps and PowerApps build tools. It covers application lifecycle management (ALM), source control, solutions and layering in Dynamics 365, and using Azure DevOps for continuous integration and deployment with PowerApps build tools to import, export, publish and automate other deployment tasks. A demo is shown of creating a build/release pipeline with PowerApps build tools.
The document discusses DevOps, which combines development (Dev) and operations (Ops). It describes the software development lifecycle (SDLC) and compares the waterfall and agile methodologies. The document then discusses using version control systems like Git and code repositories like GitHub for managing source code changes by large development teams. It also covers using containers and container orchestration with Docker to deploy and manage applications. Finally, it discusses using configuration management to define and control an application's environment and dependencies throughout its lifecycle.
Similar to aOS Singapore 2019-Azure Secure DevOps Kit (20)
Azure Active Directory - Secure and Govern Cheah Eng Soon
Azure Active Directory helps secure and govern authentication with features like conditional access and privileged identity management. It allows organizations to mitigate admin risk, govern identities, and set terms of use policies for authentication and access across cloud and on-premises environments.
Zero Trust is a security concept that requires strict identity verification for anyone or anything trying to access applications, data, and infrastructure inside or outside the network. It assumes there is no implicit trust granted to assets and users inside the network, and that verification is required for every access. The goal of Zero Trust is to minimize risk from both external and internal threats by preventing lateral movement and only allowing access based on least-privilege user roles and asset usage.
Microsoft Endpoint Manager provides comprehensive device management capabilities for on-premises environments. It allows IT administrators to deploy, update, protect and monitor Windows, macOS, Linux and IoT devices from a single console. Endpoint Manager combines the capabilities of Configuration Manager and Intune to help businesses securely manage all types of devices across locations.
Microsoft Threat Protection Automated Incident Response Cheah Eng Soon
Microsoft Defender provides automated threat protection including zero-hour and auto purge features to respond to incidents. It also has automated incident response capabilities for user reported phishing attacks and URL verdict changes that help address threats.
The document discusses Azure penetration testing. It provides an agenda that covers an overview of common Azure services attacked, tools used for testing, and guidelines. It describes how Microsoft's blue and red teams work together on testing. Policies prohibit attacks on other customers or social engineering. Encouraged tests include using trial accounts and informing Microsoft of any vulnerabilities found. Steps outlined include identifying attack surfaces, data collection, vulnerability scanning, and penetration testing public-facing Azure services using tools like MicroBurst. Securing databases and using encryption are also addressed. A demo of vulnerability identification is promised.
You'll understand how hackers can attack resources hosted in the Azure and protect Azure infrastructure by identifying vulnerabilities, along with extending your pentesting tools and capabilities.
Microsoft Threat Protection Automated Incident Response Demo Cheah Eng Soon
A user reported a phishing attack in their Office 365 organization. The Office 365 Threat Protection service investigated the report and found a malicious URL distributing malware. The URL was blocked for all users in the organization to prevent further infection from this phishing attempt.
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive functioning. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms.
This document outlines demo scenarios for Microsoft Cloud App Security including discovering cloud apps used by an organization, protecting information from connected apps, detecting anomalous user behavior and threats across applications, and automating alert management with Power Automate. The scenarios cover exploring snapshot and continuous reports of discovered apps and risk scores, investigating connected apps and activity logs, detecting anonymous access, and integrating Microsoft Cloud App Security with Microsoft Threat Protection and Power Automate.
This document summarizes three Microsoft cloud security products: Azure Security Center, Azure Defender, and Microsoft Cloud App Security. Azure Security Center strengthens multi-cloud security posture through dashboards, connectors, secure scores, recommendations, and inventory. Azure Defender protects cloud workloads through vulnerability assessment and security for SQL, storage, and Kubernetes. Microsoft Cloud App Security discovers cloud apps, protects access to connected apps, and detects anomalous user behavior and threats.
Azure Active Directory - External Identities Demo Cheah Eng Soon
The document discusses configuring external identities in Azure Active Directory. It mentions partner authentication with Azure AD and consumer identity providers. It also discusses verifying identities with IDology and lists several organization names, addresses, and contact emails.
Azure WAF is a cloud-native web application firewall service that provides powerful protection for web apps with simple deployment, low maintenance costs, and automatic updates. It acts as a content delivery network and can defend against common attacks like command execution, SQL injection, cross-site scripting, and more, as demonstrated in a presentation where custom rules were set up to create an Azure WAF.
Azure Weekend 2020 Build Malaysia Bus Uncle Chatbot Cheah Eng Soon
Thank you for the informative presentation on conversational AI and natural language processing. I learned about key concepts like QnA Maker, Azure Bot Service, and various NLP capabilities in Azure Cognitive Services like text analytics, speech, and translation. The demo was very helpful to see these services in action.
20 common security vulnerabilities and misconfiguration in Azure Cheah Eng Soon
This document outlines 20 common security vulnerabilities and misconfigurations in Microsoft Azure. It discusses issues such as storage accounts being publicly accessible, lack of multi-factor authentication, insecure guest user settings, and features like Azure Security Center and Network Watcher being disabled by default. The document is intended to educate users on important security best practices for securing resources and configurations in Azure.
Integrate Microsoft Graph with Azure Bot Services Cheah Eng Soon
The document discusses 4 steps to integrate Microsoft Graph with Azure Bot Services by registering an application in Azure AD, making queries to Microsoft Graph to retrieve data like documents from SharePoint, implementing code snippets to retrieve the data, and extending the bot to Microsoft Teams. It provides an overview of conversational AI and Azure Bot Services and demonstrates using Microsoft Graph Explorer.
This document provides an overview of Azure Sentinel and how it can be used with Office 365. It discusses the challenges of security operations and how Azure Sentinel uses AI and automation to help. It then summarizes Azure Sentinel's key capabilities including visibility, analytics, hunting, incidents, and automation. It also includes demonstrations of these capabilities and steps to set up Azure Sentinel with an Office 365 connection.
Generating privacy-protected synthetic data using Secludy and Milvus Zilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Fueling AI with Great Data with Airbyte Webinar Zilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application... Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Programming Foundation Models with DSPy - Meetup Slides Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip, presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
TrustArc Webinar - 2024 Global Privacy Survey TrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Skybuffer SAM4U tool for SAP license adoption Tatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Dandelion Hashtable: beyond billion requests per second on a commodity server Antonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design (1) offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
HCL Notes and Domino License Cost Reduction in the World of DLAU panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Driving Business Innovation: Latest Generative AI Advancements & Success Story Safe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors DianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
- Creating a compelling user experience for any software, without the limitations of APIs.
- Accelerating the app creation process, saving time and effort.
- Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Monitoring and Managing Anomaly Detection on OpenShift.pdf Tosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
2. Who am I?
Microsoft MVP
Blog: www.techconnect.io
Twitter: @CheahEngSoon
YouTube Channel: http://bit.ly/engsoonyoutube
3. Understanding the security challenges of DevOps
• Engineering teams have increased autonomy.
• More development technologies are available.
• Constant change is the norm.
• DevOps has wide-ranging operational responsibilities.
4. Addressing DevOps security challenges
• Automate security
• Empower engineering teams
• Maintain continuous assurance
• Set up operational hygiene
13. The tools in this section include:
• Azure Automation runbooks that identify and correct security configuration drift.
• A set of PowerShell scripts to create the Automation account, apply the templates, and install and configure the Runbooks.
15. The OMS views include:
• Summary views of critical tasks that need immediate attention.
• Outcomes of the most recent continuous assurance scans.
• Summary of recent role-based access control activity (important role assignments, access revocation, and others).
• Trends of various security metrics and activity over time.
• Common useful queries for alerting, and other activities.
• Pre-configured alerts in OMS.
• Runbooks for auto-healing when certain alerts are triggered.
18. Cloud risk governance focuses on three primary views:
• We can see adoption and usage of the DevOps Kit across the enterprise. These views give us a picture of the company’s secure DevOps maturity in the cloud.
• We can view aggregate cloud-related risks across service lines. Aggregation of control failures for different cloud resource types helps us understand which areas of cloud use are leading to higher risk exposure for the company due to vulnerable configuration. This information can be used to target risk reduction.
• We get visibility into common errors and challenges that developers face while using the kit. Information about errors and exceptions helps the Secure DevOps Kit team improve features and the user experience.
20. Benefits of using Azure Secure DevOps Kit
• Reduced development time and money.
• Higher awareness of security.
• Easier transition to DevOps.
• Simple processes for checking existing solutions.
• Convenient assurance checks and problem resolution.
35. 1. Select your AzureRM Subscription.
2. Select “ResourceGroupName” as Parameter Set.
3. Enter the names of the resource groups that you created in the Azure Portal.
4. Enter your Azure Subscription ID.
36. 1. In Control Options, check “Continue on error”.
2. Select “Even if a previous task has failed, unless the deployment was canceled”.
3. Select “Save”.
• Engineering teams have increased autonomy. In the past, engineering teams waited weeks or months for development resources. Now that IT no longer provisions development environments, we don’t have a significant impact on scheduling or capital expense. With DevOps in the cloud, autonomy and decentralization allow engineering teams to work end to end with almost complete independence from IT. Engineering teams can instantly provision test environments, and solutions can be deployed and published with an Azure subscription at whatever pace suits the team and business stakeholders. Traditional security methods hinder this agility.
• More development technologies are available. Developing in the cloud opens up a huge opportunity for connecting different platforms and frameworks, but as flexibility has increased, so has the number of APIs and services used to make those connections. The cloud app development environment is more complex, and maintaining security in that environment using traditional methods is also more complex—and sometimes isn’t possible.
• Constant change is the norm. With the shift to agile sprints and DevOps, constant change is the norm. The platform components on which applications run keep changing, improving, and growing, often at a cadence dictated by individual Azure service teams. On top of that, dedicated business unit application teams regularly add new functionality and improve existing functionality following the agile philosophy of incremental but continuous improvement. Traditional security and the associated tollgate procedures aren’t designed for such continuous change.
• DevOps has wide-ranging operational responsibilities. In the DevOps era, there isn’t a hard boundary between development and operations. The engineer who developed a feature is also responsible for the operational aspects of the feature. Operational considerations, including security, are a high priority for the development team in a DevOps culture.
Faced with these DevOps security challenges, we set out to determine how security could be managed in a DevOps ecosystem. We wanted to change our thinking, methods, and tools to adapt to a development environment and culture that was in harmony with the nuances inherent in cloud DevOps. To do this, we adopted a number of imperatives.
Automate security
Automation gives us a chance to keep pace with the constantly changing cloud environment. DevOps is heavily centered on end-to-end automation, and we need to complement it with automated security. Automated security saves significant time and cost for apps that update much more often than their traditional counterparts, and it allows us to ensure that security configuration and deployment in DevOps can be achieved quickly and consistently.
Empower engineering teams
In an environment where change is constant, we want to empower our engineering teams to make meaningful, consistent changes without a tedious approval process. Our engineers need to be able to build security into their applications from the start. We need security integrated into the DevOps workflow. Developers don’t have to take extra measures to be secure, nor do they need to wait for a central security team to approve an app.
Maintain continuous assurance
When development and deployment are continuous, everything that goes with them needs to follow suit, including security assurance. The age-old requirements for sign-offs or compliance checks create tension in the modern engineering environment. We want to define a security state and track drift from that state to maintain a consistent level of security assurance across the entire environment. This helps ensure that builds and deployments that are secure at the time they are delivered stay secure from one release iteration to the next and beyond.
Set up operational hygiene
We need to have a clear view of our DevOps environment to ensure that operational hygiene is in place. In addition to understanding operational risks in the cloud, DevOps operational hygiene in the cloud requires a different perspective than the traditional development environment. We need to create the ability to see the security state across DevOps stages and establish capabilities to receive security alerts and reminders for important periodic activities.
What do you want to use the Secure DevOps Kit for?
As you can see from the summary description above, the "Secure DevOps Kit for Azure" (we will call it AzSK to be brief hereafter), can be used by many different stakeholders. So depending on your role in the DevOps ecosystem, one or more of the below scenarios may apply to you. The skillset needed to use the capabilities of the kit and the prerequisites you need to have on your machine will vary based on your scenario. Here are a few sample stakeholders and some points about how they may try to use the AzSK:
A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline.
Health check script. The subscription health check script runs automated steps to examine a subscription and flag conditions that indicate your subscription may be at risk due to security issues, misconfigurations, or obsolete settings.
Provisioning script. The provisioning script is a master script, which coordinates several smaller components that work together to provision a DevOps Kit environment. These components include:
• Mandatory role-based access control accounts for important functions.
• High-level alerts for critical or severe security events.
• Azure Resource Manager policies that help secure otherwise insecure actions.
• Default enterprise policy settings for Azure Security Center.
• Security contact information.
During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure.
Security Verification Tests. These tests automatically verify most built-in security controls for common Azure services such as App Services, Azure Storage, Azure SQL Database, Azure Key Vault, or Azure Virtual Machines.
Security IntelliSense. This feature augments traditional IntelliSense with secure coding best practices and offers corrections, tips, and guidelines while a developer writes code. The secure coding rules covered vary from Azure platform as a service (PaaS) APIs to traditional web application security and cryptography best practices.
Test automation is a core tenet of DevOps. We emphasize this by providing the ability to run SVTs as part of the VSTS CI/CD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all set up in a secure manner.
Build/Release Tasks for CI/CD workflows allow us to check subscription and resource security during automated build/deployment flows. These workflows integrate security coverage within the Visual Studio Team Services (VSTS) CI/CD pipeline via VSTS build/release extensions for security verification tests and other security tools.
In the constantly changing DevOps environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
Continuous assurance prevents security state drift and helps teams stay current with Azure security feature improvements. It also encourages adherence to security best practices such as key rotation and separation of duties. The tools in this section include:
• Azure Automation runbooks that identify and correct security configuration drift.
• A set of PowerShell scripts to create the Automation account, apply the templates, and install and configure the Runbooks.
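The drift tracking that continuous assurance relies on comes down to comparing the latest scan results against a known-good baseline and acting on regressions. The PowerShell below is an added illustration, not code from the kit or the slides; the column names, control IDs, resource names and both function names are constructed for this example.

```powershell
# Constructed sample data: the same resources scanned at release N (baseline)
# and release N+1 (current). Column names and control IDs are assumptions
# made for this example, not the kit's documented report schema.
$baselineCsv = @'
ControlID,ResourceName,ControlSeverity,Status
Example_Storage_HttpsOnly,stcontoso01,High,Passed
Example_Storage_NoAnonymousAccess,stcontoso01,High,Passed
Example_KeyVault_DiagnosticLogs,kv-contoso,Medium,Passed
Example_AppService_HttpsOnly,app-contoso,Medium,Failed
'@
$currentCsv = @'
ControlID,ResourceName,ControlSeverity,Status
Example_Storage_HttpsOnly,stcontoso01,High,Passed
Example_Storage_NoAnonymousAccess,stcontoso01,High,Failed
Example_KeyVault_DiagnosticLogs,kv-contoso,Medium,Failed
Example_AppService_HttpsOnly,app-contoso,Medium,Passed
Example_SqlDb_Auditing,sql-contoso,High,Failed
'@

function Get-SecurityDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # Index the baseline by resource + control so each current row is one lookup.
    $known = @{}
    foreach ($row in $Baseline) {
        $known["$($row.ResourceName)|$($row.ControlID)"] = $row.Status
    }
    foreach ($row in $Current) {
        $key    = "$($row.ResourceName)|$($row.ControlID)"
        $before = if ($known.ContainsKey($key)) { $known[$key] } else { 'NotInBaseline' }
        $drift  = $null
        if ($before -eq 'Passed' -and $row.Status -ne 'Passed') { $drift = 'Regressed' }
        elseif ($before -eq 'NotInBaseline' -and $row.Status -ne 'Passed') { $drift = 'NewFailure' }
        elseif ($before -notin @('Passed', 'NotInBaseline') -and $row.Status -eq 'Passed') { $drift = 'Fixed' }
        if ($drift) {
            [pscustomobject]@{
                Drift    = $drift;            Severity  = $row.ControlSeverity
                Resource = $row.ResourceName; ControlID = $row.ControlID
                Before   = $before;           Now       = $row.Status
            }
        }
    }
}

function Test-ReleaseGate {
    # Returns $true when no blocking-severity control regressed or newly failed.
    param([object[]] $Drift, [string[]] $BlockingSeverity = @('Critical', 'High'))
    $blocking = @($Drift | Where-Object {
        ($_.Drift -in @('Regressed', 'NewFailure')) -and ($_.Severity -in $BlockingSeverity)
    })
    return ($blocking.Count -eq 0)
}

$drift = Get-SecurityDrift -Baseline ($baselineCsv | ConvertFrom-Csv) `
                           -Current  ($currentCsv  | ConvertFrom-Csv)
$drift | Sort-Object Drift, Severity | Format-Table -AutoSize
if (-not (Test-ReleaseGate -Drift $drift)) {
    Write-Warning 'High-severity drift from the baseline: fail this release stage.'
}
```

Keeping the gate separate from the comparison lets a scheduled job report every change while a release stage blocks only on the severities the team has agreed to treat as blocking.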
Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans all stages of DevOps, in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates.
The alerting and monitoring solution for the DevOps Kit uses Operations Management Suite (OMS) to offer a central dashboard where teams can view the security state and trends for their Azure subscriptions and applications, as reported by the different components of the kit. The OMS solution is created from an Azure Resource Manager template that builds all the necessary components needed for security state monitoring.
Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security, targeting areas of high risk and maximum usage before others.
The Secure DevOps Kit generates telemetry events from all stages that use automation, scripts, or extensions. The telemetry is routed to an Application Insights account where it’s processed through web jobs that integrate organization mapping information and then viewed on a Power BI dashboard. The telemetry supports a data-driven approach to agile development and DevOps by allowing us to make measured and accurate security improvement decisions in a continuous fashion.
Fetch information about various AzSDK components
Overview
Subscription information
Control information
Attestation information
Host information
This command provides overall information about the AzSDK, which includes subscription information (alert/policies/ASC/CA version etc.), security controls information (severity, description, rationale etc.), attestation information (statistics, attestation justification, expiry etc.), and host information (AzSDK settings/configuration, AzureRM Context etc.). The ‘Get-AzSDKInfo’ command can be used with the ‘InfoType’ parameter to fetch this information.
• Reduced development time and money. The Secure DevOps Kit puts security best practices and tools at our fingertips. It saves our developers the time and effort of researching, cataloging, and implementing Azure security practices manually, and it provides a set of consistent security practices for them to follow.
• Higher awareness of security. Because the Secure DevOps Kit builds security automation and best practices into the development process, our engineers are aware of security requirements and capabilities from the beginning of a project. Security has become an integral piece of the development process, rather than something that’s scrutinized near the end of the development cycle and might require significant re-work of solution components.
• Easier transition to DevOps. FMCS is in the midst of transitioning to DevOps, and the Secure DevOps Kit has simplified that transition. By incorporating security automation in our toolset, we know that security is built in to the entire life cycle.
• Simple processes for checking existing solutions. We’ve used the manual Service Validation and Testing (SVT) processes several times with existing projects to confirm that Azure security configuration is correct.
• Convenient assurance checks and problem resolution. The OMS dashboards in the Secure DevOps Kit enable us to view security assurance across our app portfolio and see where attention is needed. The alert package helps us ensure that Azure resources security configuration drift is kept in check.