Enabling security at speed and scale requires building security as code, which is often provided by software-defined networks. The cloud offers software-defined networks, along with some challenges to running workloads safely.
Finding Security a Home in a DevOps World - Shannon Lietz
Presented this talk at DevOps Summit in 2015 to a DevOps community. Discovered that security is new to most DevOps teams and this was a very good discussion.
Security at the Speed of Software Development - DevOps.com
There are a lot of DevSecOps offerings that are just DevOps lipstick on a traditional security-as-a-gate pig. Also, security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy an order of magnitude or more faster than human gating can achieve.
What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and coaches and stop thinking of their jobs as gatekeepers.
This webinar will introduce a framework to accomplish this mindset shift. It includes guidance on the characteristics of tools compatible with DevOps. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
Whether you’re just beginning to explore cloud computing or adopting it at enterprise-scale, it is important to build security into your architecture. But gone are the days of manual security audits that slow down agile development. Your modern continuous integration and continuous delivery architecture demands continuous security that doesn’t hinder DevOps. In this session, we’ll share tips to help your organization embrace DevSecOps. Presented by RedLock.
Take Control: Design a Complete DevSecOps Program - Deborah Schalm
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ... - Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of focusing on resilience against service disruptions, the focus is on identifying the truth behind our current security state and determining what "normal" operations actually look like when they are put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world's largest healthcare company to proactively discover system weaknesses before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
Runecast: Simplified Security with Unparalleled Transparency (March 2022) - Jason Mashak
Your best future-proofing starts now. Discover, manage, audit and remediate across your hybrid cloud – all via one patented platform. Runecast customers report time savings of 75-90%, security compliance audit readiness, and greatly increased uptime. Enable your IT Security and Operations teams with a single platform for discovering and resolving IT problems you don't yet know about. Ask us about the Runecast Challenge!
Runecast enables organizations with immediate proactive results and ROI in the areas of Cloud Security Posture Management (CSPM), Kubernetes Security Posture Management (KSPM), Governance, Risk Management and Compliance (GRC), IT Operations Management (ITOM), Vulnerability Assessment/Management, Configuration Management and more.
Security will always be our top priority. Agile deployment methods require a set of dynamic built-in security controls that keep pace with innovation and scale. In this session we will utilise the power of automation with the AWS platform to increase the agility of developers while maintaining a strong security posture.
Speaker: David Faulkner, Senior Technical Account Manager, Amazon Web Services
Runecast Analyzer uses the VMware Knowledge Base to analyze the vSphere configuration and logs. It exposes potential issues before they cause major outages. Runecast also uses the vSphere Security Hardening guides and Best Practices to scan your VMware infrastructure for compliance.
Optimize & Secure Your Hybrid Cloud with Runecast (September 2021) - Jason Mashak
Take proactive control of security and efficiency in your IT environment. Runecast reveals any misconfigurations to simplify configuration management, hardware compatibility and uptime. Proactive remediation of issues means no longer needing an entire team working overtime to put out fires. And you can scratch 'vulnerability management' off the to-do list via automated real-time best practice and security compliance audits.
DevSecOps Personas: what Developers, Security, and Operations think about people, technology, processes, and culture when it comes to rolling out DevSecOps programs.
Each of these teams has different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, 'The only way to get anyone to do anything is to make them want to do it'; all the tech and process in the world isn't going to make it successful if the people and culture (and heart) are not in it. So let's share what we've seen from hundreds of company interactions, understand better where everyone is coming from, and discuss how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown's guitar. We'd love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary is focused on the people, process, technology, and culture aspects of DevSecOps, as someone who has worked in all three spaces during his time, and on the drivers, blockers, etc. that each experiences with 'DevSecOps', 'shift-left', 'secure by design', and the rest.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" - Aaron Rinehart
This session will cover the foundations of DevSecOps and the application of Chaos Engineering to Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allow teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know, Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest as outages, incidents, and breaches. In other words, security-focused Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes.
Application security meetup - cloud security best practices 24062021 - lior mazor
The "Cloud Security Best Practices" meetup is about Secrets Management in the Cloud, Secure Cloud Architecture, Event Tracking in Microservices, and How to Manage Secrets in K8S.
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants) - DJ Schleen
Join us at Agile+DevOps East's DevSecOps Summit on November 18th to check out our new presentation: https://agiledevopseast.techwell.com/program/devsecops-summit-sessions/blameless-retrospectives-devsecops-global-healthcare-giants-agile-devops-virtual-2020
Chaos engineering for cloud native security - Kennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicates these challenges. Hence, novel security mechanisms are imperative to overcome them. Such mechanisms must be customer-centric and continuous, and not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix's Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches: it injects security faults that trigger security failures impacting integrity, confidentiality, and availability. Safety measures are also employed so that impacted environments can be reverted to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner, and extends the benefits of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google Cloud Platform.
The AWS platform offers a rich set of capabilities that can be leveraged by the customer to better control applications state, configuration, and supporting infrastructure throughout the service lifecycle – all while operating with security best practices such as audit and accountability, access control, change review and governance, and systems integrity. We will showcase and discuss design patterns for using these capabilities in synergy with fast-paced and agile application development methodologies – such as DevOps – to achieve an integrated security operations program.
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
Sam Herath - Six Critical Criteria for Cloud Workload Security - centralohioissa
Modern elastic cloud infrastructure is fundamentally breaking traditional security approaches. Public cloud has no natural perimeter or network segmentation, leaving individual cloud servers exposed. In private cloud, malicious East-West traffic inside the network is a serious threat. As new workloads are added and retired dynamically, change control is difficult, and updating granular firewall rules and security policies becomes a risky, manual process. Join us and learn the 6 Critical Criteria to secure your public, private or hybrid cloud: on-demand, anywhere, at any scale.
DevSecOps is a new way to deliver security as part of the Software Supply Chain. It supports a built-in process and faster security feedback loop for DevOps teams.
People no longer hesitate when storing highly sensitive documents like health reports, legal papers, enterprise documents and bank details in cloud storage sites and when geotagging personal photos in social networking sites. Even though the cloud is now an integral part of computer users, there are hardly any universal rules or laws that protect users’ privacy, thereby placing that responsibility in the end user’s hands. This session will discuss key threats to end user privacy and what precautions users can take to eliminate or minimize the harm caused by them.
App sec in the time of docker containers - Akash Mahajan
A look at how application security needs to evolve to keep up with applications that are containerised. First delivered at c0c0n 2016; the audience got a ready checklist to go with the talk.
Much has been said about DevOps and SecDevOps for security automation and integration. However, to many in the security community, this is still a buzzword. There are nevertheless many practical applications of automation in cloud security controls, across all security-related disciplines. This talk will delve into concrete examples of security automation in the cloud, with metrics examples as well.
(Source : RSA Conference USA 2017)
Aspirin as a Service: Using the Cloud to Cure Security Headaches - Priyanka Aash
Moving critical workloads into the cloud can be unnerving for security professionals. In reality, though, the cloud offers a whole new set of opportunities for the security team to do things even better than in their on-premises environment. Two seasoned cloud experts will explore the latest real-world, practical tools and techniques for becoming demonstrably more secure as you move to the cloud.
(Source: RSA USA 2016-San Francisco)
Building and Adopting a Cloud-Native Security Program - Priyanka Aash
Cloud is a new frontier that requires new architectures, higher velocity processes and crisper business-level metrics—all of which smacks security programs square in the face. This session will leverage the nearly 20 years of the speakers’ combined cloud experience to lay out a complete strategy for building out a cloud-first security program that covers infrastructure and application development.
(Source: RSA Conference USA 2018)
We've got more assets in the cloud than ever. Unfortunately, we also have less visibility and control in these environments. Implementing detection and response controls that leverage cloud provider tools and controls, as well as automation strategies and processes, is critical for effective incident detection and response in hybrid cloud environments. This session will get you started!
(Source: RSA Conference USA 2018)
Whose Cloud is It Anyway - Data Security in the Cloud - SafeNet
Forget the geeky analysis of cloud security; risk is driven by people involved and the approach to adoption. In this RSA Conference 2015 presentation, David Etue, VP of Corporate Strategy, Gemalto, reviews the complex issues around data ownership and control in the cloud. When so many people have access to your data, how do you keep it safe? Unshare it!
RSA 2015 Realities of Private Cloud Security - Scott Carlson
My 2015 talk at the RSA US Conference on Private Cloud Security and ways that companies need to think about their cloud as they build it within their private data center.
Pragmatic Security Automation for Cloud - Priyanka Aash
Everything in cloud computing is automated and API-enabled, giving security teams a big opportunity to build and embed security into infrastructures. From continuous guardrails to automated "afterburners" to speed up complex processes, this advanced session leverages the latest software-defined security techniques and shows how to integrate automation. Be prepared for demos, design patterns and a little code.
(Source: RSA Conference USA 2018)
You automated your deployment, elasticized your workloads, and dynamically provisioned your fleet. What do you do next?
Tackle automating your security needs using the latest capabilities in the cloud! There’s no single path to building an automated and continuous security architecture that works for every organization, but certain key principles and techniques are used by the early adopter cloud elite that give them distinct advantages. It's time to re-think your organization’s processes and behaviors to demonstrate the latest efficiencies in your security operations. In this webinar, learn how Intuit implements cloud security automation with Evident.io and other innovative cloud technologies.
Join us to learn:
• How security will be integrated into the overall processes of development and deployment.
• How to tie security acceptance tests, a subset of your key security controls, right into the end of your functional testing process to promote builds with confidence at greater speed.
• How to be successful with API-enabled, continuous security tools in the cloud.
• How to operationalize security alarms, enabling world-class incident response and remediation capabilities.
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security (Symantec)
Nico Popp, Vice President, Information Protection at Symantec, explains. As users, infrastructure and applications move to the cloud at a record-breaking pace, the cloud has become a paradox: both a dream and a nightmare. Accessibility, scale, price and elasticity drive high adoption while security is a source of constant concern. This session will focus on a practical four pillar model for enterprise cloud security, all supported by real-world implementation.
Serverless Security: Are you ready for the Future? (James Wickett)
Talk from RSA 2017 on Serverless Security and the 4 areas of growth for security in the world of serverless. In this talk, there is also the first release of lambhack, an open source, vulnerable lambda-based serverless stack demoing arbitrary code execution in lambda.
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers (Priyanka Aash)
IaaS clouds transformed datacenter security architecture by enabling programmatic detection of flaws, making the cloud more transparently secure than any legacy architecture. But security practitioners who assume congruence to legacy designs miss where attack surface and visibility have changed. With concrete examples, this talk will explore the practical risks posed by misunderstanding VPC DNS and more.
Learning Objectives:
1: Understand exfiltration risks in cloud hosting services due to DNS and VPC endpoints.
2: Understand what mitigations are not available when moving from legacy to cloud.
3: Understand mitigations available for server and serverless (container) designs.
(Source: RSA Conference USA 2018)
The presentation starts with a blank slate for those who have no idea what the cloud and virtualization world is, and gradually builds up to handling security issues. If anyone wants the soft copy, please ask for it at anupam@blumail.org
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds (SBWebinars)
Addressing public cloud security and compliance is overwhelming given the lack of visibility and monitoring security teams have over their assets in the cloud. This problem is further compounded given the cloud’s benefits of speed and scale and that legacy security tools simply can’t keep pace. Alarmingly, Gartner predicts that through 2022, at least 95 percent of cloud security failures will be the fault of the customer.
Join us for a live webinar with Dan Hubbard, Chief Product Officer at Lacework on how to overcome the challenges of protecting your cloud and how to automate security and compliance across AWS, Azure, and GCP, including:
Where traditional security falls short and common threats start
Why end-to-end visibility is critical across all of your cloud environments
How to scale compliance and audit control as your cloud footprint expands
What to consider when securing workloads and containers
DevOps and the Future of Enterprise Security (Priyanka Aash)
The era of technology as a limiting factor of business innovation is at an end. For years security teams have struggled with basic security hygiene and practices such as asset inventory, secure configurations and secure development. Learn how your security team can operate at the “speed of business” by implementing leading DevOps practices.
Learning Objectives:
1: Learn how to inject security into the DevOps pipeline.
2: Learn how to solve security problems with DevOps.
3: Learn how to lead DevOps change in the enterprise.
(Source: RSA Conference USA 2018)
Why the cloud is more secure than your existing systems (Ernest Mueller)
Talk presented by Ernest Mueller at LASCON 2010 on cloud computing security and why it's likely that the cloud is more secure than what you're doing right now.
12. #RSAC
DevOps brings mega-change!
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman, founder of Rugged DevOps and I am the Cavalry.
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
… And maybe that’s a good thing!
13. #RSAC
Top 5 Cloud Security Principles 2.0
The Cloud is not a Datacenter.
Reduce blast radius; play the odds.
Encryption is inconvenient.
Speed & Ease is both Friend & Foe.
Protection is ideal; Detection is a must!
16. #RSAC
VPNs that connect to Clouds are evil!
(Slide diagram: a DataCenter and a CloudProviderNetwork, each with a PUBLIC SUBNET, APP tier and DATABASE tier, joined over a PRIVATE 10.0.0.0/8 link by a SOFTWARE VPN or MANAGED VPN, plus Remote Access to the Cloud Web Console and API Credentials. Callout: “NEW” BOUNDARY HAS ALL THE WEAKNESSES OF BOTH AND MIXES TWO DIFFERENT SECURITY MODELS! Questions written on the diagram: Connected & Routable? No IDS? What do you mean the IP could change? Tags? Security Groups? SDE?)
17. #RSAC
Host-Based Controls
Shared Responsibility and Cloud require host-based controls.
Instrumentation is everything!
Fine-grained controls require more scrutiny and bigger big data analysis.
(Slide diagram: instances inside the CloudProviderNetwork emitting an instrumentation feed: Tested machine image… / Tested instances… / Tested roles… / Tested passwords… / New instance created… / Instance 12345 changed… / User ABC accessed Instance 12345…)
18. #RSAC
Lights out…
Lights out datacenters have always been a desired nirvana.
Automation is required to stack and replace cloud workloads.
Cloud security benefits are derived from lights out…
Automation & Instrumentation
Ephemeral Bastions
Drift Management
Security Testing
(Slide diagram: a Bastion instance and workload instances inside the CloudProviderNetwork, with the same instrumentation feed as slide 17.)
19. #RSAC
Long live APIs…
Everything in the cloud should be an API, even Security…
Protocols that are not cloudy should not span across environments.
If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
Messaging
Databases
File Transfers
Logging
(Slide diagram: the CloudProviderNetwork fronted by “My API” for User Routing, Data Replication, Application Gateway, File Transfers, Log Sharing and Messaging, with the same instrumentation feed as slide 17.)
22. #RSAC
Beware of Orchestrators…
Orchestration creates blast radius because it centralizes the deployment/security for cloud workloads.
Tools that act on your behalf usually require credentials and create blindspots.
Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.
(Slide diagram: a Cloud Orchestration Platform holding secrets and deploying into CloudAccounts A, B and C inside the CloudProviderNetwork. Callout: What’s normal?)
23. #RSAC
Account Sharding is a new control!
Splitting cloud workloads into many accounts has a benefit.
Accounts should contain less than 100% of a cloud workload.
Works well with APIs; works dismally with forklifts.
What is your appetite for risk?
(Slide diagram: Cloud Workload Templates deployed 33% / 33% / 33% into three CloudAccounts inside the CloudProviderNetwork, and an attacker.)
24. #RSAC
MFA is a MUST!
Passwords don’t work.
Passwords aren’t enough to protect infrastructure.
Use MFA to protect User accounts and API credentials used by Humans.
On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.
(Slide diagram: an MFA token reading 123456 beside a deployment transcript:)
Implement cloud template…
API Credentials accepted...
Please input your MFA token:
XXXXXX (123456)
Cloud stack 123 has been implemented.
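The role and action gating the slide describes, as an added example that is not code from the deck: a small evaluator for IAM-style policies whose statements carry MFA conditions. The condition keys aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge are the real AWS keys; the policy documents, request contexts and the evaluator itself (which models explicit deny, allow and implicit deny but ignores Resource) are constructed here and are not the AWS policy engine.

```python
# Added example (not from the RSA deck): a teaching model of IAM policy
# evaluation for the MFA-gated pattern the slide describes. The condition
# keys aws:MultiFactorAuthPresent / aws:MultiFactorAuthAge are the real AWS
# keys; the policies, contexts and evaluator are constructed for this page.
import fnmatch

# Constructed trust policy: the role can only be assumed with MFA present.
# Long-term access keys carry no MFA context at all, so they fail this Bool.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*",
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
}

# Constructed permission policy: read-only EC2 and all IAM calls are allowed,
# destructive EC2 calls need an MFA session younger than one hour, and
# minting new access keys is explicitly denied unless MFA was present.
MFA_GATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}},
        # BoolIfExists rather than Bool: a request carrying no MFA key at all
        # (long-term credentials) must still match this deny.
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _condition_matches(condition, ctx):
    """Evaluate the subset of IAM condition operators used above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Bool":
                if not present or str(ctx[key]).lower() != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                # A missing key satisfies the condition; a present key must match.
                if present and str(ctx[key]).lower() != expected.lower():
                    return False
            elif operator == "NumericLessThan":
                if not present or not float(ctx[key]) < float(expected):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def is_allowed(policy, action, ctx):
    """IAM decision order: an explicit Deny wins, then any matching Allow,
    otherwise implicit deny. ctx holds the request's condition keys.
    Resource matching is left out to keep the model small."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts: a long-term access key (no MFA keys at all)
# versus STS sessions obtained with an MFA token 10 minutes and 2 hours ago.
LONG_TERM_KEY = {}
FRESH_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "600"}
STALE_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "7200"}
```

The BoolIfExists deny is the part people get wrong: a plain Bool "false" test never matches a request that has no MFA key at all, which is exactly the long-term-credential case the slide wants blocked.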
25. #RSAC
Cloud Disaster Recovery is a different animal…
Regional recovery is not enough to cover security woes.
Security events can quickly escalate to disasters.
Got a disaster recovery team?
Multi-Account strategies with separation of duties can help.
Don’t hard code if you can help it.
Encryption is inconvenient, but necessary…
(Slide diagram: Cloud Workload Templates deployed 50% / 50% into two CloudAccounts inside the CloudProviderNetwork, plus Disaster Templates covering 50% into separate CloudAccounts.)
27. #RSAC
Encryption is a necessary evil…
It helps with Safe Harbor.
It helps with SQL Injection.
It helps with Data Ownership.
It helps with Privacy.
It’s not a silver bullet…
(Slide diagram: three CloudAccounts inside the CloudProviderNetwork; an Instance running App, DB and Disk, backed by Secrets Management, Key Management & Encryption and a Managed Service.)
28. #RSAC
So much inconvenience
It can limit scale and it may narrow design options.
Scalable Key Management is really hard in the cloud.
Inconvenience commonly comes from blue/green changes, dynamic environment & sharing secrets for auto-scale.
(Slide diagram: two CloudAccounts with blue/green APP and DB pairs and many auto-scaled Instances, each with its own Disk, all depending on one Secrets Management service. Caption: Phew, I’m exhausted.)
29. #RSAC
Overcoming Inconvenience
Use built-in transparent encryption when possible.
Use native cloud key management and encryption when available.
Develop backup strategies for keys and secrets.
Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.
Use APIs to exchange data and rotate encryption.
(Slide diagram: the same layout as slide 27: three CloudAccounts, an Instance running App, DB and Disk, backed by Secrets Management, Key Management & Encryption and a Managed Service.)
31. #RSAC
Speed & Ease can create problems…
Overloaded terms like “Policy” can cause confusion for DevOps and Security teams.
Applying broad controls to narrow problems can create gaps.
Security reviews are too slow…
Mistakes can and do happen!!
Security scanners and testing tools are not yet available for solving these speed & ease challenges.
(Slide cartoon: DEVOPS and SECURITY talking past each other, with SECURITY AS CODE on one side and a CLOUD SECURITY POLICIES document open at Page 3 of 433 on the other. Speech bubbles: How do I? Did you mean? What is? Sigh… It’s like we aren’t speaking the same language…)
32. #RSAC
Mixed modes don’t work
Forklifts are not a good idea because the original controls operate differently.
Systems designed for waterfall don’t have an easy path to achieve agile.
Fragile applications in the cloud are easy pickings for attackers!
(Slide cartoon caption: MAN – THIS SHELL IS HEAVY!)
33. #RSAC
Code can solve the divide
Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
Translation from paper to code can lead to mistakes.
Traditional security policies do not 1:1 translate to Full Stack deployments.
(Slide diagram: DataCenter policies beside CloudProviderNetwork policies, captioned EVERYTHING AS CODE, against a policy document open at Page 3 of 433.)
DataCenter:
• LOCK YOUR DOORS
• BADGE IN
• AUTHORIZED PERSONNEL ONLY
• BACKGROUND CHECKS
CloudProviderNetwork:
• CHOOSE STRONG PASSWORDS
• USE MFA
• ROTATE API CREDENTIALS
• CROSS-ACCOUNT ACCESS
34. #RSAC
Speed & Ease can increase security!
Fast remediation can remove an attack path quickly.
Resolution can be achieved in minutes compared to months in a datacenter environment.
Continuous Delivery has an advantage of being able to publish over an attacker.
Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.
(Slide diagram: an ATTACKED APP/DB stack is snapshotted for FORENSICS while a freshly published APP/DB stack is RECOVERED.)
37. #RSAC
Cloud Security is a Big Data Challenge…
DevOps + Security is the biggest big data challenge ahead.
Use Attack Models and choose the right Data Sources to discover attacks in near real-time.
Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.
• Web Access Logs
• Java Instrumentation
• Proxy Logs
• DNS Logs
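The attack-model-to-data-source loop above, as an added example that is not part of the deck: two constructed attack models, one bound to web access logs and one to DNS logs (both data sources the slide lists), each run over constructed sample lines. The log formats, thresholds and host names are assumptions to be tuned per workload.

```python
# Added example (not from the RSA deck): the slide's "attack model plus data
# source" loop as code. Two constructed attack models, each bound to one of
# the data sources the slide lists (web access logs, DNS logs), are run over
# constructed sample lines. Thresholds are assumptions to tune per workload.
import math
import re
from collections import Counter

# --- Data source 1: web access logs (constructed, combined-log style) ---
WEB_LOG = """\
203.0.113.7 - - [20/Apr/2018:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Apr/2018:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Apr/2018:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Apr/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Apr/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Apr/2018:10:00:04 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.9 - - [20/Apr/2018:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 4096
198.51.100.9 - - [20/Apr/2018:10:00:09 +0000] "POST /login HTTP/1.1" 401 512
"""
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def password_guessing(lines, min_failures=5):
    """Attack model: repeated failed logins from one source, possibly followed
    by a success. Returns {source_ip: (failure_count, later_succeeded)} for
    sources whose failures reached the threshold."""
    failures, succeeded = Counter(), set()
    for line in lines.splitlines():
        m = WEB_RE.match(line)
        if not m or m["path"] != "/login" or m["method"] != "POST":
            continue
        if m["status"] == "401":
            failures[m["ip"]] += 1
        elif m["status"] == "200" and failures[m["ip"]] >= min_failures:
            succeeded.add(m["ip"])
    return {ip: (n, ip in succeeded) for ip, n in failures.items() if n >= min_failures}


# --- Data source 2: DNS query logs (constructed: "<client> <qname> <qtype>") ---
DNS_LOG = """\
10.0.1.5 updates.example.com A
10.0.1.5 a3f9e1c7b2d4e6f8091a2b3c4d5e6f70.tunnel.example.net TXT
10.0.1.5 8b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.tunnel.example.net TXT
10.0.1.5 ff00112233445566778899aabbccddee.tunnel.example.net TXT
10.0.2.8 www.example.com A
"""


def _entropy(s):
    """Shannon entropy in bits per character; encoded data scores high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dns_exfiltration(lines, min_label_len=24, min_entropy=3.5, min_queries=3):
    """Attack model: data leaving the VPC as long, high-entropy leftmost
    labels under one parent domain. Returns {(client, parent): query_count}."""
    hits = Counter()
    for line in lines.splitlines():
        client, qname, _qtype = line.split()
        labels = qname.split(".")
        first, parent = labels[0], ".".join(labels[1:])
        if len(first) >= min_label_len and _entropy(first) >= min_entropy:
            hits[(client, parent)] += 1
    return {k: v for k, v in hits.items() if v >= min_queries}
```

Each model names its data source explicitly, which is the point of the slide: the detection is only as good as the feed it was designed against.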
40. #RSAC
Safe experimentation is critical…
Test possible solutions, arrive at Good Enough.
Crawl-Walk-Run plans can save your org from large-scale incidents.
Keep up with Lessons Learned!
41. #RSAC
Don’t Hug Your Instances…
(Slide callout: 10 DAYS)
Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
Make sure to keep a snapshot for forensic and compliance purposes.
Use config management automation to make changes part of the stack.
Refresh routinely; refresh often!
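As an added example (not code from the deck), here are rules from two of its slides written as code: “USE MFA” and “ROTATE API CREDENTIALS” from slide 33, and the ten-day instance lifetime from slide 41 together with the tested-machine-image check implied by slide 18’s drift management. The inventory, image id and user names are constructed, the “-bot” naming rule for service users is an assumption, and the 90-day key-rotation window is an assumption; a real run would fill the inventory from the provider’s IAM and compute APIs.

```python
# Added example (not from the RSA deck): paper rules from the deck expressed
# as checks over an inventory. The inventory, image id and user names are
# constructed; the 10-day instance lifetime is from slide 41, the 90-day
# access-key rotation window is an assumption to tune per organization.
from datetime import datetime, timedelta, timezone

MAX_INSTANCE_AGE = timedelta(days=10)      # "replace your instances at least every 10 days"
MAX_ACCESS_KEY_AGE = timedelta(days=90)    # assumed window for "ROTATE API CREDENTIALS"
TESTED_IMAGE_ID = "ami-tested-placeholder"  # constructed id of the tested machine image
NOW = datetime(2018, 4, 20, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

# Constructed inventory: IAM-style users with access keys, and instances.
# Service users are recognised here only by the constructed "-bot" suffix;
# a real check would use tags or a path prefix instead of a naming rule.
USERS = [
    {"name": "alice", "mfa_enabled": True,
     "access_keys": [{"id": "key-alice-1", "created": NOW - timedelta(days=30)}]},
    {"name": "bob", "mfa_enabled": False,
     "access_keys": [{"id": "key-bob-1", "created": NOW - timedelta(days=400)}]},
    {"name": "deploy-bot", "mfa_enabled": False, "access_keys": []},
]
INSTANCES = [
    {"id": "i-0001", "image_id": TESTED_IMAGE_ID, "launched": NOW - timedelta(days=3)},
    {"id": "i-0002", "image_id": TESTED_IMAGE_ID, "launched": NOW - timedelta(days=14)},
    {"id": "i-0003", "image_id": "ami-handbuilt", "launched": NOW - timedelta(days=1)},
]

# What automation does with each finding (slide 34: snapshot, then publish over it).
REMEDIATION = {
    "no-mfa": "block console login until an MFA device is enrolled",
    "stale-access-key": "issue a new key, then revoke the old one",
    "instance-too-old": "snapshot for forensics, then blue/green replace",
    "untested-image": "snapshot for forensics, then blue/green replace",
}


def check_users(users=USERS, now=NOW):
    """'USE MFA' for human users and 'ROTATE API CREDENTIALS' for every key."""
    findings = []
    for user in users:
        if not user["name"].endswith("-bot") and not user["mfa_enabled"]:
            findings.append(("no-mfa", user["name"]))
        for key in user["access_keys"]:
            if now - key["created"] > MAX_ACCESS_KEY_AGE:
                findings.append(("stale-access-key", key["id"]))
    return findings


def check_instances(instances=INSTANCES, now=NOW):
    """'Don't hug your instances' plus drift away from the tested image."""
    findings = []
    for inst in instances:
        if now - inst["launched"] > MAX_INSTANCE_AGE:
            findings.append(("instance-too-old", inst["id"]))
        if inst["image_id"] != TESTED_IMAGE_ID:
            findings.append(("untested-image", inst["id"]))
    return findings


def security_as_code_report(users=USERS, instances=INSTANCES, now=NOW):
    """One list of (rule, subject, remediation) a CI stage can fail a build on."""
    return [(rule, subject, REMEDIATION[rule])
            for rule, subject in check_users(users, now) + check_instances(instances, now)]


if __name__ == "__main__":
    for rule, subject, action in security_as_code_report():
        print(f"{rule:18s} {subject:12s} -> {action}")
```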
42. #RSAC
Use Cloud Native Security Features...
Cloud native security features are designed to be cloudy.
Audit is a primary need!
Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
Be deliberate about how to use built-in security controls and who has access.
44. #RSAC
Apply what you learned today…
Next week you should:
Understand how your organization is or plans to use cloud providers
Identify cloud workloads and virtual blast radius within your organization
In the first 3 months following this presentation you should:
Begin to build Security as Code skills and run cloud security experiments to understand the issues
Develop Crawl-Walk-Run plans to help your organization build security into cloud workloads
Within 6 months you should:
Cloud workloads have been instrumented for known security issues and flagged during the Continuous Delivery of software to the cloud
Your group has begun to test using Red Team methods and automation to ensure end-to-end security for your cloud workloads
Remediation happens in hours to days as a result of automation
45. #RSAC
Get Involved & Join the Community
devsecops.org
@devsecops on Twitter
DevSecOps on LinkedIn
DevSecOps on Github
RuggedSoftware.org
Compliance at Velocity
Join Us !!!
Spread the word!!!