The document discusses why container security is important for developers. It notes that containers add security concerns at the operating system level that were previously handled by other teams. This increases developers' scope of responsibility while they are also expected to maintain pipeline velocity. It demonstrates how to integrate security checks into the development workflow without slowing down developers. It advocates for implementing known secure practices for building and running containers to mitigate vulnerabilities and adopting a defense-in-depth approach.
GDG SLK - Why should devs care about container security.pdfJames Anderson
Title: Why should developers care about container security?
Abstract: Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests (i.e. Kubernetes config's) before you commit your code.
Speaker: Eric is a 30+ year enterprise software developer, architect, and consultant with a focus on CI/CD, DevOps, and container-based solutions over the last decade. He is a Docker Captain, is certified in Kubernetes (CKA, CKAD, CKS), and has been a Docker user since 2013. As a Senior Developer Advocate at Snyk, Eric helps developers implement proactive and scalable security practices with a focus on container and cloud-native technologies.
Catch the video: https://youtu.be/lBNcUBdY-VM
Why should developers care about container security?Eric Smalling
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...Eric Smalling
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests before you commit your code.
Presented at KubeHuddle NA 2023 in Toronto, ON May 18th 2023
AWS live hack: Docker + Snyk Container on AWSEric Smalling
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
GDG SLK - Why should devs care about container security.pdfJames Anderson
Title: Why should developers care about container security?
Abstract: Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests (i.e. Kubernetes config's) before you commit your code.
Speaker: Eric is a 30+ year enterprise software developer, architect, and consultant with a focus on CI/CD, DevOps, and container-based solutions over the last decade. He is a Docker Captain, is certified in Kubernetes (CKA, CKAD, CKS), and has been a Docker user since 2013. As a Senior Developer Advocate at Snyk, Eric helps developers implement proactive and scalable security practices with a focus on container and cloud-native technologies.
Catch the video: https://youtu.be/lBNcUBdY-VM
Why should developers care about container security?Eric Smalling
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...Eric Smalling
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests before you commit your code.
Presented at KubeHuddle NA 2023 in Toronto, ON May 18th 2023
AWS live hack: Docker + Snyk Container on AWSEric Smalling
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
Introducing a Security Feedback Loop to your CI PipelinesCodefresh
Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/
Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/
We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT!
Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines.
Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports & trace back to your report from your production Kubernetes cluster using Codefresh.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
A list of action items you want to keep in mind when you're devsecops'ing for your cloudnative environments. Given as a part of a talk on the Modern Security series (
https://info.signalsciences.com/securing-cloud-native-ten-tips-better-container-security).
From Zero to Hero: Continuous Container Security in 4 Simple StepsDevOps.com
Containers are shaping the way organizations are developing and managing applications nowadays. However, many are not always fully aware of the measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security aspects. The mindset of securing our applications needs to be shifted – to continuous security. In this session, Shiri Ivstan, Product Manager at WhiteSource, will discuss:
1) the main security challenges organizations face when using containers;
2) the most common layers in a typical container deployment; and
3) 4 simple steps to build security into each layer.
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
In Collaboration with DevOps.com, WhiteSource's Shiri Ivtsan discussed in this webinar the main security challenges organizations face when using containers.
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
Have you ever needed to wrestle a legacy application onto a modern, scalable cloud platform, while increasing security test coverage? Sometimes real applications are not easily stuffed into a Docker container and deployed in a container orchestration system. In this talk, Modus Create Principal Architect Richard Bullington-McGuire will show how to compose Jenkins, Docker, Terraform, Packer, Ansible, Packer, Vagrant, Gauntlt, OpenSCAP, the CIS Benchmark for Linux, AWS CodeDeploy, Auto Scaling Groups, Application Load Balancers, and other AWS services to create a performant and scalable solution for deploying applications. A local development environment using Vagrant mirrors the cloud deployment environment to minimize surprises upon deployment.
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
Practical tips and heroic war stories on how to secure a large, modern, fast software delivery platform. From building a team to building cool stuff, dealing with organisational setups to dealing with security incidents.
Zero Buzzwords Guaranteed.
Chris Rutter has spent the last few years obsessed with making security, engineering and the business work together. Starting his career as an engineer, he uses a deep understanding of Agile, Devops, and product delivery to solve security problems in a way that enables teams, rather than hitting them with bricks.
This talk explains what what Pod Security Policy is and it's importance in Kubernetes Security. The talk also takes a look at the current situation of docker hub's popular images and helm charts repository.
This talk stresses on the fact that having PSP enabled the right way is absolutely necessary for the real security of the cluster.
Link to the demos:
What is Pod Security Policy? https://www.youtube.com/watch?v=nrWRMP94vqc
Kubernetes Hostpath exploit thrawted with Pod Security Policy https://www.youtube.com/watch?v=APS0CfD6DsE
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdfEric Smalling
Vulnerability exploits too often seem like empty threats that our security teams warn us about, but not something that would ever happen to my code! Join me in this hands-on workshop, where we will walk through a remote code execution exploit and how it can be used to expand to take over an entire Kubernetes cluster along with steps you can employ that would mitigate the attack.
Slides from live presentation at DockerCon, October 4, 2023
Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
Introducing a Security Feedback Loop to your CI PipelinesCodefresh
Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/
Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/
We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT!
Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines.
Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports & trace back to your report from your production Kubernetes cluster using Codefresh.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
A list of action items you want to keep in mind when you're devsecops'ing for your cloudnative environments. Given as a part of a talk on the Modern Security series (
https://info.signalsciences.com/securing-cloud-native-ten-tips-better-container-security).
From Zero to Hero: Continuous Container Security in 4 Simple StepsDevOps.com
Containers are shaping the way organizations are developing and managing applications nowadays. However, many are not always fully aware of the measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security aspects. The mindset of securing our applications needs to be shifted – to continuous security. In this session, Shiri Ivstan, Product Manager at WhiteSource, will discuss:
1) the main security challenges organizations face when using containers;
2) the most common layers in a typical container deployment; and
3) 4 simple steps to build security into each layer.
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
In Collaboration with DevOps.com, WhiteSource's Shiri Ivtsan discussed in this webinar the main security challenges organizations face when using containers.
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
Have you ever needed to wrestle a legacy application onto a modern, scalable cloud platform, while increasing security test coverage? Sometimes real applications are not easily stuffed into a Docker container and deployed in a container orchestration system. In this talk, Modus Create Principal Architect Richard Bullington-McGuire will show how to compose Jenkins, Docker, Terraform, Packer, Ansible, Packer, Vagrant, Gauntlt, OpenSCAP, the CIS Benchmark for Linux, AWS CodeDeploy, Auto Scaling Groups, Application Load Balancers, and other AWS services to create a performant and scalable solution for deploying applications. A local development environment using Vagrant mirrors the cloud deployment environment to minimize surprises upon deployment.
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
Practical tips and heroic war stories on how to secure a large, modern, fast software delivery platform. From building a team to building cool stuff, dealing with organisational setups to dealing with security incidents.
Zero Buzzwords Guaranteed.
Chris Rutter has spent the last few years obsessed with making security, engineering and the business work together. Starting his career as an engineer, he uses a deep understanding of Agile, Devops, and product delivery to solve security problems in a way that enables teams, rather than hitting them with bricks.
This talk explains what what Pod Security Policy is and it's importance in Kubernetes Security. The talk also takes a look at the current situation of docker hub's popular images and helm charts repository.
This talk stresses on the fact that having PSP enabled the right way is absolutely necessary for the real security of the cluster.
Link to the demos:
What is Pod Security Policy? https://www.youtube.com/watch?v=nrWRMP94vqc
Kubernetes Hostpath exploit thrawted with Pod Security Policy https://www.youtube.com/watch?v=APS0CfD6DsE
Similar to Container Stranger Danger - Why should devs care about container security (20)
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdfEric Smalling
Vulnerability exploits too often seem like empty threats that our security teams warn us about, but not something that would ever happen to my code! Join me in this hands-on workshop, where we will walk through a remote code execution exploit and how it can be used to expand to take over an entire Kubernetes cluster along with steps you can employ that would mitigate the attack.
Slides from live presentation at DockerCon, October 4, 2023
Look Ma' - Building Java and Go based container images without DockerfilesEric Smalling
As a developer, learning to write well-formed Dockerfiles can be challenging, especially for those new to containers. These builds can also can require specific build tools or container runtime access that might not be available in your build environments. Architects also often face the challenges of providing governance on image standards across their organization’s teams and the various applications they support. In this lightning talk, you will see a couple of open-source tools in action that can make it easier to meet all of these challenges as well as references to other tools and techniques for varying requirements.
SCaLE 19x - Eric Smalling - Hardening against Kubernetes HacksEric Smalling
Presented at SCaLE 19x, Los Angeles 2022
Misconfigurations in your Kubernetes deployments can create unforeseen security vulnerabilities that can give bad actors leverage to exploit containers, nodes or even the entire control plane of your cluster. In this talk I'll show how easy it can be to break into a cluster and why using tools to find issues and enforce governance around them can make your clusters a less attractive target.
DockerCon 2022 - From legacy to Kubernetes, securely & quicklyEric Smalling
You’ve been developing software for years and now your team is ready to take the plunge into orchestrated containers and Kubernetes. You’ve learned about containers, images, and Dockerfiles, but standing up a Kubernetes cluster and actually running your app in it seems like a daunting task.
In this session, we’ll go over the basics to get your app up and running in Kubernetes right on your own workstation using Docker Desktop. On the way, we’ll cover some of the security aspects you need to keep in mind and show you how to implement them in your Kubernetes manifests.
We’ll go over:
1.) Kubernetes basics, including pods, deployments, and services
2.) Moving a legacy app into a container and running it in Kubernetes
3.) Some security best practices to watch out for — and what can happen if you don’t
4.) Implementing those best practices to defend against and limit the blast radius of an attack
Python Web Conference 2022 - Why should devs care about container security.pdfEric Smalling
https://2022.pythonwebconf.com/presentations/why-should-developers-care-about-container-security
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don't have an appsec background to fully understand why they are important.
In this session, we will:
go over several of the most common practices to best containerize Python applications
show examples of how your application can be exploited in a container
and most importantly, how to easily spot issues and fix your Dockerfiles and deployment manifests before you commit your code
So. many. vulnerabilities. Why are containers such a mess and what to do abou...Eric Smalling
What’s with all of these container image vulnerabilities? I’m a developer, not a security analyst! Whether you’re a solo dev or a large team embracing DevSecOps, join me to learn practices I’ve seen successful teams using to build safer container images & avoid the mistakes they made along the way.
If you’ve even run a vulnerability scan on a container you’ve probably seen it: the dreaded list with 100s, maybe even 1000s of issues on it. Containers have made life simpler in so many ways, but security sometimes doesn’t feel like one of them. So what can we do about it?
In this talk, I’ll share what I’ve learned working with users and companies and the best practices I’ve picked up along the way to builds safer container images. I’ll also share what not to do, because there are many rabbit holes you can go down that end up wasting time and energy.
I’ll share the processes and patterns that you can use whether you’re working on an individual project, or you’re part of a bigger team embracing DevSecOps.
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D...Eric Smalling
Slides from my 2.5 hour hands-on workshop covering Docker basics, the Docker MTA program and how it applies to legacy Java applications and some tips on running those apps in containers in production.
Simply your Jenkins Projects with Docker Multi-Stage BuildsEric Smalling
This is a a talk I presented at Jenkins World 2017.
Abstract:
When building Docker images we often use multiple build steps and Dockerfiles to keep the image size down. Using multi-stage Docker builds we can eliminate this complexity, bringing all of the instructions back into a single Dockerfile while still keeping those images nice and small.
One of the most challenging things about building images is keeping the image size down. Each instruction in the Dockerfile adds a layer to the image, and you need to remember to clean up any artifacts you don’t need before moving on to the next layer. To write a really efficient Dockerfile, you have traditionally needed to employ shell tricks and other logic to keep the layers as small as possible and to ensure that each layer has the artifacts it needs from the previous layer and nothing else. It was actually very common to have multiple Jenkins pipeline steps and/or projects with unique Dockerfiles for different elements of the final build. Maintaining multiple sets of instructions to build your image is complicated and hard to maintain.
With multi-stage builds, you use multiple FROM statements in your Dockerfile. Each FROM instruction can use a different base, and each of them begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want in the final image and simplifying the both the Dockerfile and Jenkins configurations needed to produce your images.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
5. Coding
Test & Fix
Branch Repo
Test, Fix
Monitor
CI/CD
Test & Fix
Production
Test, Fix
Monitor
Test
Registry
Build Deploy
Get artifacts
Get public & private artifacts
SDLC Pipeline
7. Container Challenges
Historically, developers have owned
the security posture of their own
code and the libraries used.
Containers add security concerns
at the operating-system level such
as base-image selection, package
installation, user and file
permissions, and more.
Increased Scope of
Responsibility
These additional technologies used
to be owned by other teams such
as system engineers or middleware
teams. Many developers have
never had to deal with securing
these layers of the stack.
Lack of Expertise
While shifting security left adds
responsibilities to developer teams,
the business owners have
expectations that pipeline velocity
will not be negatively impacted.
Maintaining Velocity
8. Ownership of
developers
What does my service contain?
● Source code of my app
● 3rd party dependencies
● Dockerfile
● IaC files (eg. Terraform)
● K8s files
9. The financial giant said the
intruder exploited a
configuration vulnerability
“
“
-- https://www.theregister.com/2019/07/30/capital_one_hacked/
Configuration is a security risk
11. Coding
Test & Fix
Branch Repo
Test, Fix
Monitor
CI/CD
Test & Fix
Production
Test, Fix
Monitor
Test
Registry
Build Deploy
Get artifacts
Get public & private artifacts
SDLC Pipeline
14. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Minimize Footprint
Don’t give hackers more tools to expand their exploits
Layer Housekeeping
Understand how layers work at build and run-time
Build strategies
Multi-Stage, repeatable builds, standardized labeling,
alternative tools
Secure Supply Chain
Know where images come from.
Only CI should push to registries.
15. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need it.
Drop capabilities
Most apps don’t need even Linux capabilities;
dropping all and allow only what’s needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
16. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Secrets
Use them but make sure they’re encrypted and have
RBAC applied
RBAC
Hopefully everybody is using this.
SecurityContext
Much of the Runtime practices mentioned can be
enforced via SC
Network Policy
Start with zero-trust and add allow rules only as
necessary.
Enforcement
Use OPA (Gatekeeper), Kyverno, etc
17. Key Takeaways
Just like unit tests, fast, actionable
security feedback is critical.
Working security into a developer’s
workflow without slowing them
down drives adoption.
Feedback Loop
Giving developers tools that
provide actionable information can
allow them to deal with security
issues as they are introduced.
Empower developers
to be proactive
Implementing known secure
practices for building and running
your container images and IaC
configurations can mitigate
vulnerabilities that slip into
deployments as well as zero-day
vulnerabilities that may exist.
Defence in depth
