This document discusses integrating security into DevOps practices through continuous delivery. It proposes including security automation and monitoring at each stage of the software development pipeline from development through production. Specific techniques mentioned include performing continuous security scanning, integrating security testing with other testing stages, automating security tasks using tools like Ansible, and sharing security data and lessons learned across teams to improve processes over time. The overall message is that security should be built into delivery rather than treated separately to avoid slowing software releases while still maintaining quality.
A Survey of Container Security in 2016: A Security Update on Container Platforms - Salman Baset
This talk is an update on container security in 2016. It describes the security measures that containers provide, shows how containers provide out-of-the-box security measures that are prone to configuration errors when applications are run directly on the host, and finally lists the ongoing work in container security in the community.
Infrastructure as code: running microservices on AWS using Docker, Terraform,... - Yevgeniy Brikman
This is a talk about managing your software and infrastructure-as-code that walks through a real-world example of deploying microservices on AWS using Docker, Terraform, and ECS.
Everyone has heard of Kubernetes, and everyone wants to use it. However, we sometimes forget about security, which is essential throughout the container lifecycle.
Our journey with Kubernetes security should therefore begin in the build stage, when the code we write becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the session, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities that may lead to your system being compromised.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools shown in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning:
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O'Reilly Kubernetes Security:
https://kubernetes-security.info/
O'Reilly Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori - Docker, Inc.
True microservices are more than simply bolting a REST interface onto your legacy application, packing it in a Docker container and hoping for the best. Security is a key component when designing and building out any new architecture, and it must be considered from top to bottom. Oompa Loompas might not be considered "real" microservices, but Willy Wonka still has them locked down tight!
In this talk, Aaron will briefly touch on the idea and security benefits of microservices before diving into practical, real-world examples of creating a secure microservices architecture. We'll start with designing and building high-security Docker containers, using and examining the latest security features in Docker (such as User Namespaces and seccomp-bpf) as well as some typically forgotten security principles. Aaron will end by exploring related challenges and solutions in the areas of network security, secrets management and application hardening. Finally, while this talk is geared towards microservices, it should prove informative for all Docker users, whether building a PaaS or otherwise.
Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At... - Codemotion
Containers, and the tooling around them, make some parts of application security that much easier. There are some simple things you can do to make a substantial difference to the security of your applications without making any big changes to what you do. This talk will give you some small changes you can make in a few hours that will make it that much more difficult to hack your applications.
Building a Secure App with Docker - Ying Li and David Lawrence, Docker - Docker, Inc.
Built-in security is one of the most important features in Docker. But to build a secure app, you have to understand how to take advantage of these features. Security begins with the platform, but also requires conscious secure design at all stages of app development. In this session, we'll cover the latest features in Docker security and how you can leverage them. You'll learn how to add them to your existing development pipeline, as well as how you can streamline your workflow while making it more secure.
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13 - Zach Hill
A data- and policy-driven approach to container security and compliance using open-source Anchore. Presented at the Docker Meetup LA on 2/13/2017, including demos.
Ryan Koop's Docker Chicago Meetup Demo March 12 2014 - Cohesive Networks
CohesiveFT's Director of Products & Marketing, Ryan Koop, presented on how CohesiveFT is incorporating Docker containers in our latest version of the virtual networking appliance, VNS3.
Docker Meetup #2 was held on March 12, 2014 at Mediafly
Introduction to deployment with Ruby on Rails presented at JAX09 in Mainz by Jonathan Weiss.
Learn about the deployment architectures and setups (web and app tier) and using Capistrano/Webistrano.
A follow-on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Docker Security - Secure Container Deployment on Linux - Michael Boelen
How to securely deploy your containers, by the author of rkhunter and the auditing tool Lynis.
Many introductory talks about Docker and its container technology have been given. This attention to the subject is not surprising, given the number of people "doing DevOps" now.
With container technology being fairly new on the Linux platform, the security aspects of containers are often overlooked. While Linux containers still do not fully contain from a security point of view, we can definitely improve their security level.
In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding of how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.
DockerCon EU 2015: Stop Being Lazy and Test Your Software! - Docker, Inc.
Presented by Laura Frank, Engineer, Codeship
Testing software is necessary, no matter the size or status of your company. Introducing Docker to your development workflow can help you write and run your testing frameworks more efficiently, so that you can always deliver your best product to your customers and there are no excuses for not writing tests anymore. You’ll walk away from this talk with practical advice for using Docker to run your test frameworks more efficiently, as well as some solid knowledge of software testing principles.
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors - Sonatype
Lee Calcote, SolarWinds
Running a few containers? No problem. Running hundreds or thousands? Enter the container orchestrator. Let’s take a look at the characteristics of the four most popular container orchestrators and what makes them alike, yet unique.
Swarm
Nomad
Kubernetes
Mesos+Marathon
We’ll take a structured look at these container orchestrators, contrasting them across these categories:
Genesis & Purpose
Support & Momentum
Host & Service Discovery
Scheduling
Modularity & Extensibility
Updates & Maintenance
Health Monitoring
Networking & Load-Balancing
High Availability & Scale
What’s New in Docker - Victor Vieux, Docker - Docker, Inc.
It’s the first breakout after the keynote and you need to know more about all the latest and greatest Docker announcements. We've got you covered! In this session, Victor Vieux will go deeper into what's new with Docker, demo the latest features and answer your questions.
CI / CD / CS - Continuous Security in Kubernetes - Sysdig
Continuous Delivery helps to keep your software and Docker images updated and to deploy new versions in production easily. Microservices are great at reducing the attack surface and limiting the privileges or credential access of each piece of your application. Containers provide an opportunity to implement better security: small, immutable, single-process and single-purpose.
In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?
Chris Swan ONUG Academy - Container Networks Tutorial - Cohesive Networks
Slides from Chris Swan's ONUG Academy "Hands-On Container Networks" on May 12, 2015
This hands-on session will begin by looking at how Docker modifies a Linux host to enable containers to be connected to a network. It will then go through how applications running in containers can be connected together, and the different options for interconnectivity on a host and between hosts. Finally, we will take a look at running network application services inside containers.
Syllabus
Learn what Docker does to your Linux host on installation.
Connect applications running across multiple containers using configuration metadata and compositing tools.
Understand the different Docker networking modes (host, container, none).
Use Pipework to customise network configuration.
Connect containers across VMs using Open vSwitch.
Use containers for application network services such as proxies, load balancers and TLS termination.
Learning Objective 1: Understand how containers relate to the host network, and the consequences that has for services running within containers
Learning Objective 2: Understand the different ways that containers can be networked and internetworked.
Learning Objective 3: Use containers to run network application services.
About the topic:
Containers aren’t a new thing, but the Docker project has made them a hot topic as organisations look at new ways to build, ship and run their applications. This brings new challenges for the network as containers are likely to be ten times as numerous as virtual machines. At the same time there is regulatory pressure to move away from the flat LAN model and deliver greater separation and segregation. This presentation will look at how these two forces are coming together, firstly by examining how containers are networked and some of the new approaches and challenges that come with that. This will be followed by a look at how overlay networks are being deployed to achieve ‘microsegmentation’, and ultimately drive a shift towards application centric networking. Of course these forces will collide, bringing us to contained networks of containers.
Docker - Demo on PHP Application Deployment - Arun Prasath
Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more.
In this demo, I will show how to build an Apache image from a Dockerfile and deploy a PHP application, which is present in an external folder, using custom configuration files.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015 - Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps, and their stories of what happens when these tools are used insecurely as well as when the tools themselves are insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
The full value of DevOps cannot be achieved without the business first transforming itself according to the principles represented by Agile, Lean, and TDD. Applying principles from these disciplines will produce a lean, agile, and secure organization, while improving overall business performance.
DevOps vs Traditional IT Ops (DevOps Days ignite talk by Oliver White) - ZeroTurnaround
This is a 5-min version of the RebelLabs "IT Ops / DevOps Productivity Report" (http://zeroturnaround.com/rebellabs/rebel-labs-release-it-ops-devops-productivity-report-2013/) presented at DevOps Days in Paris, Austin, Berlin and Silicon Valley by Oliver White (@TheOTown).
As DevOps practices have been put into wide use, it's become evident that developers and operations aren't merging to become one discipline. Nor is operations simply going away. Rather, DevOps is leading software development and operations - together with other practices such as security - to collaborate and coexist with less overhead and conflict than in the past.
In his session at @DevOpsSummit at 19th Cloud Expo, Gordon Haff, Red Hat Technology Evangelist, will discuss what modern operational practices look like in a world in which applications are more loosely coupled, are developed using DevOps approaches, and are deployed on software-defined, and often containerized, infrastructures - and where operations itself is increasingly another "as a service" capability from the perspective of developers.
How does the operations tool chest change? How does the required skill set differ? How are the interactions between operations and other IT and business organizations different from in the past? How can operations provide the confidence to the entire organization that this new pipeline is still delivering non-functional requirements such as regulatory compliance and a secure and certified operating environment? How does operations safely consume vendor and upstream dependencies while meeting developer desires for the latest and greatest?
Operations is more important than ever for a business to derive value from its IT organization. But the roles and the goals of operations are significantly different than they were historically.
Demystifying DevOps for Ops - Including Findings from the 2015 State of DevOp... - Puppet
DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code.
It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.
DevOpsDays Baltimore 2017.
As organizations begin the path towards DevOps, I often run across development teams who are ready to start the transition but don't yet have their operations counterparts on board.
This talk is about the experiences and techniques that I have seen work (and not work) in my time supporting customers as a Solutions Engineer for GitHub, as well as being a development team lead in an organization whose operations side was reluctant to pursue DevOps.
DevSecOpsNess: Adding the business dimension to DevOps by Tanusree McCabe - DevOpsDays Baltimore
DevOpsDays Baltimore 2017.
In my experience, I have found that the DevOps generalist who wears multiple hats is not as efficient as the DevOps practitioner who also understands security and business drivers but is able to focus on a primary area of expertise that is informed by the other domains. I propose, instead of limiting 'DevOps' to Development and Operations, to also include the dimensions of Security and Business. This talk will discuss practical means to help ensure security-minded development, operations and prioritization, and to enable innovation that delivers true business value. Practical means are more than just including a test tool; among other possible means, they include commitment to cross-training, cultural norms such as trusting each team member, and incorporating business value validations in the definition of done.
Business Value of CI, CD, & DevOpsSec: Scaling to Billion User Systems Using ...David Rico
This is a presentation on the "Business Value of Continuous Integration, Continuous Delivery, & DevOps(Sec): Scaling Up to Billion User Global Systems of Systems Using End-to-End Automation & Containerized Docker Ubuntu Cloud Image-Based Microservices," which are late-breaking 21st century approaches for rapidly and cost-effectively building high-quality global information systems, minimum viable products, minimum marketable features, service oriented architectures, web services, and microservices using containerization and end-to-end automation.
Devops security-An Insight into Secure-SDLCSuman Sourav
The integration of Security into DevOps is already happening out of necessity. DevOps is a powerful paradigm shift and companies often don’t understand how security fits. The aim of this session is to give an overview of DevOps security and how security can be integrated and automated into each phase of the software development life-cycle.
Implementing an Application Security Pipeline in JenkinsSuman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge, and the traditional secure SDLC model fails to deliver the desired results. DevOps teams understand the process of build, test and deploy. They have largely automated this process in a delivery pipeline and deploy to production multiple times per day, but the big challenge is: how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Winning tenders / securing tenderers in a competitive construction market - N...Browne Jacobson LLP
This seminar looked at:
(1) how employers can make their tenders attractive in an increasingly competitive market, and
(2) from a supply chain's perspective, what employers are looking for from tenderers.
The Culver City Film Festival is brought to you by Film Marketing Services Inc., founder of the Marina del Rey Film Festival.
The Culver City Film Festival brings together a diverse group of film makers to share recent work and recognize local talent in a city celebrated for its cinematic history and cultural depth.
HDI Capital Area Local Chapter March 2016 Meeting hdicapitalarea
HDI Capital Area Local Chapter March 2016 Meeting. HDI Updates, membership, presentation on Hiring and Compensation by Christie Shell, Robert Half Technology
Creating Developer-Friendly Docker Containers with ChaperoneGary Wisniewski
Chaperone provides a lean, full-featured environment which simplifies development and deployment of container services while adding minimal overhead (a single process does it all).
Scaling up development of a modular code baseRobert Munteanu
Microservices are quickly becoming one of the preferred deployment models in the software industry. Much has been said about the runtime impact of microservices, but less about how they impact the development process.
This talk will discuss the details of moving from a single monolithic codebase to multiple repositories in terms of the development process. We will present the impact of modularisation on source control, continuous integration, code reviews, IDEs and public discussion on chat/email.
After this talk attendees will have a better understanding of the impact of modular development on the development process.
My talk at FullStackFest, 4.9.2017. Become more familiar with managing infrastructure using Terraform, Packer and deployment pipeline. Code repository - https://github.com/antonbabenko/terraform-deployment-pipeline-talk
How to improve the daily life of PHP developers?AFUP_Limoges
Talk given at the AFUP summer meetup in Limoges on 19 June 2018. Its aim is to present several tools that quickly make day-to-day work more efficient.
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Priyanka Aash
"We propose a new exploit technique that brings a whole-new attack surface to defeat path normalization, which is complicated in implementation due to many implicit properties and edge cases. This complication, being under-estimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. Therefore, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript.
Being a very fundamental problem that exists in path normalization logic, sophisticated web frameworks can also suffer. For example, we've found various 0days on Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique can also adapt to multi-layered web architecture, such as using Nginx or Apache as a proxy for Tomcat. In that case, reverse proxy protections can be bypassed. To make things worse, we're able to chain path normalization bugs to bypass authentication and achieve RCE in real world Bug Bounty Programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB-Relay and RCE.
Understanding the basics of this technique, the audience won't be surprised to know that more than 10 vulnerabilities have been found in sophisticated frameworks and multi-layered web architectures aforementioned via this technique."
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...Amazon Web Services
Some of the best businesses today are deploying their code dozens of times a day. How? By making heavy use of automation, smart tools, and repeatable patterns to get process out of the way and keep the workflow moving. Come to this session to learn how you can do this too, using services such as AWS OpsWorks, AWS CloudFormation, Amazon Simple Workflow Service, and other tools. We'll discuss a number of different deployment patterns, and what aspects you need to focus on when working toward deployment automation yourself.
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Provectus
In this demo based talk with live coding, we’ll present a functional typeful framework for developing Apache Spark applications. We’ll walk through the following key topics: – turning unmanageable Spark scripts into typeful Spark Functions – serverless deployment of Spark functions into the cloud – unit testing Spark functions to save cluster resources and developers time – seamless Spark session management between concurrent Spark jobs in exclusive or share modes
Reuse, Reduce, Recycle in Serverless WorldDmitri Zimine
Slides for the talk at @ServerlessConf San Francisco 2018
Reuse is fundamental to any software development. Serverless development, however, still misses a coherent end-to-end reusability story. AWS Application Repository, Serverless Components from @goserverless, and LogicApps' Connectors are all steps in the right direction. But we are still far away from the npm/pip install developer's paradise. What is missing, and what is the path forward?
In this talk, I reflect on the current state of reusability in Serverless, share relevant learnings from establishing reusability in DevOps tools, and show a working code, a proof of concept for an open-source catalog of reusable Serverless functions. How exactly? We recycled StackStorm Exchange - a mature opensource action catalog - with a plugin to serverless framework. Come and see the details, and bring your ideas to discuss how we promote reusability in Serverless.
This session will re-evaluate Cassandra’s relationship with runtime and build systems, pointing out ways that the existing systems fall down, and identifying avenues for improvement. Over the past few years, a number of platforms have emerged for running user code. Container runtimes like Docker, container orchestrators such as Kubernetes, and metrics collections agents like Prometheus and Spectator have all gained popularity and mind-share. Cassandra functionality such as metrics, bootstrapping, and monitoring integrates with the newer paradigms, but in an ad-hoc and improvised fashion. By taking a purposeful approach to integrating with these new methods of deployment, the Cassandra community can more fully benefit from their advertised strengths. The Cassandra build system based on Ant+Ivy dates to the early 2000’s, and reflects legacy complexity that could be avoided with modern build systems. Cassandra’s system package builds are not much better and often fail to integrate with industry standards such as systemd. Iterating on the existing systems is difficult, but this technical debt slows innovation in our build systems. In this talk, we propose solutions to make building, deploying and monitoring Cassandra easy and low overhead, while taking advantage of cloud advancements wherever possible.
More info at http://blog.carlossanchez.eu/2011/11/15/from-dev-to-devops-slides-from-apachecon-na-vancouver-2011/
The DevOps movement aims to improve communication between developers and operations teams to solve critical issues such as fear of change and risky deployments. But the same way that Agile development would likely fail without continuous integration tools, the DevOps principles need tools to make them real, and provide the automation required to actually be implemented. Most of the so called DevOps tools focus on the operations side, and there should be more than that, the automation must cover the full process, Dev to QA to Ops and be as automated and agile as possible. Tools in each part of the workflow have evolved in their own silos, and with the support of their own target teams. But a true DevOps mentality requires a seamless process from the start of development to the end in production deployments and maintenance, and for a process to be successful there must be tools that take the burden out of humans.
Apache Maven has arguably been the most successful tool for development, project standardization and automation introduced in the last years. On the operations side we have open source tools like Puppet or Chef that are becoming increasingly popular to automate infrastructure maintenance and server provisioning.
In this presentation we will introduce an end-to-end development-to-production process that will take advantage of Maven and Puppet, each of them at their strong points, and open source tools to automate the handover between them, automating continuous build and deployment, continuous delivery, from source code to any number of application servers managed with Puppet, running either in physical hardware or the cloud, handling new continuous integration builds and releases automatically through several stages and environments such as development, QA, and production.
Deploy and Destroy: Testing Environments - Michael Arenzon - DevOpsDays Tel A...DevOpsDays Tel Aviv
One of the critical factors for development velocity is software correctness. Our ability to develop and ship new features fast is bounded by our ability to validate several aspects of the change: * Does the feature meet the requirements? * How does the feature affect existing code, and how can it affect the production environment? With continuous codebase growth and new features being added, our productivity naturally decreases, and our need to improve the guarantees for quality and correctness increases.
In this talk, I’ll focus on testing environments: why developers need a self-serve platform to create a full functioning environment on-demand, how such environments should be managed, and how can one restore part of the lost velocity. I’ll cover an internal system we use at AppsFlyer called ‘Namespaces’ that addresses the issue with the help of Mesos / Marathon, Docker, Traefik, and Consul.
Orchestrating docker containers at scale (#DockerKRK edition)Maciej Lasyk
Slightly different version (original is here http://www.slideshare.net/d0cent/orchestrating-docker-containersatscale). This version was presented during first #Docker meetup in Kraków / Poland.
Orchestrating docker containers at scale (PJUG edition)Maciej Lasyk
Slightly changed version (original is here http://www.slideshare.net/d0cent/orchestrating-docker-containersatscale). This version was presented during Polish Java User Group meetup JavaCamp#13 in Kraków / Poland.
Orchestrating Docker containers at scaleMaciej Lasyk
Many of us already poked around Docker. Let's recap what we know and then think what do we know about scaling apps & whole environments which are Docker - based? Should we PaaS, IaaS or go with bare? Which tools to use on a given scale?
Slides from the talk I gave during the 2014 edition of IT Night. This lecture is about working in the terminal: from choosing a term through picking a proper shell and applications, and finally finishing on a GitHub project which covers this talk's topics.
High Availability (HA) Explained - second editionMaciej Lasyk
I gave this talk at one of the biggest Linux conferences in Poland: 11 Linux Session, which took place in Wrocław on 5/6-04-2014. It was a lightning talk covering the subject of High Availability solutions, architecture, planning and deploying.
How could one create very sophisticated, open - source based monitoring solution that is very scalable and easy to deploy?
I gave this talk during one of the biggest Linux conferences in Poland: 11 Linux Session, which took place in Wrocław on 5/6-04-2013
I gave this talk during the first Infosec meetup in Kraków/Poland on 13th March 2014. After viewing this presentation you'll know how and why you should use SELinux (or other LSMs).
Is Red Hat / Fedora / Centos ready for lightweight Docker containers? Is Docker secure enough? How about SELinux? How could we deploy Jboss or Django within Docker / RHEL?
I gave this talk at DevOPS meetup in Krakow at 2014-02-26.
I gave this talk at the Krakow/Poland DevOPS meetup. It was a lightning talk covering the subject of High Availability solutions, architecture, planning and deploying.
How to run a system administrator recruitment process? By creating a platform based on open source parts in just 2 nights! I gave this talk at the Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create a recruitment process in a CTF / challenge way.
This story covers mostly the security details of this whole platform. There's a great chance that I will give another talk about this system, but this time focusing on technical details. Stay tuned ;)
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
8. I'm not a security expert but an engineer
passionate about security & quality
9. “The only thing more dangerous than a developer is a
developer conspiring with Security. The two working
together gives means, motive and opportunity.”
“The Phoenix Project”
by Gene Kim, Kevin Behr and George Spafford
10. General security rule in IT: security is based on layers
→ Network
→ OS
→ App / DB
→ Hardware
→ VMs
→ Containers
12. DevOps Anti-Types & patterns
This is a copy/paste from
http://blog.matthewskelton.net/
w/my comments included and InfoSec layer added
Great job Matthew! Thanks!
22. Deciding about InfoSec strategy w/devops remember:
→ security ninjas (just like admins) are expensive and rare
→ virtual teams might cut this problem
→ wandering experts
39-43. → repeatable tasks lead to automation
→ automation leads to consistency
→ consistency reduces errors
→ reducing errors leads to a stable environment
→ a stable environment leads to less unplanned work
→ less unplanned work leads to focus on delivery
44. → flat learning curve
→ doesn't require additional resources
→ fit for maintenance jobs / procedures
→ great for any containers as non-daemon
→ might be easily adopted as a universal language
→ ansible-galaxy
52. # vars in e.g. group_vars
ports:
  tcp:
    - 80
    - 443

# async + poll: 0 = fire & forget; the play moves on immediately, so wait for
# the job (async_status) before the parse step reads wide_scan_results
- name: run portscan
  shell: /usr/bin/nmap -sS -p- --exclude-ports="{{ ports.tcp | join(',') }}" > wide_scan_results
  async: 3600   # max seconds the job may run
  poll: 0

- name: Parse results
  shell: python parse.py {{ ports.tcp }}
  register: parse_results

- name: Notify
  shell: echo "{{ parse_results.stdout }}" | mail -s "results" a@b.com
  when: "'error_placeholder' in parse_results.stdout"
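A stand-in for the `parse.py` the playbook above calls, as an added example (mine, not code from the original deck): it reads nmap's normal output, collects the ports reported open per host, and flags any TCP port that is not in the expected list, leading its output with the `error_placeholder` marker the Notify task matches on. The hostname, IP and scan output below are constructed; the script accepts the port list either as `80,443` or as the `[80, 443]` list repr that `{{ ports.tcp }}` renders to.

```python
"""parse.py: check nmap output against the expected TCP port list."""
import re
import sys

# Constructed sample in nmap "normal" output format (no real host was scanned).
SAMPLE_SCAN = """\
Nmap scan report for web01.example.internal (10.0.0.5)
Host is up (0.0010s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp filtered mysql
8080/tcp open     http-proxy
"""

HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s*(?P<service>\S*)")
MARKER = "error_placeholder"  # the string the playbook's `when:` tests for
RESULTS_FILE = "wide_scan_results"  # where the playbook redirects nmap output


def parse_port_list(arg):
    """Accept '80,443' as well as the '[80, 443]' that `{{ ports.tcp }}` renders to."""
    return [int(p) for p in re.findall(r"\d+", arg)]


def parse_open_ports(text):
    """Return {host: {(port, proto): service}} for ports nmap reports as open."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            results.setdefault(host, {})
            continue
        m = PORT_LINE.match(line)
        # only "open" counts; "filtered"/"closed" lines are ignored
        if m and host is not None and m.group("state") == "open":
            results[host][(int(m.group("port")), m.group("proto"))] = m.group("service")
    return results


def unexpected_ports(results, expected_tcp):
    """Return {host: [(port, service), ...]} for open TCP ports outside expected_tcp."""
    expected = set(expected_tcp)
    findings = {}
    for host, ports in results.items():
        extra = sorted((port, svc) for (port, proto), svc in ports.items()
                       if proto == "tcp" and port not in expected)
        if extra:
            findings[host] = extra
    return findings


def report(findings):
    """Render findings as text; leads with MARKER so the Notify task can match it."""
    if not findings:
        return "OK: no unexpected open ports"
    lines = [f"{MARKER}: unexpected open ports"]
    for host, extra in sorted(findings.items()):
        lines.append(f"  {host}: " + ", ".join(f"{p}/tcp ({svc or '?'})" for p, svc in extra))
    return "\n".join(lines)


def check_scan(text, expected_tcp):
    """Whole step: parse scan text, diff against the expected ports, render."""
    return report(unexpected_ports(parse_open_ports(text), expected_tcp))


if __name__ == "__main__":
    # usage: python parse.py "80,443"   (or the rendered list "[80, 443]")
    expected = parse_port_list(" ".join(sys.argv[1:]))
    try:
        with open(RESULTS_FILE) as fh:
            scan_text = fh.read()
    except FileNotFoundError:
        scan_text = SAMPLE_SCAN  # fall back to the constructed sample for a dry run
    print(check_scan(scan_text, expected))
```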
57. C for Culture
A for Automation
M for Monitoring
S for Sharing
58. → Visualization – graph everything (or make it possible)
→ Same monitoring interfaces for all
→ Logfiles lines number (e.g. audit.log) as a metric
→ False negs / pos number as a metric
60. It's as simple as: stop hiding security incident reports in the
locked drawer
Let others learn: think continuous improvement!
Share the knowledge about mistakes
66. Let's wrap this up
→ security is about providing quality – it must be part of delivery
→ including security in CD is a business decision; involve business in devops!
→ security doesn't have to slow the CD pipeline
69. Deep dive into technical infra
(briefly, more in my arch presentation today)
Linux Containers
70. Why should InfoSec bother about infra?
→ because infra is code
→ because infra might be a tool
71. → grouping processes
→ allocating resources to particular groups
  → memory
  → network
  → CPU
  → storage bandwidth (I/O throttling)
→ device whitelisting
control groups (cgroups)
72. Providing unique views of the system to processes.
→ PID – PIDs isolation
→ NET – network isolation (via virt-ifaces; demo @arch)
→ IPC – won't use this
→ MNT – chroot like; deals w/mountpoints
→ UTS – deals w/hostname
Kernel Namespaces
73. Layered filesystems
→ OS installation
→ libraries
→ application
→ apps updates
We ship this as one package – container
It has to be lightweight!
http://www.blaess.fr/christophe/2014/12/14/le-systeme-overlayfs-de-linux-3-18/
75. Docker in a nutshell – installing WP in seconds demo
remember #DockerKrk & infosec & devops meetups
http://www.meetup.com/Docker-Krakow-Poland/
http://www.meetup.com/Krakow-DevOps/
http://www.meetup.com/Infosec-Krakow/
76. It doesn't have to be docker
LXC, LXD, systemd-nspawn etc
Just make sure it does its job
77. Summing this up – learn how to use containers
so you can focus on InfoSec work not on infrastructure
mojo
You'll see how this repays :)
79. GAUNTLT - http://gauntlt.org/
→ Hooks for sectools (nmap, sslyze, sqlmap)
→ Output formatting (json and others)
→ see yourself (demo)
80. nikto - https://www.cirt.net/Nikto2
→ webapp sec scanner
→ customizable reports (templates)
→ logging to metasploit
→ save full requests for positive tests
→ ...
→ see yourself (demo)
81. nikto - https://www.cirt.net/Nikto2
And docker maybe? (demo)
https://registry.hub.docker.com/u/activeshadow/nikto/dockerfile/
Remember to verify those images..
82. nikto - https://www.cirt.net/Nikto2
FROM debian:jessie
# perl dependencies nikto needs; drop the apt lists to keep the image small
RUN apt-get update && apt-get install -y libtimedate-perl libnet-ssleay-perl \
    && rm -rf /var/lib/apt/lists/*
ADD https://cirt.net/nikto/nikto-2.1.5.tar.gz /root/
WORKDIR /opt
# unpack, point nikto at its install dir, expose it on PATH, pull the plugin db
RUN tar xzf /root/nikto-2.1.5.tar.gz && rm /root/nikto-2.1.5.tar.gz \
    && echo "EXECDIR=/opt/nikto-2.1.5" >> nikto-2.1.5/nikto.conf \
    && ln -s /opt/nikto-2.1.5/nikto.conf /etc/nikto.conf \
    && chmod +x nikto-2.1.5/nikto.pl \
    && ln -s /opt/nikto-2.1.5/nikto.pl /usr/local/bin/nikto \
    && nikto -update
WORKDIR /root
CMD ["nikto"]
83. wapiti - http://wapiti.sourceforge.net/
→ webapp sec scanner
→ rich vulns detection (see docs)
→ JSON reports (and some other formats)
→ suspend / resume attack
→ modular
→ ...
→ see yourself (demo)
85. mittn - https://github.com/F-Secure/mittn
→ high level testing suite
→ alternative for Gauntlt
→ no low-level knowledge about the tools required
→ Python / Behave (BDD)
→ automated web scanning w/Burp (BSPAS)
→ tls w/sslyze
→ HTTP api fuzzing w/Radamsa
87. How to deal with false negs / pos?
→ actually human analysis is always required
→ before “feedback loop” check yourself if it's red
→ mark, hide, automate
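Slide 87's "mark, hide, automate" and slide 58's "false negs / pos number as a metric", as one added example (mine, not code from the original deck): a triage step that compares normalised scanner findings against a reviewer-marked baseline, hides accepted false positives, resurfaces marks whose expiry has passed, fails the pipeline on anything new or still open, and returns the counts as metrics for graphing. The finding format, verdict names, sample findings and baseline entries are constructed assumptions, not any tool's real schema.

```python
"""Triage scanner findings against a reviewed baseline (mark / hide / automate)."""
from datetime import date
import hashlib

# Constructed sample findings, as a scanner wrapper might normalise them.
FINDINGS = [
    {"tool": "nikto", "target": "https://app.example.internal",
     "check": "missing-x-frame-options", "evidence": "/"},
    {"tool": "nikto", "target": "https://app.example.internal",
     "check": "dir-listing", "evidence": "/static/"},
    {"tool": "wapiti", "target": "https://app.example.internal",
     "check": "xss", "evidence": "/search?q="},
    {"tool": "sslyze", "target": "app.example.internal:443",
     "check": "tls1.0-enabled", "evidence": ""},
]

# Verdicts a reviewer may "mark" a finding with; only these hide it from the report.
HIDDEN_VERDICTS = {"false_positive", "accepted_risk"}
TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible


def finding_key(finding):
    """Stable id for a finding: hash of tool/target/check/evidence, so the same
    finding on the next scan matches the same baseline entry."""
    raw = "|".join([finding["tool"], finding["target"], finding["check"],
                    finding.get("evidence", "")])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


# Constructed baseline: what reviewers marked earlier. Every mark has an owner,
# a reason and an expiry, so a "hide" is never permanent without a re-review.
BASELINE = [
    {"key": finding_key(FINDINGS[0]), "verdict": "false_positive", "reviewer": "alice",
     "expires": "2025-01-01", "note": "header is set by the CDN; scanner hits origin"},
    {"key": finding_key(FINDINGS[1]), "verdict": "accepted_risk", "reviewer": "bob",
     "expires": "2024-03-01", "note": "public assets only; revisit"},
    {"key": finding_key(FINDINGS[3]), "verdict": "confirmed", "reviewer": "alice",
     "expires": "2024-12-31", "note": "tracked in ticket TICKET-PLACEHOLDER"},
]


def triage(findings, baseline, today):
    """Sort findings into new / hidden / expired / open and return metrics."""
    marks = {b["key"]: b for b in baseline}
    buckets = {"new": [], "hidden": [], "expired": [], "open": []}
    for f in findings:
        mark = marks.get(finding_key(f))
        if mark is None:
            buckets["new"].append(f)            # never reviewed: needs a human
        elif date.fromisoformat(mark["expires"]) < today:
            buckets["expired"].append(f)        # mark lapsed: resurface it
        elif mark["verdict"] in HIDDEN_VERDICTS:
            buckets["hidden"].append(f)         # reviewed and hidden
        else:
            buckets["open"].append(f)           # confirmed but not yet fixed
    metrics = {
        "findings_total": len(findings),
        "false_positives_hidden": sum(
            1 for f in buckets["hidden"]
            if marks[finding_key(f)]["verdict"] == "false_positive"),
        "new_findings": len(buckets["new"]),
        "expired_marks": len(buckets["expired"]),
    }
    return buckets, metrics


def should_fail(buckets):
    """The automated part: anything a human has not cleared fails the stage."""
    return bool(buckets["new"] or buckets["expired"] or buckets["open"])


if __name__ == "__main__":
    buckets, metrics = triage(FINDINGS, BASELINE, TODAY)
    for name, items in buckets.items():
        print(f"{name:8s} {[f['check'] for f in items]}")
    print("metrics:", metrics)  # e.g. push false_positives_hidden to your graphs
    raise SystemExit(1 if should_fail(buckets) else 0)
```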