Continuous Security

•

4 likes•1,080 views

Talk given by Phil Parker (Partner at Equal Experts) at London Continuous Delivery Meetup hosted at Financial Times, Monday 23rd May, 2016.

CONTINUOUS SECURITY
THANK YOU!

@parker0phil

@parker0phil
How do we achieve Security in a
Continuous Delivery environment?

@parker0phil
3. Continuous Delivery IS MORE secure!

@parker0phil
2. Continuous Delivery IS MORE secure!

@parker0phil
2. Continuous Delivery IS MORE secure!

@parker0phil
2. Continuous Delivery IS MORE secure!

@parker0phil
1. Continuous Delivery IS MORE secure!
Mean
Time to
Detect
(MTTD)
Mean
Time to
Resolve
(MTTR)
RELEASE
FIND
VULN
FIX
VULN
Attack Window
MTTD MTTE

@parker0phil
Continuous Delivery
IS MORE secure!

@parker0phil
3. Thinking about Security

@parker0phil
3. Thinking about Security

@parker0phil
2. Thinking about Security
Exploitability Impact

@parker0phil
1. Thinking about Security
1. Rely on developers and testers more than security
specialists.
2. Secure while we work more than after we’re done.
3. Implement features securely more than adding on
security features.
4. Mitigate risks more than fix bugs.

@parker0phil
Thinking
about Security

@parker0phil
Pet Hate #3

@parker0phil
Encoding Hashing
Encryption Signing
Pet Hate #2
b2JmdXNjYXRpb24=
%3Cscript%3Ealert(0)
%3C%2Fscript%3E
Integrity +
Non-repudiation
Confidentiality

@parker0phil
Pet Hate #1

@parker0phil
Pet Hates!

@parker0phil
3. Enumeration of Usernames

@parker0phil
3. Enumeration of Usernames

@parker0phil
2. Unvalidated Redirects
?queryString=param
Cookie:value
Persisted

@parker0phil
2. Unvalidated Redirects
?queryString=param
Cookie:value
Persisted

@parker0phil
1. Cross-Site Request Forgery (CSRF)

@parker0phil
BONUS. SelfXSS

@parker0phil
BONUS. SelfXSS

@parker0phil
My Favourite
attacks!

@parker0phil
Continuous Delivery IS MORE secure
How we achieve Security in a CD environment
Mental Models for Security
Pet Hates
My Favourite attacks

@parker0phil
Security is HARD

#DevSecOpsDevSecOps#DevSecOps

CONTINUOUS
SECURITY

More Related Content

What's hot

Google updated their Penguin algorithm with version Penguin 3.0 late Friday night. The Penguin algorithm primarily looks at a site’s backlink profile and may demote a site that appears to have a poor backlink profile. The Penguin 3.0 release was communicated very poorly by Google. With Google only confirming the update 24-hours after the update was release and not giving us the details they would typically give when we ask them.

Google penguin 3.0

Google penguin 3.0

Google penguin 3.0

IGSTK: Building High Quality Roads with Open Source Software-9300

IGSTK: Building High Quality Roads with Open Source Software-9300

IGSTK: Building High Quality Roads with Open Source Software-9300

Kitware Kitware

It's a move we've seen coming since early 2017. Chrome HTTP sites are now officially being marked as 'not secure'. With Chrome dominating 62.85% of the browser market space as of last month means that even small changes can have a big impact on website owners if ignored. To avoid this, we will address the most pertinent questions we are asked: *What steps happened to get to this point? *Why is it still happening? *What is SSL? *How does SSL help secure the internet? *Why is SSL not a standalone solution in making a site secure? *What can you do to ensure your site isn't marked 'not secure' by Chrome?

Sucuri Webinar: Is SSL enough to secure your website?

Sucuri Webinar: Is SSL enough to secure your website?

Sucuri Webinar: Is SSL enough to secure your website?

There is growing demand from organizations to adopt a mobile strategy that goes beyond simply providing a responsive version of their content knowledge base. Field engineers, sales staff and customers often need the ability to take content offline and work with no access to the internet. Finding the content they need to take offline, and ensuring they don’t forget something, requires planning – ensuring that related content is easily discovered and downloaded.

LavaCon 2017 - Making a Quantum Shift in Structured Authoring

LavaCon 2017 - Making a Quantum Shift in Structured Authoring

LavaCon 2017 - Making a Quantum Shift in Structured Authoring

Finding Hazards Using Washing State Hazard Zone Cchecklist

Finding Hazards Using Washing State Hazard Zone Cchecklist

Finding Hazards Using Washing State Hazard Zone Cchecklist

MathesonWorkSafe

Hacking WordPress... and countermeasures.

Hacking WordPress... and countermeasures.

Hacking WordPress... and countermeasures.

Nestor Angulo de Ugarte

Naswiz perfect app

Naswiz perfect app

Naswiz perfect app

dhekanenandkishor

What's hot (7)

Google penguin 3.0

Google penguin 3.0

Google penguin 3.0

IGSTK: Building High Quality Roads with Open Source Software-9300

IGSTK: Building High Quality Roads with Open Source Software-9300

IGSTK: Building High Quality Roads with Open Source Software-9300

Sucuri Webinar: Is SSL enough to secure your website?

Sucuri Webinar: Is SSL enough to secure your website?

Sucuri Webinar: Is SSL enough to secure your website?

LavaCon 2017 - Making a Quantum Shift in Structured Authoring

LavaCon 2017 - Making a Quantum Shift in Structured Authoring

LavaCon 2017 - Making a Quantum Shift in Structured Authoring

Finding Hazards Using Washing State Hazard Zone Cchecklist

Finding Hazards Using Washing State Hazard Zone Cchecklist

Finding Hazards Using Washing State Hazard Zone Cchecklist

Hacking WordPress... and countermeasures.

Hacking WordPress... and countermeasures.

Hacking WordPress... and countermeasures.

Naswiz perfect app

Naswiz perfect app

Naswiz perfect app

Similar to Continuous Security

Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place. So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are: Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns Securing DevOps methodologies - changing when and how security controls interact with the application and the development process Adapting to a DevOps philosophy of shared ownership for security In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.

Maturing DevSecOps: From Easy to High Impact

Maturing DevSecOps: From Easy to High Impact

Maturing DevSecOps: From Easy to High Impact

Continuous Security: 5 Ways DevOps Improves Security

Continuous Security: 5 Ways DevOps Improves Security

Continuous Security: 5 Ways DevOps Improves Security

Cybersecurity: A game of innovation

Cybersecurity: A game of innovation

Cybersecurity: A game of innovation

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

S TECHNOLOGY Product/ Services Presentation

S TECHNOLOGY Product/ Services Presentation

S TECHNOLOGY Product/ Services Presentation

Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Splunk Webinar: Splunk App for Palo Alto Networks

Splunk Webinar: Splunk App for Palo Alto Networks

Splunk Webinar: Splunk App for Palo Alto Networks

Cybercrime and the developer 2021 style

Cybercrime and the developer 2021 style

Cybercrime and the developer 2021 style

SharePoint Fest Denver - Practical Tools and Techniques for the SharePoint Bu...

SharePoint Fest Denver - Practical Tools and Techniques for the SharePoint Bu...

SharePoint Fest Denver - Practical Tools and Techniques for the SharePoint Bu...

Richard Harbridge

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...

Cyber Security Dr Sally Ernst

Cyber Security Dr Sally Ernst

Cyber Security Dr Sally Ernst

Cissy Ma FCPA GAICD

Getting Started with Splunk Hands-on

Getting Started with Splunk Hands-on

Getting Started with Splunk Hands-on

[View the Webinar] - https://electrici.mp/2v1fQlI Electric Imp CEO, Hugo Fiennes, and UL’s Director of Connected Technologies, Rachna Stegall discuss the unique demands of helping to secure the IoT — and why independent certification is even more critical in the fast-evolving world. Join us to hear Fiennes & Stegall share candid insights into why establishing an IoT Security Benchmark, such as UL 2900-2-2 Cybersecurity Certification, is critical for due diligence of edge to enterprise technologies — and the future of commercial, industrial and consumer IoT overall.

[Webinar] Why Security Certification is Crucial for IoT Success

[Webinar] Why Security Certification is Crucial for IoT Success

[Webinar] Why Security Certification is Crucial for IoT Success

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. In this session, you will learn practical strategies in using threat modeling in secure software design and how to apply risk management in dealing with the threats.

Robert Hurlbut - Threat Modeling for Secure Software Design

Robert Hurlbut - Threat Modeling for Secure Software Design

Robert Hurlbut - Threat Modeling for Secure Software Design

centralohioissa

Opsec for security researchers

Opsec for security researchers

Opsec for security researchers

LeadDev NYC 2022: Calling Out a Terrible On-call System

LeadDev NYC 2022: Calling Out a Terrible On-call System

LeadDev NYC 2022: Calling Out a Terrible On-call System

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...

Think horizontally - Giuliano and De Donato

Think horizontally - Giuliano and De Donato

Think horizontally - Giuliano and De Donato

Claire Hunsaker, VP of Marketing, Stormpath Building a new market with an innovative and deeply technical product: it's a tall order for a small company. With few resources, extremely limited time, and well-funded incumbent competition - how do you describe a new product few people have heard of, much less thought of? Stormpath has used Optimizely (along with other analytics tools) to carve out a new market in a deeply technical - and skeptical - audience. More importantly, the small team has been able to nimbly test into great positioning that larger competitors can't touch, without spending money on expensive agencies, or burdening the team. Through a series of A/B tests, they discovered: - How users identified our product as a great solution. - How to set themselves apart from the confusingly-adjacent competition. - How to describe functionality in terms customers understand. In this presentation, Claire Hunsaker, VP of Marketing at Stormpath, covers actionable lessons from positioning tests, tips on how to structure A/B tests for new product positioning, and how to interpret results.

Disruptive Product Positioning with A/B Testing

Disruptive Product Positioning with A/B Testing

Disruptive Product Positioning with A/B Testing

SplunkLive! Utrecht - Splunk for Security - Monzy Merza

SplunkLive! Utrecht - Splunk for Security - Monzy Merza

SplunkLive! Utrecht - Splunk for Security - Monzy Merza

Similar to Continuous Security (20)

Maturing DevSecOps: From Easy to High Impact

Maturing DevSecOps: From Easy to High Impact

Maturing DevSecOps: From Easy to High Impact

Continuous Security: 5 Ways DevOps Improves Security

Continuous Security: 5 Ways DevOps Improves Security

Continuous Security: 5 Ways DevOps Improves Security

Cybersecurity: A game of innovation

Cybersecurity: A game of innovation

Cybersecurity: A game of innovation

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

S TECHNOLOGY Product/ Services Presentation

S TECHNOLOGY Product/ Services Presentation

S TECHNOLOGY Product/ Services Presentation

Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Splunk Webinar: Splunk App for Palo Alto Networks

Splunk Webinar: Splunk App for Palo Alto Networks

Splunk Webinar: Splunk App for Palo Alto Networks

Cybercrime and the developer 2021 style

Cybercrime and the developer 2021 style

Cybercrime and the developer 2021 style

SharePoint Fest Denver - Practical Tools and Techniques for the SharePoint Bu...

SharePoint Fest Denver - Practical Tools and Techniques for the SharePoint Bu...

SharePoint Fest Denver - Practical Tools and Techniques for the SharePoint Bu...

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...

Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans...

Cyber Security Dr Sally Ernst

Cyber Security Dr Sally Ernst

Cyber Security Dr Sally Ernst

Getting Started with Splunk Hands-on

Getting Started with Splunk Hands-on

Getting Started with Splunk Hands-on

[Webinar] Why Security Certification is Crucial for IoT Success

[Webinar] Why Security Certification is Crucial for IoT Success

[Webinar] Why Security Certification is Crucial for IoT Success

Robert Hurlbut - Threat Modeling for Secure Software Design

Robert Hurlbut - Threat Modeling for Secure Software Design

Robert Hurlbut - Threat Modeling for Secure Software Design

Opsec for security researchers

Opsec for security researchers

Opsec for security researchers

LeadDev NYC 2022: Calling Out a Terrible On-call System

LeadDev NYC 2022: Calling Out a Terrible On-call System

LeadDev NYC 2022: Calling Out a Terrible On-call System

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...

Think horizontally - Giuliano and De Donato

Think horizontally - Giuliano and De Donato

Think horizontally - Giuliano and De Donato

Disruptive Product Positioning with A/B Testing

Disruptive Product Positioning with A/B Testing

Disruptive Product Positioning with A/B Testing

SplunkLive! Utrecht - Splunk for Security - Monzy Merza

SplunkLive! Utrecht - Splunk for Security - Monzy Merza

SplunkLive! Utrecht - Splunk for Security - Monzy Merza

More from Equal Experts

So much of the time, we get bogged down in senseless process, causing delays to delivery and reduced morale in the team. Agile frameworks implicitly build trust; this talk introduces the TRUST Framework, which attempts to bring trust management as an explicit part of how we effectively manage projects and relationships. We start with this simple Axiom: maximising trust throughout the organisation, in all directions, creates a more efficient and happier working environment, resulting in higher value creation for the organisation and its stakeholders. This talk challenges how we think about trust and cover practical actions to build trust in your teams.

TRUST Framework Talk 2023-03-10.pptx

TRUST Framework Talk 2023-03-10.pptx

TRUST Framework Talk 2023-03-10.pptx

Will it matter if your child cannot code?

Will it matter if your child cannot code?

Will it matter if your child cannot code?

Practical tips and heroic war stories on how to secure a large, modern, fast software delivery platform. From building a team to building cool stuff, dealing with organisational setups to dealing with security incidents. Zero Buzzwords Guaranteed. Chris Rutter has spent the last few years obsessed with making security, engineering and the business work together. Starting his career as an engineer, he uses a deep understanding of Agile, Devops, and product delivery to solve security problems in a way that enables teams, rather than hitting them with bricks.

Platform Security IRL: Busting Buzzwords & Building Better

Platform Security IRL: Busting Buzzwords & Building Better

Platform Security IRL: Busting Buzzwords & Building Better

Infrastructure as Code (IaC) has rapidly become a key part of cloud native engineering. The hard gained experience from writing software can be applied to infrastructure, but fundamental differences means some fundamental approached need to be reconsidered. This talk will explore the implications for test driven development and build pipelines applied to IaC. Jon Barber is an Engineer with Equal Experts. He has been paid to write software for over 30 years, and has spent most of his time recently in the platform engineering space. He’s a keen advocate of XP values and practices, and sees himself more as an engineer than craftsman.

Software development practices & Infrastructure as Code - how well do they wo...

Software development practices & Infrastructure as Code - how well do they wo...

Software development practices & Infrastructure as Code - how well do they wo...

Watch the video at https://www.equalexperts.com/expert-talks/a-whole-team-approach-to-quality-in-continuous-delivery/ It’s not uncommon for teams practicing, or moving towards, continuous delivery to face a growing backlog of customer-reported bugs and struggle to maintain their deployment cadence. If a team has testers, the testers may be expected to continue with their same testing activities, without any thought as to how those can be fit into CD. Teams without testing specialists often struggle with insufficient coverage from their automated regression tests, and they may miss serious problems entirely because of inadequate exploratory testing. How can teams build confidence to release small changes so frequently? It’s not just about testing, it’s about finding ways to build quality into the product. This interactive session will introduce: • a pipeline visualization exercise teams can do to find ways to fit in all testing activities, including manual ones, and shorten feedback loops • using a test suite canvas to determine the minimum automated tests needed • ways testing specialists help teams prevent defects and transfer testing skills across the team This is a session for everyone on the software delivery team, who may or may not have experience with continuous delivery and deployment. SPEAKER: Lisa Crispin Lisa Crispin is the co-author, with Janet Gregory, of three books: Agile Testing Condensed: A Brief Introduction, More Agile Testing: Learning Journeys for the Whole Team, Agile Testing: A Practical Guide for Testers and Agile Teams; the LiveLessons Agile Testing Essentials video course, and “The Whole Team Approach to Agile Testing” 3-day training course offered through the Agile Testing Fellowship. Lisa was voted by her peers as the Most Influential Agile Testing Professional Person at Agile Testing Days in 2012. She is co-founder with Janet of Agile Testing Fellowship, Inc. Please visit www.lisacrispin.com, www.agiletestingfellow.com, and www.agiletester.ca for more. Lisa is currently a Fellow Quality Owner at OutSystems, helping with the observability practice.

A Whole Team Approach to Quality in Continuous Delivery - Lisa Crispin

A Whole Team Approach to Quality in Continuous Delivery - Lisa Crispin

A Whole Team Approach to Quality in Continuous Delivery - Lisa Crispin

When organisations begin to adopt Continuous Delivery, engineering teams begin to deliver at a pace that can create a strain on other parts of the business. Security teams often struggle to adapt to this faster delivery model, but that doesn’t need to be the case. In this talk, Stuart will discuss a few ways you can take advantage of continuous delivery to make security a first class citizen of software engineering. Grounding the theory with real world experience, he’ll share a few stories of how other organisations have used these ideas to transform their delivery. SPEAKER: Stuart Gunter Stuart is the Security Practice Lead at Equal Experts. He has over 20 years experience in software engineering, architecture and security. He has worked with a variety of public and private sector organisations across a range of industries, helping them effectively embed security within agile delivery.

Secure Continuous Delivery

Secure Continuous Delivery

Secure Continuous Delivery

What makes Continuous Delivery easy and what makes it hard? How much impact do your tech and architectural choices have on it? Should you start with a .Net monolith or go-lang microservices? This session shares lessons learnt by two teams, with very different tech and architectures, but who both were successful in their continuous delivery journey. Speaker: Lyndsay Prewer Lyndsay is an agile delivery consultant with over 20 years' experience of helping individuals, teams and organisations improve their software delivery. He’s currently working with Equal Experts, at a variety of public and private sector clients.

Smoothing the continuous delivery path a tale of two architectures - expert...

Smoothing the continuous delivery path a tale of two architectures - expert...

Smoothing the continuous delivery path a tale of two architectures - expert...

Today’s systems are inherently complex, with some component parts often operating in or close to suboptimal or failure modes. Left unchecked, as complexity increases, the compounding of failure modes will inevitably lead to catastrophic system failure. Chaos Days help us address this risk by spending time deliberately inducing failures, then analysing the response. This session summarises our experience of running Chaos Days on a large scale platform. We’ll explore the what, why, how and when of running a Chaos Day, plus tips for running them remotely.

Embracing collaborative chaos (April 2020) by Lyndsay Prewer

Embracing collaborative chaos (April 2020) by Lyndsay Prewer

Embracing collaborative chaos (April 2020) by Lyndsay Prewer

Design Systems help modern innovative companies build new software quickly without waste and with a consistent look and feel. They are the single source of truth to allow the teams to design, realise and develop a product. From our work with Design Systems for Equal Experts' clients we have many learnings to share about benefits and risks and what needs to be overcome to get a system live and adopted. SPEAKER: David Hawdale. Product and UX person at Equal Experts. Contact www.equalexperts.com Contact David: david.hawdale@hawdale-associates.co.uk

Design Systems: Designing out Waste, Designing in Consistency

Design Systems: Designing out Waste, Designing in Consistency

Design Systems: Designing out Waste, Designing in Consistency

Growing Together - software development in the Developing world

Growing Together - software development in the Developing world

Growing Together - software development in the Developing world

Infrastructure - a journey from datacentres to cloud

Infrastructure - a journey from datacentres to cloud

Infrastructure - a journey from datacentres to cloud

Data Science In Action: Prenatal Screening for Down Syndrome

Data Science In Action: Prenatal Screening for Down Syndrome

Data Science In Action: Prenatal Screening for Down Syndrome

University taught me a lot, but after getting my first job I quickly realised that I was lacking many skills that I had never even heard about or not realised how important they were. In this talk I will introduce you to notions and tools that are used on a daily basis in the industry, such as version control and coding patterns. This will give you a list of items that you should explore and use to get yourself ready for the real IT world.

The essentials of the IT industry or What I wish I was taught about at Univer...

The essentials of the IT industry or What I wish I was taught about at Univer...

The essentials of the IT industry or What I wish I was taught about at Univer...

This talk discusses how a FTSE 100 publishing house confronted the urgent need to transform to meet the challenges and opportunities created by a changing world. Despite the fact that there was plenty of time, money and will to succeed, almost straight away, their situation was revealed to be much harder than they first thought... Telling the true story of the publishers’ attempt to navigate the choppy waters of changing ways of working combined with high levels of uncertainty, the talk covers George Harrison, Keswick Pencil Museum, the philosopher Karl Popper and Middlemarch by George Eliot. Along the way, three key lessons that were learned the hard way are shared, to help you avoid making the same mistakes. Speaker : David Cox - Transformation Manager at Equal Experts

Secrets of an agile transformation

Secrets of an agile transformation

Secrets of an agile transformation

Obstacles of Digital Transformation Evolution

Obstacles of Digital Transformation Evolution

Obstacles of Digital Transformation Evolution

Talk given by Chris Rutter Avoiding The Security Brick An exploration of some common scenarios when security teams and processes seriously impact product delivery and result in questionable security benefits, and some battle-proven techniques on how to work more effectively with security while delivering at pace Chris Rutter. A Security Engineer / Transformation specialist who cut his teeth writing Java in Agile environments, then moved into Security Architecture and now helps teams secure their systems by making security technical rather than a tick box.

Avoiding the security brick

Avoiding the security brick

Avoiding the security brick

Talk given by Lyndsay Prewer Technical Delivery Manager at Equal Experts at ExpertTalks Leeds on June 11 2019. Embracing Collaborative Chaos Today’s systems are inherently complex, with some component parts often operating in or close to suboptimal or failure modes. Left unchecked, as complexity increases, the compounding of failure modes will inevitably lead to catastrophic system failure. Chaos Days help us address this risk by spending time deliberately inducing failures, then analysing the response. This session summarises our experience of running Chaos Days on a large scale platform. We’ll explore the what, why, how and when of running a Chaos Day.

Embracing collaborative chaos

Embracing collaborative chaos

Embracing collaborative chaos

Talk given by Phil Parker (Partner at Equal Experts) at ExpertTalks Berlin, 14th June 2018. Running a build server does not mean you are *doing* Continuous Delivery. An OWASP Top 10 poster on the wall does not mean you are *doing* Information Security. This talk explores what the real important factors of Continuous Delivery are, does the same for Information Security and then focusses in on how the two intersect and interact. Developers, testers, ops (and anyone else working on tech teams) will learn why Continuous Delivery is actually MORE secure than the alternatives.

Continuous Security

Continuous Security

Continuous Security

Talk given by Phil Parker (Partner at Equal Experts) at ExpertTalks Sydney, 27th February 2018. Continuous Delivery requires “a close, collaborative working relationship between everyone involved in delivery” but - as you are probably all too aware - most organisations don’t structure teams (or software) to achieve this. This talk explores what the communications structures of our organisations really are, and how they should best serve the systems we design? A Continuous Delivery talk with no mention of Continuous Integration, virtually nothing on Deployment Pipelines and a real effort not to mention DevOps (people, teams or mindset!) This is a lot about Organisations and Domains (a definition of the latter will be forthcoming), but mostly it’s about People…

Organising for Continuous Delivery

Organising for Continuous Delivery

Organising for Continuous Delivery

Hugo Ferreira, one of our Developers, presented this talk – "Cracking Passwords via Common Topologies"" – during Pizza Talks Lisbon, on the 29th of November 2017 Description: A brief overview of how typical password complexity policies and common human behaviour conspire to create easily hackable systems, and what you can do about it as a developer. Useful Links: * [OWASP](https://www.owasp.org) * [Testing Guide](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents) for securing web applications * [Authentication Cheat Sheet](https://www.owasp.org/index.php?title=Authentication_Cheat_Sheet) * [Have I been pwned? Check if your email has been compromised in a data breach](https://haveibeenpwned.com/) * [Pwned websites](https://haveibeenpwned.com/PwnedWebsites) * [Pwned Passwords](https://haveibeenpwned.com/Passwords) * [dropbox/zxcvbn: Low-Budget Password Strength Estimation](https://github.com/dropbox/zxcvbn) * [test zxcvbn interactively](https://lowe.github.io/tryzxcvbn/) * [KoreBlog PathWell - Top 100 common topologies](https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)

Cracking passwords via common topologies

Cracking passwords via common topologies

Cracking passwords via common topologies

More from Equal Experts (20)

TRUST Framework Talk 2023-03-10.pptx

TRUST Framework Talk 2023-03-10.pptx

TRUST Framework Talk 2023-03-10.pptx

Will it matter if your child cannot code?

Will it matter if your child cannot code?

Will it matter if your child cannot code?

Platform Security IRL: Busting Buzzwords & Building Better

Platform Security IRL: Busting Buzzwords & Building Better

Platform Security IRL: Busting Buzzwords & Building Better

Software development practices & Infrastructure as Code - how well do they wo...

Software development practices & Infrastructure as Code - how well do they wo...

Software development practices & Infrastructure as Code - how well do they wo...

A Whole Team Approach to Quality in Continuous Delivery - Lisa Crispin

A Whole Team Approach to Quality in Continuous Delivery - Lisa Crispin

A Whole Team Approach to Quality in Continuous Delivery - Lisa Crispin

Secure Continuous Delivery

Secure Continuous Delivery

Secure Continuous Delivery

Smoothing the continuous delivery path a tale of two architectures - expert...

Smoothing the continuous delivery path a tale of two architectures - expert...

Smoothing the continuous delivery path a tale of two architectures - expert...

Embracing collaborative chaos (April 2020) by Lyndsay Prewer

Embracing collaborative chaos (April 2020) by Lyndsay Prewer

Embracing collaborative chaos (April 2020) by Lyndsay Prewer

Design Systems: Designing out Waste, Designing in Consistency

Design Systems: Designing out Waste, Designing in Consistency

Design Systems: Designing out Waste, Designing in Consistency

Growing Together - software development in the Developing world

Growing Together - software development in the Developing world

Growing Together - software development in the Developing world

Infrastructure - a journey from datacentres to cloud

Infrastructure - a journey from datacentres to cloud

Infrastructure - a journey from datacentres to cloud

Data Science In Action: Prenatal Screening for Down Syndrome

Data Science In Action: Prenatal Screening for Down Syndrome

Data Science In Action: Prenatal Screening for Down Syndrome

The essentials of the IT industry or What I wish I was taught about at Univer...

The essentials of the IT industry or What I wish I was taught about at Univer...

The essentials of the IT industry or What I wish I was taught about at Univer...

Secrets of an agile transformation

Secrets of an agile transformation

Secrets of an agile transformation

Obstacles of Digital Transformation Evolution

Obstacles of Digital Transformation Evolution

Obstacles of Digital Transformation Evolution

Avoiding the security brick

Avoiding the security brick

Avoiding the security brick

Embracing collaborative chaos

Embracing collaborative chaos

Embracing collaborative chaos

Continuous Security

Continuous Security

Continuous Security

Organising for Continuous Delivery

Organising for Continuous Delivery

Organising for Continuous Delivery

Cracking passwords via common topologies

Cracking passwords via common topologies

Cracking passwords via common topologies

Recently uploaded

Agnieszka Andrzejewska - BIM School Course in Kraków

Agnieszka Andrzejewska - BIM School Course in Kraków

Agnieszka Andrzejewska - BIM School Course in Kraków

AI/ML Infra Meetup May. 23, 2024 Organized by Alluxio For more Alluxio Events: https://www.alluxio.io/events/ Speaker: - Eric Wang (Software Engineer, @Uber) Uber has numerous deep learning models, most of which are highly complex with many layers and a vast number of features. Understanding how these models work is challenging and demands significant resources to experiment with various training algorithms and feature sets. With ML explainability, the ML team aims to bring transparency to these models, helping to clarify their predictions and behavior. This transparency also assists the operations and legal teams in explaining the reasons behind specific prediction outcomes. In this talk, Eric Wang will discuss the methods Uber used for explaining deep learning models and how we integrated these methods into the Uber AI Michelangelo ecosystem to support offline explaining.

AI/ML Infra Meetup | ML explainability in Michelangelo

AI/ML Infra Meetup | ML explainability in Michelangelo

AI/ML Infra Meetup | ML explainability in Michelangelo

Breaking the Code : A Guide to WhatsApp Business API.pdf

Breaking the Code : A Guide to WhatsApp Business API.pdf

Breaking the Code : A Guide to WhatsApp Business API.pdf

Meon Technology

Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

Key takeaways: Challenges of building platforms and the benefits of platformless. Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience. How Choreo enables the platformless experience. How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo. Demo of an end-to-end app built and deployed on Choreo.

Accelerate Enterprise Software Engineering with Platformless

Accelerate Enterprise Software Engineering with Platformless

Accelerate Enterprise Software Engineering with Platformless

In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey. Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience. Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system. Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Natan Silnitsky

Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload. Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.

Designing for Privacy in Amazon Web Services

Designing for Privacy in Amazon Web Services

Designing for Privacy in Amazon Web Services

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

"Introduction to Windows 7" serves as the foundational chapter in our guide, setting the stage for understanding the key features and functionalities of this operating system. Windows 7, released by Microsoft in 2009, quickly became one of the most popular and widely used versions of Windows due to its user-friendly interface, stability, and performance improvements over its predecessor, Windows Vista. This chapter begins by providing an overview of the Windows 7 operating system, highlighting its key attributes and improvements compared to earlier versions of Windows. It introduces users to the visual enhancements such as Aero Glass, the revamped taskbar (also known as the Superbar), and the redesigned Start menu, which all contribute to a more intuitive and streamlined user experience. Furthermore, "Introduction to Windows 7" delves into the architecture and system requirements of the operating system, helping users understand what hardware specifications are necessary for optimal performance. It covers topics such as processor requirements, RAM, disk space, and graphics capabilities, ensuring that readers have a clear 3 understanding of the hardware prerequisites for running Windows 7 smoothly. Additionally, this chapter explores the various editions of Windows 7, including Home Premium, Professional, Ultimate, and Enterprise, outlining the differences between them and helping users choose the edition that best suits their needs and requirements. Moreover, "Introduction to Windows 7" provides an overview of the installation process, guiding users through the steps required to install or upgrade to Windows 7 on their computers. It covers topics such as preparing for installation, choosing the installation type (upgrade or custom), partitioning disks, and configuring initial settings. In summary, "Introduction to Windows 7" serves as a comprehensive primer for users who are new to the operating system or seeking to refresh their understanding. By familiarizing themselves with the core concepts and features of Windows 7, readers can lay a solid foundation for exploring more advanced topics covered in subsequent chapters of this guide.

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

Unlocking Business Potential: Tailored Technology Solutions by Prosigns Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support. Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth. Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices. AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making. Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency. DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration. Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly. Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business. Join us on a journey of innovation and growth. Let's partner for success with Prosigns.

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns: Transforming Business with Tailored Technology Solutions

Crafting the Perfect Measurement Sheet with PLM Integration

Crafting the Perfect Measurement Sheet with PLM Integration

Crafting the Perfect Measurement Sheet with PLM Integration

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf

kalichargn70th171

De mooiste recreatieve routes ontdekken met RouteYou en FME

De mooiste recreatieve routes ontdekken met RouteYou en FME

De mooiste recreatieve routes ontdekken met RouteYou en FME

Jelle | Nordend

CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.

Cyaniclab : Software Development Agency Portfolio.pdf

Cyaniclab : Software Development Agency Portfolio.pdf

Cyaniclab : Software Development Agency Portfolio.pdf

AI/ML Infra Meetup | Perspective on Deep Learning Framework

AI/ML Infra Meetup | Perspective on Deep Learning Framework

AI/ML Infra Meetup | Perspective on Deep Learning Framework

Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Shahin Sheidaei

Skilrock is an igaming technology platform & lottery software provider to the Global Lottery & Gaming Industry with a strong presence across continents. As part of the $2.4 billion SUGAL & DAMANI GROUP, Skilrock leverages the group's extensive domain experience to offer the INFINITI gaming platform - a true Omni-Channel, Omni-Gaming Platform that can serve any lottery or gaming operator anywhere in the world. INFINITI serves Retail, iGaming & Self Service Channels with equal ease and at the same time supports a wide variety of games like Lotto, Keno, Bingo, Instant, Sports, Poker, Rummy, Casino and Slots. Our popular solutions are Scratch Lottery, Retail Lottery, Instant Lottery and other igaming and lottery solutions.

iGaming Platform & Lottery Solutions by Skilrock

iGaming Platform & Lottery Solutions by Skilrock

iGaming Platform & Lottery Solutions by Skilrock

Skilrock Technologies

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1

Studiovity film pre-production and screenwriting software

Studiovity film pre-production and screenwriting software

Studiovity film pre-production and screenwriting software

Recently uploaded (20)

Agnieszka Andrzejewska - BIM School Course in Kraków

Agnieszka Andrzejewska - BIM School Course in Kraków

Agnieszka Andrzejewska - BIM School Course in Kraków

AI/ML Infra Meetup | ML explainability in Michelangelo

AI/ML Infra Meetup | ML explainability in Michelangelo

AI/ML Infra Meetup | ML explainability in Michelangelo

Breaking the Code : A Guide to WhatsApp Business API.pdf

Breaking the Code : A Guide to WhatsApp Business API.pdf

Breaking the Code : A Guide to WhatsApp Business API.pdf

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

Accelerate Enterprise Software Engineering with Platformless

Accelerate Enterprise Software Engineering with Platformless

Accelerate Enterprise Software Engineering with Platformless

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Designing for Privacy in Amazon Web Services

Designing for Privacy in Amazon Web Services

Designing for Privacy in Amazon Web Services

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns: Transforming Business with Tailored Technology Solutions

Crafting the Perfect Measurement Sheet with PLM Integration

Crafting the Perfect Measurement Sheet with PLM Integration

Crafting the Perfect Measurement Sheet with PLM Integration

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf

De mooiste recreatieve routes ontdekken met RouteYou en FME

De mooiste recreatieve routes ontdekken met RouteYou en FME

De mooiste recreatieve routes ontdekken met RouteYou en FME

Cyaniclab : Software Development Agency Portfolio.pdf

Cyaniclab : Software Development Agency Portfolio.pdf

Cyaniclab : Software Development Agency Portfolio.pdf

AI/ML Infra Meetup | Perspective on Deep Learning Framework

AI/ML Infra Meetup | Perspective on Deep Learning Framework

AI/ML Infra Meetup | Perspective on Deep Learning Framework

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

iGaming Platform & Lottery Solutions by Skilrock

iGaming Platform & Lottery Solutions by Skilrock

iGaming Platform & Lottery Solutions by Skilrock

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1

Studiovity film pre-production and screenwriting software

Studiovity film pre-production and screenwriting software

Studiovity film pre-production and screenwriting software

Continuous Security

1. CONTINUOUS SECURITY THANK YOU!

2. @parker0phil

3. @parker0phil How do we achieve Security in a Continuous Delivery environment?

4. @parker0phil 3. Continuous Delivery IS MORE secure!

5. @parker0phil 2. Continuous Delivery IS MORE secure!

6. @parker0phil 2. Continuous Delivery IS MORE secure!

7. @parker0phil 2. Continuous Delivery IS MORE secure!

8. @parker0phil 1. Continuous Delivery IS MORE secure! Mean Time to Detect (MTTD) Mean Time to Resolve (MTTR) RELEASE FIND VULN FIX VULN Attack Window MTTD MTTE

9. @parker0phil Continuous Delivery IS MORE secure!

10. @parker0phil 3. Thinking about Security

11. @parker0phil 3. Thinking about Security

12. @parker0phil 2. Thinking about Security Exploitability Impact

13. @parker0phil 1. Thinking about Security 1. Rely on developers and testers more than security specialists. 2. Secure while we work more than after we’re done. 3. Implement features securely more than adding on security features. 4. Mitigate risks more than fix bugs.

14. @parker0phil Thinking about Security

15. @parker0phil Pet Hate #3

16. @parker0phil Encoding Hashing Encryption Signing Pet Hate #2 b2JmdXNjYXRpb24= %3Cscript%3Ealert(0) %3C%2Fscript%3E Integrity + Non-repudiation Confidentiality

17. @parker0phil Pet Hate #1

18. @parker0phil Pet Hates!

19. @parker0phil 3. Enumeration of Usernames

20. @parker0phil 3. Enumeration of Usernames

21. @parker0phil 2. Unvalidated Redirects ?queryString=param Cookie:value Persisted

22. @parker0phil 2. Unvalidated Redirects ?queryString=param Cookie:value Persisted

23. @parker0phil 1. Cross-Site Request Forgery (CSRF)

24. @parker0phil BONUS. SelfXSS

25. @parker0phil BONUS. SelfXSS

26. @parker0phil My Favourite attacks!

27. @parker0phil Continuous Delivery IS MORE secure How we achieve Security in a CD environment Mental Models for Security Pet Hates My Favourite attacks

28. @parker0phil Security is HARD

29. #DevSecOpsDevSecOps#DevSecOps

30. CONTINUOUS SECURITY