Maturing DevSecOps: From Easy to High ImpactSBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
DevSecOps without DevOps is Just SecurityKevin Fealey
The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined.
Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream.
This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice – most of which are provided by groups other than security; and we’ll discuss case studies, both from organizations who have embraced DevOps as a foundation for DevSecOps, and those who haven’t. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.
Top 10 Practices of Highly Successful DevOps Incident Management TeamsDeborah Schalm
Managing incidents in a DevOps environment is a near insurmountable task. With shared responsibilities and on-call rotations, anyone might be called into a system firefight at any time. Accepting failure and the problems created with complex system is a core tenet of DevOps thinking, and helping your team respond to incidents more effectively is key.
Matthew Boeckman has served on the frontlines of DevOps incident management for 19 years. He’s seen it all and is an expert on building teams and workflows to support effective alerting, clear communication, and rapid recovery.
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice.
Shannon Lietz, Intuit
James WIckett, Signal Sciences
RSA Conference 2019
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
A web application’s attack surface is the combination of URLs it will respond to as well as the
inputs to those URLs that can change the behavior of the application. Understanding an
application’s attack surface is critical to being able to provide sufficient security test coverage,
and by watching an application’s attack surface change over time security and development
teams can help target and optimize testing activities. This presentation looks at methods of
calculating web application attack surface and tracking the evolution of attack surface over
time. In addition, it looks at metrics and thresholds that can be used to craft policies for
integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD)
pipelines for teams integrating security into their DevOps practices.
The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Maturing DevSecOps: From Easy to High ImpactSBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
DevSecOps without DevOps is Just SecurityKevin Fealey
The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined.
Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream.
This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice – most of which are provided by groups other than security; and we’ll discuss case studies, both from organizations who have embraced DevOps as a foundation for DevSecOps, and those who haven’t. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.
Top 10 Practices of Highly Successful DevOps Incident Management TeamsDeborah Schalm
Managing incidents in a DevOps environment is a near insurmountable task. With shared responsibilities and on-call rotations, anyone might be called into a system firefight at any time. Accepting failure and the problems created with complex system is a core tenet of DevOps thinking, and helping your team respond to incidents more effectively is key.
Matthew Boeckman has served on the frontlines of DevOps incident management for 19 years. He’s seen it all and is an expert on building teams and workflows to support effective alerting, clear communication, and rapid recovery.
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice.
Shannon Lietz, Intuit
James WIckett, Signal Sciences
RSA Conference 2019
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
A web application’s attack surface is the combination of URLs it will respond to as well as the
inputs to those URLs that can change the behavior of the application. Understanding an
application’s attack surface is critical to being able to provide sufficient security test coverage,
and by watching an application’s attack surface change over time security and development
teams can help target and optimize testing activities. This presentation looks at methods of
calculating web application attack surface and tracking the evolution of attack surface over
time. In addition, it looks at metrics and thresholds that can be used to craft policies for
integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD)
pipelines for teams integrating security into their DevOps practices.
The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
This document summarizes a presentation given by Sébastien Gioria on application security. The presentation provided an overview of the current state of application security, described the Open Web Application Security Project (OWASP) including its mission and resources, and highlighted several OWASP projects that developers can use to help secure applications. It also listed upcoming security events in France and ways to support OWASP.
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
Richard Mills discusses how DevSecOps enables continuous security in Agile development through integrating security tools and processes into CI/CD pipelines. He outlines essential categories of security tools, including static analysis, software composition analysis, vulnerability scanning, dynamic testing, and monitoring. These tools can run tests at various stages of the pipeline to catch issues early. Mills also stresses the importance of integrating security teams with development teams through structures like technical guilds to build a culture of security.
Full Spectrum Engineering – The New Full-stack Deborah Schalm
Software development is changing and so are the roles that developers need to play. Over the last decade or so, companies have been trying to fill their ranks with what was called full-stack engineers. These developers were versed in software development from database to GUI and everything in between. This was necessary in the age of monolithic application architectures.
The move to DevOps and microservices demands new skills. Now a developer must become fluent in software testing, deployment, telemetry and even security. It is less about multi-layer and more about multi-discipline.
In this webinar, Pete Chestna, Director of Developer Engagement will share his insights into this transformation, the opportunity that it presents to developers as lifelong learners as well as practical advice to get started. Don’t miss the shift. Get ahead of it!
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
How Security can be the Next Force Multiplier in DevOpsAndrew Storms
RSA 2015 Conference Presentation
DevOps is the hottest moving target when it comes to software development methodologies. Many people fear that this fast paced, barrier breaking movement will leave information security best practices in the dust. Turn the equation upside down and make security a force multiplier for DevOps. - See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1540/how-security-can-be-the-next-force-multiplier-in#sthash.jg6O44Yv.dpuf
During a recent webinar, Meera Rao, DevSecOps Practice Director with Synopsys Software Integrity Group spoke on Risk Based Adaptive DevSecOps.
Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.
For more information, please visit our website at https://www.synopsys.com/devops
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
Adversary Driven Defense in the Real WorldJames Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
This document discusses building application security teams. It begins by introducing the author and their background in application security. It then discusses creating an environment where security enables business goals rather than hinders them. It suggests embedding security into culture by focusing on quality, testing, and engineering. It discusses the importance of application security policies being customized and delivered effectively. It emphasizes the need for application security activities like threat modeling and code reviews to avoid relying on "security pixie dust". It argues that even non-software companies should view themselves as software companies due to their reliance on code. Finally, it discusses building application security teams internally by training and educating developers rather than exclusively hiring specialists.
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionSeniorStoryteller
This document announces an upcoming webinar titled "Scaling Rugged DevOps to Thousands of Applications" on March 16th. It lists the panelists Aaron Rinehart, Tim Chase, and Surag Patel. It also provides information on how to register for the webinar, get the presentation slides, and take a DevSecOps survey.
This document summarizes ABN AMRO's DevSecOps journey and initiatives. It discusses their implementation of continuous integration and delivery pipelines to improve software quality, reduce lead times, and increase developer productivity. It also covers their work to incorporate security practices like open source software management, container security, and credentials management into the development lifecycle through techniques like dependency scanning, security profiling, and a centralized secrets store. The presentation provides status updates on these efforts and outlines next steps to further mature ABN AMRO's DevSecOps capabilities.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
Cloud services, Continuous Integration, and Continuous Deployment require security teams to adapt security controls to DevOps processes. This session will explore how security delivered as a service helps security teams work with DevOps to embed continuous security into IT and application infrastructure for improved and automated auditing, compliance and control of applications.
(Source : RSA Conference USA 2017)
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
DevSecOps means integrating security practices into the DevOps workflow from the beginning. The goal is to make everyone responsible for security and implement security decisions at the same speed as development and operations. This helps find vulnerabilities early and improve overall security. Implementing DevSecOps requires planning, building, deploying, monitoring and improving security continuously. It provides benefits like improved compliance and identifying issues earlier.
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
Building Blocks of Secure Development: How to Make Open Source Work for YouSBWebinars
To keep pace with the increasing demands of software development and delivery, the need for developers to leverage open source components and third party libraries continues to grow. Coupled with the escalating number of vulnerabilities these practices introduce, the result is an increased number of vulnerable entry points for cyber-criminals to exploit. However, this does not mean that companies should or must stop using components in their development efforts. Any company that forbids the use of components would be putting itself at a severe disadvantage in the digital economy. Developers though do need to consider the security aspects of using open source libraries and components as part of their build and testing process.
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
This document summarizes a presentation given by Sébastien Gioria on application security. The presentation provided an overview of the current state of application security, described the Open Web Application Security Project (OWASP) including its mission and resources, and highlighted several OWASP projects that developers can use to help secure applications. It also listed upcoming security events in France and ways to support OWASP.
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
Richard Mills discusses how DevSecOps enables continuous security in Agile development through integrating security tools and processes into CI/CD pipelines. He outlines essential categories of security tools, including static analysis, software composition analysis, vulnerability scanning, dynamic testing, and monitoring. These tools can run tests at various stages of the pipeline to catch issues early. Mills also stresses the importance of integrating security teams with development teams through structures like technical guilds to build a culture of security.
Full Spectrum Engineering – The New Full-stack Deborah Schalm
Software development is changing and so are the roles that developers need to play. Over the last decade or so, companies have been trying to fill their ranks with what was called full-stack engineers. These developers were versed in software development from database to GUI and everything in between. This was necessary in the age of monolithic application architectures.
The move to DevOps and microservices demands new skills. Now a developer must become fluent in software testing, deployment, telemetry and even security. It is less about multi-layer and more about multi-discipline.
In this webinar, Pete Chestna, Director of Developer Engagement will share his insights into this transformation, the opportunity that it presents to developers as lifelong learners as well as practical advice to get started. Don’t miss the shift. Get ahead of it!
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
How Security can be the Next Force Multiplier in DevOpsAndrew Storms
RSA 2015 Conference Presentation
DevOps is the hottest moving target when it comes to software development methodologies. Many people fear that this fast paced, barrier breaking movement will leave information security best practices in the dust. Turn the equation upside down and make security a force multiplier for DevOps. - See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1540/how-security-can-be-the-next-force-multiplier-in#sthash.jg6O44Yv.dpuf
During a recent webinar, Meera Rao, DevSecOps Practice Director with Synopsys Software Integrity Group spoke on Risk Based Adaptive DevSecOps.
Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.
For more information, please visit our website at https://www.synopsys.com/devops
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
Adversary Driven Defense in the Real WorldJames Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
This document discusses building application security teams. It begins by introducing the author and their background in application security. It then discusses creating an environment where security enables business goals rather than hinders them. It suggests embedding security into culture by focusing on quality, testing, and engineering. It discusses the importance of application security policies being customized and delivered effectively. It emphasizes the need for application security activities like threat modeling and code reviews to avoid relying on "security pixie dust". It argues that even non-software companies should view themselves as software companies due to their reliance on code. Finally, it discusses building application security teams internally by training and educating developers rather than exclusively hiring specialists.
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionSeniorStoryteller
This document announces an upcoming webinar titled "Scaling Rugged DevOps to Thousands of Applications" on March 16th. It lists the panelists Aaron Rinehart, Tim Chase, and Surag Patel. It also provides information on how to register for the webinar, get the presentation slides, and take a DevSecOps survey.
This document summarizes ABN AMRO's DevSecOps journey and initiatives. It discusses their implementation of continuous integration and delivery pipelines to improve software quality, reduce lead times, and increase developer productivity. It also covers their work to incorporate security practices like open source software management, container security, and credentials management into the development lifecycle through techniques like dependency scanning, security profiling, and a centralized secrets store. The presentation provides status updates on these efforts and outlines next steps to further mature ABN AMRO's DevSecOps capabilities.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
Cloud services, Continuous Integration, and Continuous Deployment require security teams to adapt security controls to DevOps processes. This session will explore how security delivered as a service helps security teams work with DevOps to embed continuous security into IT and application infrastructure for improved and automated auditing, compliance and control of applications.
(Source : RSA Conference USA 2017)
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
DevSecOps means integrating security practices into the DevOps workflow from the beginning. The goal is to make everyone responsible for security and implement security decisions at the same speed as development and operations. This helps find vulnerabilities early and improve overall security. Implementing DevSecOps requires planning, building, deploying, monitoring and improving security continuously. It provides benefits like improved compliance and identifying issues earlier.
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
Building Blocks of Secure Development: How to Make Open Source Work for YouSBWebinars
To keep pace with the increasing demands of software development and delivery, the need for developers to leverage open source components and third party libraries continues to grow. Coupled with the escalating number of vulnerabilities these practices introduce, the result is an increased number of vulnerable entry points for cyber-criminals to exploit. However, this does not mean that companies should or must stop using components in their development efforts. Any company that forbids the use of components would be putting itself at a severe disadvantage in the digital economy. Developers though do need to consider the security aspects of using open source libraries and components as part of their build and testing process.
Two of the most important topics on everyone’s mind when developing PHP applications are performance and security.
Rogue Wave Software and RIPS Technologies are teaming up to show you how you can utilize our solutions to help make your PHP applications safe and fast. We will use a typical Magento implementation as an example to speak about finding and eliminating bottlenecks and debugging your code. We will also demonstrate how you can detect security vulnerabilities using cutting edge static code analysis.
This talk focussed on the challenges facing the DevOps community from the “developers culture perspective” and the consequences of the perceived disinterest in inculcating a complete 360 degrees’ risk mitigation framework in DevOps practices.
The talk touched on the legal +Security+Operational Risk of using Open Source in their SDLC, the need for internal customized Open Source policy and a two-step approach to resolve these risks
How to achieve security, reliability, and productivity in less timeRogue Wave Software
This introductory session lays the foundation for boosting the effectiveness of mission-critical systems testing by covering industry best practices for code security, software reliability, and team productivity. For each area, you will learn how to mitigate the top issues by seeing real examples and understanding the tools and techniques to overcome them. This includes: The value of different testing methods; The importance of standards compliance; and understanding how DevOps and continuous integration fit in.
Whether you’re considering migrating to PHP 7 or are already there, you need to know the specifics of how to keep your application running smoothly, efficiently, and with minimum downtime. Take these techniques proven by our customers to make your PHP 7 application shine.
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Shannon Williams
Security should be integrated into every phase of the container application development life cycle, from build to ship to run. On August 31st, we hosted an online meetup to discuss the issues that need be addressed to achieve continuous security for containers.
The presentation included speakers from Rancher Labs (www.rancher.com), NeuVector (www.neuvector.com) and Black Duck Software (www.blackducksoftware.com) who discussed:
- Best practices for preparing your environment for secure deployment
- How to secure containers during run-time
- Actionable next steps to protect your applications
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
This document discusses the WannaCry ransomware attack of May 2017. It provides an overview of how WannaCry worked, including that it infected over 300,000 Windows machines worldwide by encrypting their contents until a ransom was paid in bitcoin. It spread using vulnerabilities in Microsoft SMB and EternalBlue/DoublePulsar exploits. The document advocates for securing networks and applications to manage risks from these types of attacks and focuses on quality and security practices across the software development lifecycle.
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Description : Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints in understanding your company’s external attack surface. We will discuss social, mobile, web attacks and analyze and review lessons learned recently publicized attacks (Polish banking institutions, Apache Struts Vulnerability or WannaCry ransomware. The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
What is a Digital Footprint?
Breakdown of External Threats (Social, Mobile, Web)
What are blended attacks?
What is actually being targeting at your company?
How are your brands, customers, and employees being attack outside of your company?
How to become proactive in threat monitoring on the internet?
Considerations in External Threat solutions
Threat correspondence tracking considerations
Is legal cease and desist letters adequate in stopping attacks?
Examination of a phishing attack campaign
How phishing kits work
Analysis and lesson learned from recent published attacks
What are the most important capability in a digital risk monitoring solution?
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.
SAP Hybris solutions are all about providing a connected front office. But the customer experience can easily get damaged if the data from your business partners or end customers is not secure. With the new EU General Data Protection Regulation (GDPR) coming into effect in May 2018, the need to protect your customers’ data is essential for your business. Learn how to reduce cost by integrating security into your implementation process to be ahead of the curve for future cyberattacks.
Take Control: Design a Complete DevSecOps Program DevOps.com
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
Tales from an Enterprise DevOps transformationLee Eason
Driving large scale change is hard, but the reward is more than worth the effort. In this talk, Lee shows some of the benefits he's seen and highlights three key areas to focus on: executive buy in, driving behavior changes by evolving values, and keeping teams healthy through all the changes.
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...CA Technologies
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Solutions (Formerly Automic) and CA Privileged Access Manager
For more information on DevSecOps, please visit: http://ow.ly/u2pN50g63tN
OSS has taken over the enterprise: The top five OSS trends of 2015Rogue Wave Software
It’s everywhere. From your phone to the enterprise, open source software (OSS) is running far and wide. Gartner predicts that by 2016, 99 percent of Global 2000 enterprises will use open source in mission-critical software. While it’s free, easy to find, and pushes software to the market faster, it’s vital to understand how to use OSS safely.
Join Richard Sherrard, director of product management at Rogue Wave, for a live webinar reviewing the top five OSS trends of 2015. From OSS discovery, to risk, and governance, we’ll take a deep dive into the trends we’ve noticed this year while providing you with some predictions for 2016.
In this webinar you’ll learn how to:
-Discover the OSS in your codebase to ensure that code is free of bugs, security vulnerabilities, and license conflicts
-Implement controls on OSS usage at your organization
-Create a multi-tier approach to OSS risk reduction with open source tools, static code analysis and dynamic analysis
Watch the webinar recording now: https://www.brighttalk.com/webcast/12285/164531
SecDevOps: Development Tools for Security ProsDenim Group
Security teams deal in penetration tests and vulnerabilities, and development teams deal in software defects, scrums and sprints. For the security professional, a failure to understand the way that development teams work and the tools that they use means that security vulnerabilities they identify will be hard to get remediated. This becomes an even greater issue as organizations try to roll out DevOps practices to gain greater efficiencies and responsiveness. This presentation walks through the tools and processes that development teams use to manage their workload, accomplish their goals, and track their success and lays out ways that security teams can better interface with developers to more successfully influence their priorities. The major tools discussed include defect trackers, integrated development environments (IDEs), continuous integration (CI) systems and metric tracking and demonstrations are given using open source examples of each. The presentation concludes with examples of healthy interaction patterns for security and development teams as well as interactions that lead to less healthy and less productive relationships.
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
OWASP Bay Area Meetup - DevSecOps the Kubernetes WayJimmy Mesta
This document provides an overview of a training session on DevSecOps using Kubernetes. It includes background on the instructor and warnings about unauthorized hacking. The training covers topics like DevOps and DevSecOps processes and patterns, infrastructure as code, deploying containers securely, Kubernetes, and managing secrets and monitoring in Kubernetes. It encourages collaboration and discusses how to access lab materials through a GitHub repository.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Qui est familier du devops?
Question à l’auditoire
Dans vos lampes
Dans vos maisons,
Dans votre electroménager
Dans l’administration
Il y a du software pour tout avec l’explosion de l’IOT, machine learning, IA…
attacks on the application layer are growing by more than 25 percent annually (Akamai Q3 2015 State of the Internet - Security Report).
US Office of Personnel Management
This breach was one of the biggest ever of US government systems. Although not proved, the attack was believed to be perpetrated by Chinese hackers. The data theft consisted of stealing addresses, health and financial details of 19.7 million people who had been subjected to government background checks as well as 1.8 million others.
Carphone Warehouse
One of the biggest breaches in the UK this year was when the details of almost 2.5 million customers was stolen
http://www.information-age.com/top-10-most-devastating-cyber-hacks-2015-123460657/
http://www.welivesecurity.com/2016/12/30/biggest-security-incidents-2016/
http://www.cbsnews.com/news/france-hit-by-19000-cyber-attacks-after-charlie-hebdo-terror-attacks/
http://en.rfi.fr/europe/20170219-french-fm-ayrault-accuses-russia-election-cyberattacks
Il y avait moins d’open source il y a 10 ans,
Microsoft on github by business insider http://uk.businessinsider.com/microsoft-github-open-source-2016-9?r=US&IR=T
Microsoft today counts on open source developers to feed azure with applications.
Nadella in 2014 said, "Microsoft loves Linux".
http://www.infoworld.com/article/3042699/open-source-tools/microsoft-loves-open-source-only-when-its-convenient.html
http://www.zdnet.com/article/why-microsoft-is-turning-into-an-open-source-company/
Ex : Xamarin for Visual Studio free and opensource
Failles sans que les dev ne le sachent, on introduit des failles de sécu sans le savoir
Entlib is a collection of reusable software components designed to assist software developers (such as logging, validation, data access). Application blocks are provided source code, test cases and documentation.
Telerik : UI frameworks and app development tools
ComponentOne Studio provides enterprise application developers with innovative UI and data management controls for all major platforms.
Bounty castle is a cryptography
Exemple de repository avec des failles découvertes en 2007 et pourtant encore téléchargé en 2015
Visualization of maven central, those organic looking dust mites represent components and their dependencies to other components.
Qu’utilisez-vous comme dependances ? Maitrisez-vous bien votre code open source ? Cb de dépendances avez-vous ?
On connait juste le haut du paquet
Dépendances non connues rajoutées par les IDE (utilisées ?)
SAST: Static Application Security Testing
DAST: Dynamic Application Security Testing
SCA: Software component analysis
DAST teste une application Web en cours d'exécution (les requêtes et les réponses) selon des techniques similaires à celles utilisées par un pirate informatique.
SAST examine le code source d'une application afin de détecter les vulnérabilités potentielles.
SCA Open source components
Checkmarx SAST et SCA
Sonatype SCA
Exemple DAST : acunetix, IBM, HPE, PortSwigger
More test, more checks, more visibility to each key player
Parler ROI,TTM,CDepl.
More test, more checks, more visibility to each key player
Parler ROI,TTM,CDepl.
More test, more checks, more visibility to each key player
Parler ROI,TTM,CDepl.
For a developer : security officers are simply always standing in the way, they force rather tiring procedures (pen testing, waf, code audit) right before production which usually creates change requests that adds time and money to an almost done project.
HP published a paper that says while devops should theoretically improve the security it does the opposite. From their point of view it failed to improve security
http://www.computerweekly.com/news/450401645/DevOps-largely-failing-to-improve-security-study-shows
More test, more checks, more visibility to each key player