The document discusses DevSecOps principles for delivering products continuously while maintaining security and compliance. It advocates treating security and compliance as engineering problems and integrating them into development practices like infrastructure as code, continuous delivery, monitoring and learning from failures. The document describes how one company implemented DevSecOps practices like secure software supply chains, automated security testing in CI/CD pipelines, monitoring and incident response to achieve security compliance and pass audits while maintaining continuous delivery of features.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
Data Theorem is Proud to Be Named a DevSecOps Leader for the Second Year in a Row.
DevSecOps was the only category listed as providing transformational benefits among the Application Security categories listed. DevSecOps approaches enable security teams to keep pace with development and operations teams in modern development and deliver deep integration and automation of security tools.
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
Avishkar Nikale who is Senior Technical Architect at LTI took a Session on "DevSecOps with GitLab" at Global Testing Retreat #ATAGTR2019
Please refer our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
In this presentation, it is outlined about DevOps, DevSecOps, Characteristics of DevSecOps, DevSecops Practises, Benefits of Implementing DevSecOps, Implementation Frameworks and the Challenges in Implementing DevSecOps.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
Data Theorem is Proud to Be Named a DevSecOps Leader for the Second Year in a Row.
DevSecOps was the only category listed as providing transformational benefits among the Application Security categories listed. DevSecOps approaches enable security teams to keep pace with development and operations teams in modern development and deliver deep integration and automation of security tools.
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
Avishkar Nikale who is Senior Technical Architect at LTI took a Session on "DevSecOps with GitLab" at Global Testing Retreat #ATAGTR2019
Please refer our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
In this presentation, it is outlined about DevOps, DevSecOps, Characteristics of DevSecOps, DevSecops Practises, Benefits of Implementing DevSecOps, Implementation Frameworks and the Challenges in Implementing DevSecOps.
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team journey's from endpoint security to built-in security and how to avoid the common mistakes faced when implementing your chosen DevSecOps strategy.
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
DevSecOps means considering application and infrastructure security from the beginning. This also means automating some security doors to prevent the DevOps workflow from slowing down.
The goal of DevSecOps (development, security, and operations) is to make everyone responsible for security, with the main target on implementing security decisions and actions at an equivalent scale and speed as development and operations decisions and actions.
Implementing DevSecOps are often an elaborate process for a corporation , but well worthwhile when considering the advantages .
Implementation usually includes the subsequent stages:
Planning and development
Building and testing
Deployment and operation
Monitoring and scaling
Tonex's DevSecOps Training Bootcamp
DevSecOps training Bootcamp is a practical DevSecOps course, participants can acquire in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.
Participants understand DevOps and DevSecOps to take full advantage of the agility and responsiveness of the secure DevOps method, IT security on SDLC, and the entire life cycle of the application.
DevSecOps Training Bootcamp focuses on:
Concepts
Principles
Processes
Policies
Guidelines
Mitigation
Applied Risk Management Framework (RMF)
Technical Skills
Audience:
Security Staff
IT Leadership
IT Infrastructure
CIOs / CTOs /CSO
Configuration Managers
Developers and Application Team Members and Leads
IT Operations Staff
IT Project & Program Managers
Product Owners and Managers
Release Engineers
Agile Staff and ScrumMasters
Software Developers
Software Team Leads
System Admin
Training Objectives:
Identify and explain the phases of the DevOps life cycle
Define the roles and responsibilities that support the DevOps environment
Describe the security components of DevOps and determine its risk principles
Analyze, evaluate and automate DevOps application security across SDLC
Identify and explain the characteristics required to meet the definition of DevOps computing security
Discuss strategies for maintaining DevOps methods
Perform gap analysis between DevOps security benchmarks and industry standard best practices
Evaluate and implement the safety controls necessary to make sure confidentiality, integrity and availability (CIA) in DevOps environments
Perform risk assessments of existing and proposed DevOps environments
Integrate RMF with DevOps
Explain the role of encryption in protecting data and specific strategies for key management
And more.
Course Content:
DevOps vs. DevSecOps
DevOps Security Requirements
DevOps Typical Security Activities
Tools for Securing DevOps
Principles Behind DevSecOps
DevSecOps and Application Security
How to DevSecOps
DevSecOps Maturity
RMF, DevOps and DevSecOps
For More Information:
https://www.tonex.com/training-courses/devsecops-training-bootcamp/
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Barriers to Container Security and How to Overcome ThemWhiteSource
Over the past few years, more and more companies are turning to containerized environments to scale their applications.
However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools.
This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely.
Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses:
The top challenges to security in containerized environments
How DevSecOps addresses security in containerized environments
Tips and tricks for successfully incorporating security into the container lifecycle
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Security Testing for Containerized ApplicationsSoluto
Everybody wants to run their code on Kubernetes these days, but it requires a radical change to your deployment process. You want to make sure you don’t create new vulnerabilities when you take this leap. What kind of security tests can you run in this pipeline to assert that this code does not contain any known vulnerabilities?
At Soluto, we started to migrate services to Kubernetes in the recent months, and we would like to share with you what we did. In this session I’m planning to cover our CI/CD pipeline, and give extra attention to the following points:
Scanning code dependencies
Scanning containers
Testing for insecure Kubernetes configurations
Securely deploy to Kubernetes cluster
Join this session to hear our story and learn about many useful tools you can start using today to deploy secure apps to your Kubernetes cluster. All the tools I’ll present are open source tools, so using them should be as simple as possible.
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
Have you ever needed to wrestle a legacy application onto a modern, scalable cloud platform, while increasing security test coverage? Sometimes real applications are not easily stuffed into a Docker container and deployed in a container orchestration system. In this talk, Modus Create Principal Architect Richard Bullington-McGuire will show how to compose Jenkins, Docker, Terraform, Packer, Ansible, Packer, Vagrant, Gauntlt, OpenSCAP, the CIS Benchmark for Linux, AWS CodeDeploy, Auto Scaling Groups, Application Load Balancers, and other AWS services to create a performant and scalable solution for deploying applications. A local development environment using Vagrant mirrors the cloud deployment environment to minimize surprises upon deployment.
Awareness and Guide to a Practical Implementation.
Discover how to automate security testing, and ensure every bit of code is scanned before it leaves the developer’s hands
https://bsidesdc2018.busyconf.com/schedule#day_5acff470ec4a15f24e000036
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach made AppSec and InfoSec were a little left behind. The DevOps squad topology does not involve any of the organization's AppSec and InfoSec Engineer. Many DevOps team are also not included them since they lack the information on how to manage and configure DevOps CI / CD pipelines and DevSecOps approaches. There's no shortage of talent — you probably don't have a mission worth getting out of bed or a culture that fosters continuous learning such DevSecOps skill and tools and growth where people feel psychologically safe. Besides, there is no shortage of skills — most have a poor understanding of what they need to be successful or the skills that need to leverage to improve their security posture.
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team journey's from endpoint security to built-in security and how to avoid the common mistakes faced when implementing your chosen DevSecOps strategy.
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
DevSecOps means considering application and infrastructure security from the beginning. This also means automating some security doors to prevent the DevOps workflow from slowing down.
The goal of DevSecOps (development, security, and operations) is to make everyone responsible for security, with the main target on implementing security decisions and actions at an equivalent scale and speed as development and operations decisions and actions.
Implementing DevSecOps are often an elaborate process for a corporation , but well worthwhile when considering the advantages .
Implementation usually includes the subsequent stages:
Planning and development
Building and testing
Deployment and operation
Monitoring and scaling
Tonex's DevSecOps Training Bootcamp
DevSecOps training Bootcamp is a practical DevSecOps course, participants can acquire in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.
Participants understand DevOps and DevSecOps to take full advantage of the agility and responsiveness of the secure DevOps method, IT security on SDLC, and the entire life cycle of the application.
DevSecOps Training Bootcamp focuses on:
Concepts
Principles
Processes
Policies
Guidelines
Mitigation
Applied Risk Management Framework (RMF)
Technical Skills
Audience:
Security Staff
IT Leadership
IT Infrastructure
CIOs / CTOs /CSO
Configuration Managers
Developers and Application Team Members and Leads
IT Operations Staff
IT Project & Program Managers
Product Owners and Managers
Release Engineers
Agile Staff and ScrumMasters
Software Developers
Software Team Leads
System Admin
Training Objectives:
Identify and explain the phases of the DevOps life cycle
Define the roles and responsibilities that support the DevOps environment
Describe the security components of DevOps and determine its risk principles
Analyze, evaluate and automate DevOps application security across SDLC
Identify and explain the characteristics required to meet the definition of DevOps computing security
Discuss strategies for maintaining DevOps methods
Perform gap analysis between DevOps security benchmarks and industry standard best practices
Evaluate and implement the safety controls necessary to make sure confidentiality, integrity and availability (CIA) in DevOps environments
Perform risk assessments of existing and proposed DevOps environments
Integrate RMF with DevOps
Explain the role of encryption in protecting data and specific strategies for key management
And more.
Course Content:
DevOps vs. DevSecOps
DevOps Security Requirements
DevOps Typical Security Activities
Tools for Securing DevOps
Principles Behind DevSecOps
DevSecOps and Application Security
How to DevSecOps
DevSecOps Maturity
RMF, DevOps and DevSecOps
For More Information:
https://www.tonex.com/training-courses/devsecops-training-bootcamp/
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Barriers to Container Security and How to Overcome ThemWhiteSource
Over the past few years, more and more companies are turning to containerized environments to scale their applications.
However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools.
This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely.
Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses:
The top challenges to security in containerized environments
How DevSecOps addresses security in containerized environments
Tips and tricks for successfully incorporating security into the container lifecycle
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Security Testing for Containerized ApplicationsSoluto
Everybody wants to run their code on Kubernetes these days, but it requires a radical change to your deployment process. You want to make sure you don’t create new vulnerabilities when you take this leap. What kind of security tests can you run in this pipeline to assert that this code does not contain any known vulnerabilities?
At Soluto, we started to migrate services to Kubernetes in the recent months, and we would like to share with you what we did. In this session I’m planning to cover our CI/CD pipeline, and give extra attention to the following points:
Scanning code dependencies
Scanning containers
Testing for insecure Kubernetes configurations
Securely deploy to Kubernetes cluster
Join this session to hear our story and learn about many useful tools you can start using today to deploy secure apps to your Kubernetes cluster. All the tools I’ll present are open source tools, so using them should be as simple as possible.
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
Have you ever needed to wrestle a legacy application onto a modern, scalable cloud platform, while increasing security test coverage? Sometimes real applications are not easily stuffed into a Docker container and deployed in a container orchestration system. In this talk, Modus Create Principal Architect Richard Bullington-McGuire will show how to compose Jenkins, Docker, Terraform, Packer, Ansible, Packer, Vagrant, Gauntlt, OpenSCAP, the CIS Benchmark for Linux, AWS CodeDeploy, Auto Scaling Groups, Application Load Balancers, and other AWS services to create a performant and scalable solution for deploying applications. A local development environment using Vagrant mirrors the cloud deployment environment to minimize surprises upon deployment.
Awareness and Guide to a Practical Implementation.
Discover how to automate security testing, and ensure every bit of code is scanned before it leaves the developer’s hands
https://bsidesdc2018.busyconf.com/schedule#day_5acff470ec4a15f24e000036
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach made AppSec and InfoSec were a little left behind. The DevOps squad topology does not involve any of the organization's AppSec and InfoSec Engineer. Many DevOps team are also not included them since they lack the information on how to manage and configure DevOps CI / CD pipelines and DevSecOps approaches. There's no shortage of talent — you probably don't have a mission worth getting out of bed or a culture that fosters continuous learning such DevSecOps skill and tools and growth where people feel psychologically safe. Besides, there is no shortage of skills — most have a poor understanding of what they need to be successful or the skills that need to leverage to improve their security posture.
DevSecOps - It can change your life (cycle)Qualitest
QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scan, enabling significant shift left of issues detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this slide is for you.
For more information, please visit www.QualiTestGroup.com
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Amazon Web Services
For today’s digital organizations, even a few minutes of downtime can mean millions of dollars lost and customers who go elsewhere. To keep up with customer expectations, organizations must handle and prioritize real-time operations at a scale that didn’t exist before. However, developing this competency is easier said than done, especially without a solid understanding of the capabilities needed to drive real-time operations across cloud and on-premises environments. In this session, we explore how innovations around machine learning, automation, and analytics, when combined with modern incident management best practices, can improve operational performance, team productivity, and drive business results. This session is brought to you by AWS partner, PagerDuty, Inc.
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarSumo Logic
In this webinar, Sumo Logic VP of Security and Compliance George Gerchow dives into how to make the shift to DevSecOps, discussing how to:
- Incorporate fundamental and high impact security best practices into your current DevOps operations
- Gain visibility into your compliance posture
- Identify potential risks and threats in your environments
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
DevSecOps is a new way to deliver security as part of the Software Supply Chain. It supports a built-in process and faster security feedback loop for DevOps teams.
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next.
Join this webinar presentation to learn:
- Why DevOps cannot effectively work in waterfall
- How to use DevOps tools to optimize processes in either development or operations through automation
We will also discuss what is needed to support full DevOps
Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products.
During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.
DevSecOps represents development, security, and operation. DevSecOps aims to embed the security process within the DevOps process. The objective of DevSecOps is to embrace a "security as code" culture within the ongoing flexible collaboration between security teams and release engineers.
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
Respresenting Cyber Defense Community (cdef.id) to present and share my view on Secure DevOps / DevSecOps. Through this presentation, I shared several insights about:
1. How to balance the risk and controls in the "great shift left" paradigm (agile)
2. DevOps activities
3. How to seamlessly integrate security into DevOps
4. How to "shift left" the security"
5. Get started with Secure DevOps / DevSecOps
6. Case Study about DevSecOps implementation
For further discussion, especially how to secure digital and agile transformation in your organization, don't hesitate to contact me :)
DevSecOps represents development, security, and operation. DevSecOps aims to embed the security process within the DevOps process. The objective of DevSecOps is to embrace a "security as code" culture within the ongoing flexible collaboration between security teams and release engineers.
Similar to Dev secops security and compliance at the speed of continuous delivery - owasp (20)
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
2. Holy Grails
You want to deliver product
You want to deliver it fast
You want people to trust it
3.
4. Holy Grails
Oh and …
Usable, secure, has defense in
depth,
hardened, easy to patch, uses the
principle of least privilege, compliant,
auditable, supportable, uses modern tech,
attracts developers, cost effective ...
9. Compliance
Document what you do
– Security Controls, plans, and processes
Do it
– Hard
Prove you did it
– If you haven’t planned - this can be hard,
disruptive work
15. Why Compliance?
Compliance opens wallets
Moves security spending from fear
• Avoid a big incident
To greed
• A sales tool
Paraphrasing Bruce
Schneier
16.
17. DevSecOps
DevOps used to deliver and run systems in a
secure and reliable way
Bringing in Security and Compliance
increases the focus on Ops
– “You build it, you run it”
18.
19. No Magic
Just DevOps done right
Other terms
– DevSecOps
– DevOpsSec
– Rugged DevOps
It is a good search phrase, tho
22. Tehama the Product
Delivers privileged technical services
over the internet with
– Transparency
– Security
– Auditability
Ensures trust while enabling quick
onboarding and connectivity
23.
24. Tehama and SOC2
Decided that SOC2 compliance was
mandatory
– Sales tool
– Trust tool
• Validated security practices via a
trusted 3rd party auditor
25.
26. DevSecOps - Secret Sauce
The whole team approach
Leverage security and compliance expertise
in building out the system
Leverage the technical expertise of your
DevOps team
What about - Product? Testing? Marketing? Legal?
• Yes, the whole team
28. Tehama DevSecOps Principles
Security and Compliance is not the office of
no
Build security in
Don’t be compliant for compliance’s sake
– Make it secure, to demonstrate
compliance
– Keep it valuable
30. Implementation
Security is everyone’s job, all the time
Design it into the system
• Then it is just how the software is
delivered
Audit evidence is generated during daily
work
– Not extra work
32. Policy Designed for CI/CD
Change Management
Standard Change
– Pre-approved
– Move most changes here
– High success rate, low MTTR
High Risk Change
– Classic security approval
Emergency Change
– Post release approval
– Don’t block an emergency change
33.
34. DevOps Audit Defense
d) Automated security testing of the code and environment
is performed as part of the deployment pipeline, as per
CS2.e.
e) All production deployments must have a JIRA ticket
number. Deployers must input the JIRA ticket number into
the Jenkins build pipeline system for code to be deployed
into production.
i) Jenkins uses the JIRA plugin to pull information from
JIRA to include with the build information and push
information about the build into the JIRA ticket.
35. Implementation
Secure software supply chain
All images and OSs are from trusted repos
– Hardened
All software dependencies are scanned
Patch management is just another change
36. Implementation - SDLC
The SDLC is based on a CI/CD pipeline
Automatic
SAST
– Static Application Security Testing
DAST
– Dynamic Application Security Testing
SCA
– Software Component Analysis
Container vulnerability analysis
37. Implementation - SDLC
Manual
Prioritization and planning
Pull requests and code review
– Code review guidelines call out security
concerns with a standard checklist
PR approval, and release authorization
38. Implementation - Monitoring
Vulnerability plan includes intrusion detection
Requires monitoring and alerting to detect
incidents
• Alerting will launch Incident Response (IR)
• Note, manual detection is still in scope
– Strange system behaviour
– Customer reports
– AWS security
– Law enforcement
39. Implementation - IR and Logging
DevOps includes a focus on monitoring and
observability
• This is adds big value
• Enables robust Incident Response and
troubleshooting capabilities
41. Results
Last pentest had no findings
Security and compliance dev work is not exceptional
First audit (Type 1) passed without complications
– Kudos from auditors
Second audit (Type 2) had no major out of band work
for developers or compliance - Passed
Continuous improvement on logging and monitoring
IR and post-mortem process well established
42. References
• DevOpsSec: Securing software through continuous delivery
– https://www.safaribooksonline.com/library/view/devopssec/978149197
1413/
• DevOps Audit Defense Toolkit
– https://itrevolution.com/devops-audit-defense-toolkit/
• The DevOps Handbook: How to Create World-Class Agility, Reliability, and
Security in Technology Organizations
– Chapter 19
– Section VI
– Appendix 9
– https://www.amazon.ca/DevOps-Handbook-World-Class-Reliability-
Organizations/dp/1942788002
43. References
• Accelerate: The Science of Lean Software and DevOps: Building and
Scaling High Performing Technology Organizations
– Chapter 6
– https://www.amazon.ca/Accelerate-Software-Performing-Technology-
Organizations/dp/1942788339/
• Incident Management for Operations
– https://www.amazon.ca/Incident-Management-Operations-Rob-
Schnepp/dp/1491917628/
• Pagerduty Incident Response
– https://response.pagerduty.com/
• Incident Response: Trade-offs Under Pressure
– https://www.slideshare.net/InfoQ/incident-response-tradeoffs-under-
pressure
44. References
• Blameless PostMortems and a Just Culture
– https://codeascraft.com/2012/05/22/blameless-postmortems/
• The infinite hows
– https://www.oreilly.com/ideas/the-infinite-hows
• Debriefing Facilitation Guide
– https://extfiles.etsy.com/DebriefingFacilitationGuide.pdf
• Was it technical failure or human error?
– https://www.youtube.com/watch?v=Ygx2AI2RtkI
• AWS Monitoring & Logging
– https://www.slideshare.net/JasonPoley/aws-monitoring-logging
• Container & Microservice Security
– https://www.youtube.com/watch?v=8tDpGyVV8OQ
• How the Human Brain Buys Security
– https://www.schneier.com/essays/archives/2008/07/how_the_human_
brain.html