The document discusses best practices for securing software throughout the development lifecycle, including identifying threats during design, developing secure code, scanning builds and runtimes for security issues, validating external components, containing risks, testing in production environments, and continuously monitoring for attacks. The goal is to put security (Sec) considerations into every phase from threat modeling to production support to help ensure the safe operation of software systems.
19. Summary
Identify Threats during the design phase
Develop Safe code
Security scan the builds
Security scan the runtimes
Validate external components
Contain your risks
Test in production
Monitor continuously
DynamiNET
Editor's Notes
Michael Howard put it at the 2006 OWASP AppSec Conference in Seattle, “Tools do not make software secure! They help scale the process and help enforce policy.”
We are beginning to understand what DevOps is. It is based on Automation
Putting the 'Sec' into DevSecOps is work in progress with different levels of maturity
Automating security testing tasks is part of the solution (but not the complete solution)
But how does security testing fit into this DevOps model?
In this presentation, I will highlight some of the techniques and supporting tools available to you during the DevSecOps lifecycle
Let’s start from the Planning stage of the cycle
This is where a new feature, or a change to an existing feature, is designed
During the planning phase, the main Sec task is Threat Modelling
Threat modelling was demonstrated by Chris Rutter in October’s session (so I won’t go over it again here)
Identifying threats during the design phase is the cheapest and most effective way to mitigate risks before a line of code is written. Using STRIDE analysis allows you to identify potential vulnerabilities at the earliest phase of the cycle.
This task is probably best carried out manually; however, there are a few tools on the market that allow you to threat model
What makes a good threat modelling tool?
Has an extensible library of threats
Builds a threat model of the system
Provides mitigation steps for identified threats
Reporting (for regulatory purposes)
This type of tooling has been around for a while, but the manual process is still the most effective way of threat modelling
The next phase of the cycle is the process of actually writing code.
During development, there are a number of methodologies to support security
Unit tests.
Write unit tests that mimic the actions of an attacker and make them fail
Use Threat actor driven tests to write unit tests that identify threat surfaces
Write functional tests that manage security – username and password rules
Peer Reviews
Developers working together is an effective way to identify bad practices in writing code
Requires knowledge of security related best practices
Tooling
SAST – Static Analysis of application code. There are two types of tools:
Those that analyse the raw source code
Those that analyse the binaries
Look for tools that:
Educate developers
Provide incremental feedback (it's quicker running incremental scans than full scans)
Integrate into the IDE AND pipeline (providing developers with instant feedback when coding AND during check-ins)
Support the languages and frameworks used by your development teams (not every tool supports every language or framework, particularly more recent versions)
Provide options to fix root cause issues
The tool should be able to identify the root issue rather than peripheral issues.
Fixing the root issue will make your product more secure than fixing lots of dependent issues.
Covers industry known standards such as OWASP, PCI, HIPAA etc.
So how does SAST work?
The tools examine the code to identify vulnerabilities such as storing passwords in the clear, non-parameterised SQL commands or holding passwords in the clear within non-secure memory
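As an added illustration for the "unit tests that mimic the actions of an attacker" point and for the non-parameterised SQL finding above (this is example code written for these notes, not material from the slides): a string-built query beside its parameterised form, a functional password-rule check, and attacker-driven unit tests that fail against the vulnerable lookup and pass against the safe one. The table, user records and the tautology payload are all constructed for the test.

```python
import re
import sqlite3
import unittest

PASSWORD_MIN_LEN = 12           # assumed policy value for the example
ATTACKER_NAME = "' OR '1'='1"   # constructed tautology input used by the tests


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table (not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h1'), ('bob', 'h2')")
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String-built, non-parameterised SQL: exactly the pattern a SAST tool flags.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds `name` as data, never as SQL text.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def password_ok(pw: str) -> bool:
    """Functional security rule: minimum length plus lower, upper and digit classes."""
    return (len(pw) >= PASSWORD_MIN_LEN
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def leaks_other_users(lookup) -> bool:
    """Attacker-driven check: does a lookup for a name that matches nobody return rows?"""
    return len(lookup(make_db(), ATTACKER_NAME)) > 0


class AttackerDrivenTests(unittest.TestCase):
    # Running this against find_user_vulnerable instead would fail: the
    # tautology turns the WHERE clause true for every row.
    def test_lookup_does_not_leak_other_users(self):
        self.assertFalse(leaks_other_users(find_user_safe))

    def test_password_rules(self):
        self.assertFalse(password_ok("password"))
        self.assertFalse(password_ok("shortPass1"))
        self.assertTrue(password_ok("Correct-Horse-42"))


if __name__ == "__main__":
    unittest.main()
```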
What to look out for
Must integrate the tool within the development lifecycle to be effective (fixing issues as they are found)
Consider on premise versus cloud based solutions based on your requirements
Some companies offer either options
Licensing
Product based
Code based
Developer based
False positives are a problem with all SAST tools, so it is a good idea to work with a company that can provide some consultancy to minimise false positives
The Build phase is when components are integrated for the first time within the lifecycle
The best option during this phase is DAST (Dynamic Application Security Testing)
How does DAST work?
Identifies vulnerabilities in an application in its RUNNING state
Normally managed as a SaaS and supported by experts performing manual verification
A type of Black Box testing (there is no knowledge of the underlying code base)
Testers usually have a number of tools to support them which are used to identify potential issues
Manual verification of the issues discovered reduces the number of false positives discovered
The advantage of outsourcing this process is the availability of security experts who can analyse your code
It can be run in-house with internal testing teams
This is an expensive option and only scales to a certain point
Very few false positives
The testing phase within the lifecycle normally involves running a plethora of functional and non-functional tests
During this phase, the best option is IAST (Interactive Application Security Testing)
What is IAST?
It is a runtime analysis tool that sits inside a JVM
It identifies potential issues as the data flows through the application
There are two types of IAST:
Active (induced): DAST is a precursor; targeted testing
Passive (self-induced): monitors applications passively during runtime (such as functional testing); good vulnerability coverage
Key advantages:
reduces false positives
Instant feedback
No configuration / experts required
However, this is the least mature of the 'AST' tools with only a small number of vendors offering this service
Language coverage is not great
The release phase is when your software may become more dependent on external or third party components
These include web hosts such as Apache
Free and Open Source Software (FOSS)
Can often expose your applications to vulnerabilities
Need to compare OSS against known vulnerabilities using CVE (Common Vulnerabilities and Exposures) identifiers
Ensure your open source software is safe
Hardening
Ensure your products do not contain any malicious content from external sources
Patching
Ensure all items are up-to-date with patching
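As an added example of the "compare OSS against known vulnerabilities" step (written for these notes, not taken from the slides or from any real scanner): a small auditor that parses pinned dependencies and checks each against an advisory feed with affected-version ranges. The package names, versions and CVE identifiers are constructed placeholders, and versions are assumed to be plain dotted numbers.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumes plain dotted numeric versions (no pre-release tags)."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass
class Advisory:
    package: str
    cve: str            # placeholder identifier in this example, not a real CVE
    introduced: str     # first affected version
    fixed: Optional[str]  # first fixed version, or None if no fix has shipped

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Constructed advisory feed standing in for a CVE/NVD-style data source.
ADVISORIES = [
    Advisory("examplelib", "CVE-0000-0001", "1.0.0", "1.4.2"),
    Advisory("exampleserver", "CVE-0000-0002", "2.4.0", None),
]


def parse_lockfile(text: str) -> dict:
    """Parse pip-style 'name==version' pins; blank lines and comments are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = ver.strip()
    return deps


def audit(lock_text: str, advisories: List[Advisory] = ADVISORIES) -> list:
    """Return (package, pinned version, cve, fixed version) for every affected pin."""
    deps = parse_lockfile(lock_text)
    findings = []
    for adv in advisories:
        pinned = deps.get(adv.package.lower())
        if pinned and adv.affects(pinned):
            findings.append((adv.package, pinned, adv.cve, adv.fixed))
    return findings


# Constructed lock file: one fixable hit, one unfixed hit, one clean package.
SAMPLE_LOCK = """
examplelib==1.3.0      # inside the affected range, fix available in 1.4.2
otherlib==0.9.1        # no advisory
exampleserver==2.4.6   # affected, no fix released: needs hardening/mitigation
"""

if __name__ == "__main__":
    for pkg, ver, cve, fixed in audit(SAMPLE_LOCK):
        action = f"upgrade to {fixed}" if fixed else "no fix yet, mitigate or remove"
        print(f"{pkg}=={ver}: {cve} ({action})")
```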
The Deployment phase is where your application is pushed into production
Deploying code to production is another opportunity to inject malicious content into your applications
Containers provide a way to deploy products and microservices onto physical or virtual machines
More granular control over what is deployed
Many Containers are accompanied by tools to validate hardening of the container
This is a very immature market
Many products out there
When the application is live there are multiple approaches to testing to catch security vulnerabilities that have made it to production
Bug Bounty Hunters - paid white hat hackers who identify vulnerabilities using a plethora of hacking techniques
Penetration testing (either external or internal) – Black box testing to identify security vulnerabilities and satisfy audits
Continuous Security Validation – validates against new threats in real time
Security Information and Event Management tools (SIEM)
Monitor applications for real-time attacks (uses Correlation engine):
Data Aggregation – pulling data from logs into tools such as Splunk
Alerting – identify immediate issues (DDoS)
Dashboards – to show the current health of the network
Compliance – ensure products follow governance and auditing processes
Forensic analysis – identify potential attacks that would otherwise go undetected
These are complex technologies requiring significant integration with existing enterprise security controls
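As an added example of the aggregation-and-correlation step these notes describe (example code written for these notes, not any product's engine): log lines from two sources are normalised into one event shape, then a correlation rule counts failed logins per source address across both feeds in a sliding window and raises an alert only when the combined count crosses the threshold. The log lines, the simplified web log format and the TEST-NET addresses are all constructed; neither feed alone would trigger the rule here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd-style auth failures (constructed lines in the sample below).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# Simplified web access line, assumed format: "<ts> <host> <method> <path> <status> src=<ip>".
WEB_RE = re.compile(
    r"^(?P<ts>\S+) web\S* (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) src=(?P<src>\S+)")


def normalise(line: str):
    """Aggregation step: map heterogeneous lines onto one event shape, or None."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                "kind": "auth_fail", "source": "sshd"}
    m = WEB_RE.match(line)
    if m:
        failed_login = m["path"] == "/login" and m["status"] == "401"
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                "kind": "auth_fail" if failed_login else "web_request", "source": "web"}
    return None


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Alert when one source address produces >= threshold failed logins within `window`,
    counting events from every feed together."""
    by_src = defaultdict(list)
    for event in filter(None, map(normalise, lines)):
        if event["kind"] == "auth_fail":
            by_src[event["src"]].append(event)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            j = i
            while j < len(events) and events[j]["ts"] - first["ts"] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"src": src, "count": j - i, "start": first["ts"],
                               "sources": sorted({e["source"] for e in events[i:j]})})
                break  # one alert per address is enough for the dashboard
    return alerts


# Constructed sample feed: 203.0.113.5 has 3 sshd + 2 web failures in 20 seconds.
SAMPLE_LOGS = [
    "2024-06-01T12:00:01 sshd[4021]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "2024-06-01T12:00:04 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2",
    "2024-06-01T12:00:09 web01 POST /login 401 src=203.0.113.5",
    "2024-06-01T12:00:15 web01 POST /login 401 src=203.0.113.5",
    "2024-06-01T12:00:20 sshd[4022]: Failed password for root from 203.0.113.5 port 51140 ssh2",
    "2024-06-01T12:00:22 web01 GET /index.html 200 src=198.51.100.7",
    "2024-06-01T12:00:30 sshd[4023]: Failed password for root from 198.51.100.7 port 40000 ssh2",
    "2024-06-01T12:00:45 web01 POST /login 401 src=198.51.100.7",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"ALERT {alert['src']}: {alert['count']} failed logins from "
              f"{alert['sources']} starting {alert['start'].isoformat()}")
```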
Putting the Sec into DevOps is a maturing part of continuous delivery
As the speed of delivery of new products and features increases, so does the level of risk of introducing vulnerabilities into your products
There are emerging technologies such as Containers that are gaining momentum but security is struggling to keep up
However, bringing security good practices into the early parts of the lifecycle can mitigate many risks
Yet, new technologies bring their own risks
Stay patched
Use Open Source Scanning tools
Develop safe code
Identify threats during the design phases