As the world of system and application deployment continues to change, the sysadmin and security community needs to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops, and the traditional sysadmin and security processes just don't work. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? Rackspace has been developing a tool called Checkmate to help them design, deploy and security-assess complex configurations for customers. This talk will cover the concepts behind Checkmate, its architecture, and how it helps minimize the time to deploy systems and verify they have been created to spec and in a secure state. It closes with a discussion of how Checkmate has inspired the concept of Test Driven Security, based on the Test Driven Development model familiar to the development world.
Learn how Azure DevOps has empowered Horizons LIMS to streamline their collaboration and CI/CD process to accelerate their enterprise digital transformation. You will also hear about the latest Azure DevOps features, how to integrate Azure DevOps with GitHub and Jenkins, and how to leverage transformation workloads like Kubernetes and Microsoft Common Data Service to deliver products and services faster.
Microsoft recently released Azure DevOps, a set of services that help developers and IT ship software faster, and with higher quality. These services cover planning, source code, builds, deployments, and artifacts. One of the great things about Azure DevOps is that it works great for any app and on any platform regardless of frameworks.
In this session, I will provide a hands on workshop guiding you through getting started with Azure Pipelines to build your application. Using continuous integration and deployment processes, you will leave with clear understanding and skills to get your applications up and running quickly in Azure DevOps and see the full benefits that CI/CD can bring to your organization.
You will learn about source control principles and source control systems. You will also learn about Azure repositories, migrating strategies and authentication options.
Azure DevOps for .NET - Fall into the Pit of Success, .NET Conf 2019 (Jeffrey Palermo)
Azure DevOps Services and all of the automation involved for a complete DevOps environment can be daunting. In this talk, Jeffrey Palermo provides prescriptive guidance for developers to fall into the "pit of success" when creating automated DevOps pipelines for complex .NET apps targeting Azure.
Microsoft recently released Azure DevOps, a set of services that help developers and IT ship software faster, and with higher quality. These services cover planning, source code, builds, deployments, and artifacts.
One of the great things about Azure DevOps is that it works great for any app and on any platform regardless of frameworks.
In this session, I will give you a quick overview of what Azure DevOps is and how you can quickly get started and incorporate it into your continuous integration and deployment processes.
Leveraging Azure DevOps across the Enterprise (Andrew Kelleher)
In this presentation we explore how teams across the enterprise can leverage Azure DevOps by diving into its different capabilities and services, specifically in the context of Azure platform teams that apply agile and DevOps practices when deploying and supporting services within Azure.
A session on how to use Azure DevOps best practices for developing and publishing applications and infrastructure to Azure, whether you use PaaS, FaaS or IaaS.
Automated Release Pipelines with Azure DevOps (ProjectCon)
PROJECTCON | AGILECON Midwest 2019 in Indianapolis on May 10, 2019
Presenter: Benjamin Day
Automated Release Pipelines with Azure DevOps
What's DevOps and how do you make it work using Microsoft’s Azure DevOps service? At its core, DevOps is about automating every last thing that you can possibly automate between development and production. Basically, automate away all the annoying & tedious stuff that distracts you from being able to quickly and easily deliver done, working software.
This session will be a mix of the practical (75%) and the theoretical (25%). We'll start by talking about the DevOps mindset and why you should even care about DevOps. From there, we'll dive in to the skills and practices you'll need in order to implement an automated, multi-environment DevOps pipeline using Azure DevOps.
The demo will take an existing ASP.NET Core application with automated tests, commit it to Git, create automated builds, and build an automated release pipeline that takes the application from development to test to production.
Event Website: https://projectconevent.com
Presentation Slides: https://slideshare.com/projectcon
Post Event Trailer: https://youtu.be/1_RzFBnZ7bo
This is an overview of Azure Artifacts and how you can add a fully integrated package management to your continuous integration/continuous delivery (CI/CD) pipelines with a single click. Azure Artifacts allows you to share your code effortlessly by creating and sharing Maven, npm, and NuGet package feeds from public and private sources.
Azure DevOps provides a set of cloud DevOps services that allow enterprises to deliver business outcomes, from an idea to production-level code. Azure DevOps works for any language, any cloud, and any platform.
Ever heard "We can't do DevOps because of [insert excuse here]"?
This session will expose that lie with a trip back to the 1980's, complete with 8-bit assembly code, a Commodore 64 and bulletin boards. We will walk through an automated delivery pipeline using Azure and Azure DevOps to develop, build, approve and release native C64 code to a real C64.
Along the way we’ll look at how to build your own Azure DevOps Extensions and leverage Azure services to help bridge a variety of technical barriers.
Experience/relive the glory and horror of 80’s technology and learn to push DevOps even further. Inconceivable!
DevOps core principles
CI/CD basics
CI/CD with an ASP.NET Core Web API and an Angular app
IaC: why and what?
Demo using Azure and Azure DevOps
Docker: why and what?
Demo using Azure and Azure DevOps
Kubernetes: why and what?
Demo using Azure and Azure DevOps
Azure DevOps Tutorial | Developing CI/CD Pipelines On Azure | Edureka (Edureka!)
This Edureka "Azure DevOps" PPT will give you a thorough and insightful overview of the Microsoft Azure and DevOps approach and help you create a CI/CD pipeline using Microsoft Azure.
Following are the offerings of this PPT:
1. What Is DevOps?
2. What Is Azure DevOps?
3. Components Of Azure DevOps
4. Demo – Azure DevOps
Tearing Down Silos and Building Your Enterprise Dev/Ops Engine (Rackspace)
Missed the latest installment of the Enterprise Cloud Forum? Not to worry: here is a copy of the slides. Rackspace Sr. IT Strategist Brian Jawalka and Rackspace VP of Software Application Development Krishna Prasad, with guest host Mark Majewski, Cloud Solution Architect, discussed how enterprises need to approach Dev/Ops to ensure cloud adoption success.
Cloud orchestration stacks are an important component in completing the move to a private cloud. In this rapid fire session, speakers representing key cloud orchestration stacks will have 10 minutes each to present their responses to key questions about the functions, features and capabilities of each cloud stack. Questions include: services and capabilities offered; languages, operating systems, APIs and image formats supported; virtualization stacks supported; management tools; portability; hardware, capacity, performance and availability constraints, pricing and more. Presentations will be followed by an open Q and A discussion.
This presentation covers the OpenStack cloud stack.
Build Your Custom Performance Testing Framework (TechWell)
Performance testing requires knowledge of systems architecture, techniques to simulate the load equivalent of sometimes millions of transactions per day, and tools to monitor/report runtime statistics. With the evolution from desktop to web and now the cloud, performance testing involves an unparalleled combination of different workloads and technologies. There is no one tool available—either commercial or open source—that meets all performance testing needs. Some tools act as load generators; others only monitor system resources; and many only operate for specific applications or environments. Prashant Suri shares the essential components you need for a comprehensive performance test framework and explores why each component is required for a holistic test. Learn how to develop your custom framework―starting with parsing test scripts in a predefined format, iterating over test data, employing distributed load generators, and integrating test monitors into the framework. Discover how building your own framework gives you flexibility to challenge multiple performance problems—and save thousands of dollars along the way.
Traditional application security cannot keep pace with the rate of change in application development; that model is dead. Move beyond the five stages of grief and get your agile security on. This talk covers practices that helped the product security team at Rackspace keep up with the rate of change facing modern-day application security teams.
Learning to Scale Openstack: A Case Study in Rackspace's Open Cloud Deployment was presented at OpenStack Design Summit in Portland, OR on April 17, 2013. Watch the recording of the presentation on youtube at the following link: http://www.youtube.com/watch?v=3x8X6f5mnzc
Operating OpenStack - Case Study in the Rackspace Cloud (Rainya Mosher)
Presentation given in Seoul, South Korea at the Cloud and Data Center Conference in March 2014. It introduces the concept of the Rackspace Hybrid Cloud Experience and the product platforms being used to make that happen, and then focuses on the operation and deployment of the Public Cloud.
Similar to DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
Tenants for Going at DevSecOps Speed - LASCON 2023 (Matt Tesauro)
You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tool outputs for all your different apps let alone shrink the pile of work already on your plate? In this talk, we’ll discuss the key decision points and requirements to set up a program that moves as fast as it needs to without your team burning out. Learn how to keep moving forward while keeping your sanity.
After learning to be nimble from dealing with teams that are doing 75 production deployments per week, the surviving ideas have been distilled into a collection of tenets. We'll cover: How to handle CI/CD tests versus traditional security assessments? How to best manage SLAs? How to keep data for auditors and regulatory requirements while also doing continuous testing? Understanding health checks versus continuous testing versus manual testing. How to deal with false positives, risk acceptances and the lifecycle of a security issue? By using these tenets, security assessments at one company grew from 44 to 414 in 2 years, or 9.4 times, all while losing some headcount. Time to turn chaos into calm and distress into success.
Hacking and Defending APIs - Red and Blue make Purple (Matt Tesauro)
From LASCON 2022:
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
Practical DevSecOps: Fundamentals of Successful Programs (Matt Tesauro)
From ONUG Fall 2022:
"Shift Left" and automation have turned from ideals into meaningless buzzwords. Instead of riding the hype train, let's get real and cover practical, real-world examples taken from actual product security successes. Not every business is the same, and neither will their DevSecOps programs be.
In this talk, I'll cover the fundamentals common to successful DevSecOps programs as well as a grab bag of useful techniques to consider. These are lessons learned doing AppSec at a wide variety of companies including Rackspace, Pearson, a Fortune 500 financial company, Duo Security and Cognizant Healthcare. Bruce Lee said "Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own". The goal of this talk is to provide you with enough examples to build your own pragmatic and practical DevSecOps program, or maybe absorb a new technique or two into your existing program.
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities (Matt Tesauro)
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
APIs seem simple. It's just one program talking to another program over a network. However, behind that seeming simplicity lies a complex landscape full of landmines, foot guns and sharp edges. How do you navigate the API terrain without exposing yourself to attack? This talk will cover the API landscape and point out where 'there be dragons'. If you don't have a large number of APIs, you will soon enough, so do yourself a favor and follow the map provided in this talk.
Peeling the Onion: Making Sense of the Layers of API Security (Matt Tesauro)
APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using Kubernetes has APIs. There's a good foundation of AppSec knowledge out there, thanks in part to OWASP, but API Security isn't exactly the same as AppSec. Additional complexity is part of the landscape, with multiple competing API technologies like REST, gRPC and GraphQL plus stakeholders spread across multiple parts of the business. How do you make sense of the API Security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API Security landscape and reach a state of solid API Security.
The Final Frontier, Automating Dynamic Security Testing (Matt Tesauro)
This is not your normal DevSecOps presentation. We're going to take on the most difficult aspect of security automation: the dreaded and pitfall-prone dynamic testing. You want to shift left and automate all the things, but DAST specifically has many thorns. How do you ensure what you're testing matches production? Do devs own the environment? On metal, Docker, Kubernetes, or docker-compose? Test coverage? Balancing all these elements and more is not easy, especially if you want to create a single, scalable standard for your entire org. In this talk, we'll cover what is needed to start automating your dynamic security testing, how to navigate the trade-offs you'll have to consider, and finally how best to fit automated DAST testing into your software delivery pipelines. We'll discuss simple and easy steps to gain efficiency and how to scale to mature pipelines that require little to no human intervention.
Intro to DefectDojo at OWASP Switzerland (Matt Tesauro)
You're tasked with 'doing AppSec' for your company and you've got more apps and issues than you know how to deal with. How do you make sense of the different tools' outputs for all your different apps? DefectDojo can be your one source of truth and become the heart of your AppSec automation program.
DefectDojo grew out of a Product Security program 8 years ago and was created by AppSec people for AppSec people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers including its REST-based API. DefectDojo can be your one source of truth for discovered security vulnerabilities, report generation, aggregation of over 80 different security tools, inventory of applications, tracking testing efforts and metrics on the AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.
Taking the Best of Agile, DevOps and CI/CD into Security (Matt Tesauro)
Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls.
My talk from Secure Coding Virtual Summit (2021-03-24)
DevSecOps Fundamentals and the Scars to Prove It (Matt Tesauro)
This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered, including increasing team throughput and engaging and supporting external teams. The idea is to give the audience a leg up on starting a DevSecOps program and allow them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of DevSecOps quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a DevSecOps journey.
Continuous Security: Using Automation to Expand Security's Reach (Matt Tesauro)
Any optimization outside the critical constraint is an illusion. In DevSecOps, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and real-world experiences of creating DevSecOps pipelines augmented with automation in multiple enterprises. Getting started can feel overwhelming, but this talk covers the fundamental building blocks of adding automation to a DevSecOps program, including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of them for their program. By taking an example and customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.
OWASP DefectDojo - Open Source Security Sanity (Matt Tesauro)
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
Serverless is here, so why not use it to make your life better? This talk discusses ways to use serverless to add automation to your application and cybersecurity work.
Originally presented at Global AppSec DC 2019
Making Continuous Security a Reality with OWASP's AppSec Pipeline (Matt Tesauro)
You've probably heard many talks about DevSecOps and continuous security testing, but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool, which has been used in real-world companies to do real security work. Beyond a stand-alone tool, the OWASP AppSec Pipeline provides numerous Docker containers ready to automate, a specification to customize with the ability to create your own implementation, and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team's arsenal and provide example templates of how best to run the automated tools provided. Finally, we'll briefly cover using OWASP DefectDojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather than hearing about it, this talk is for you.
Building a Secure DevOps Pipeline - for your AppSec Program (Matt Tesauro)
What an AppSec Pipeline is, why it's going to change AppSec, how to take good ideas from DevOps and Agile into AppSec Programs and various stages of maturity for AppSec Pipelines. All done with the hope that others will start on their AppSec Pipeline journey.
AppSec Pipelines and Event based Security (Matt Tesauro)
Presented at AppSec California 2017, this is a continuation of earlier talks about AppSec Pipelines and demonstrates 1st and 2nd Gen Pipelines, how OWASP is creating a pipeline for its projects and how several companies have benefited from combining DevOps, Agile, CI/CD and Security into an AppSec Pipeline to move beyond traditional AppSec testing.
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program (Matt Tesauro)
Presented at AppSec USA 2016. Is software development outpacing your ability to secure your company's portfolio of apps? You don't have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn't already have more than enough to do. This talk will cover the lessons learned from forward-thinking software development and show you how they have been applied across several businesses. This isn't a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.
Taking AppSec to 11 - BSides Austin 2016 (Matt Tesauro)
Curious how DevOps, Agile and CI/CD ideas can speed up your AppSec program? Here's how it can be done, with an example where it led to a 5x speed/flow improvement.
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better (Matt Tesauro)
Slide deck from AppSec California 2016 + some additional slides.
Abstract:
How many applications are in your company's portfolio? What's the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.
The talk covers real-world experiences running AppSec groups at two different companies: Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline, as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt which feels inevitable with more traditional AppSec program thinking.
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
2. WHO AM I?
Matt Tesauro – Cloud Application Security Guy + OWASP
Racker since October 2011
Rackspace’s Cloud Product Group
Work with developers and QE
matt.tesauro@rackspace.com
OWASP International Foundation Board Member and Treasurer
Project Leader of OWASP Live CD & OWASP WTE projects
matt.tesauro@owasp.org
RACKSPACE® HOSTING | WWW.RACKSPACE.COM
3. RACKSPACE® HOSTING
The Service Leader in Cloud Computing
4,000+ RACKERS
WE SERVE 172,000+ CUSTOMERS
40% OF THE FORTUNE® 100
120+ COUNTRIES
9 GLOBAL DATA CENTERS
LEADER IN GARTNER'S MAGIC QUADRANT FOR MANAGED HOSTING 2008, 2010, 2011 & 2012
4. OUR VISION
To be recognized as one of the World’s greatest service companies.
6. THE FUTURE: FANATICAL SUPPORT ANYWHERE
Rackspace Provides The Fanatical Support
[Diagram: Dedicated, Public Cloud and Private Cloud at Rackspace locations; Private Cloud at the customer site; Public Cloud at a provider DC]
• One Control Panel across OpenStack connected clouds
• One Fanatical Support Team
• Our Cloud, Your Cloud, Partner Hosted OpenStack Cloud
• Global Reach
7. SECURING APPS IN A DevOps WORLD
8. A quick Overview of DevOps
• The combination of traditional development activities with operations and testing (QA/QE)
• Collaboration, communication and integration is key
• Agile development model (sprints, scrum, …)
• Release coordination and automation
"DevOps" is an emerging set of principles, methods and practices for communication, collaboration and integration between software development (application/software engineering) and IT operations (systems administration/infrastructure) professionals.
9. CI, CD, CD, TDD and API
CI == Continuous Integration
CD == Continuous Deployment
CD == Continuous Delivery
TDD == Test Driven Development
API == Application Programming Interface
10. THE PROBLEM
• Cycle time for software is getting shorter
• Continuous delivery is a goal
• Scanning windows are not viable
• First mover / first to market advantage
11. THE PROBLEM – or at least more
• Traditional software development left little time to test
• DevOps, Agile and Continuous Delivery squeeze those windows even more
• New languages and programming methods aren’t making this better
  - Growth of interpreted languages with loose typing hurts static analysis efforts
  - Few automated tools to test APIs, especially RESTful APIs
• Little time for any testing; manual testing is doomed
13. Think like a developer
Sprints break software into little pieces…
• Break your testing into little pieces
• Use your threat model to know the crucial bits to test
Long and short running tests
• Testing time drives testing frequency
• Code for tests needs to be optimized
Smoke test versus full regression test
• Smoke test early and often
• Full regression tests on regular intervals
14. Maximize what you’ve got
Make the most of your frameworks
• Embrace, understand and fill gaps where necessary
Make the best use of your time…
• Make tests easily repeatable
• Make tests easy to understand
• Make tests abstract and combinable
• À la carte tests for mixing and matching
• Think about the Unix pipe | and its power
15. Test Driven Development Security
Under the constraints of DevOps, Continuous Deployment
Your testing has to be nimble
Dare I say…Agile
In TDD, you know your code works when the tests pass
In TD(S), you know your app has met the baseline when the tests pass
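The three slides above (little testable pieces, repeatable and combinable checks, smoke versus full regression, and "the baseline is met when the tests pass") can be shown in a few dozen lines. The harness below is an added example, not code from the talk or from Rackspace; the checks, tier names and the two sample deployment descriptions are constructed for illustration.

```python
"""Added example (not from the talk, not Rackspace code): a tiny Test Driven
Security harness.  Each check is a small, composable function over a
deployment description; checks are tiered 'smoke' (fast, every build) or
'full' (regression, on a schedule).  The baseline is met when every selected
check passes.  The deployment dicts are constructed sample input."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Deployment = Dict[str, object]


@dataclass(frozen=True)
class Check:
    name: str
    tier: str                          # "smoke" or "full"
    run: Callable[[Deployment], bool]  # True means the check passed


# Individual checks: each one small, repeatable and understandable on its own.
def no_debug(d: Deployment) -> bool:
    return not d.get("debug", False)

def tls_only(d: Deployment) -> bool:
    return d.get("scheme") == "https"

def safe_methods(d: Deployment) -> bool:
    return set(d.get("allowed_methods", [])) <= {"GET", "HEAD", "POST", "OPTIONS"}

def no_directory_listing(d: Deployment) -> bool:
    return not d.get("directory_indexing", False)

def banner_hidden(d: Deployment) -> bool:
    # A "/" in the Server header means a version string is being leaked.
    return "/" not in str(d.get("server_header", ""))

def hsts_set(d: Deployment) -> bool:
    return "strict-transport-security" in {h.lower() for h in d.get("headers", {})}


CHECKS: List[Check] = [
    Check("no_debug", "smoke", no_debug),
    Check("tls_only", "smoke", tls_only),
    Check("safe_methods", "smoke", safe_methods),
    Check("no_directory_listing", "full", no_directory_listing),
    Check("banner_hidden", "full", banner_hidden),
    Check("hsts_set", "full", hsts_set),
]


def select(tier: str) -> List[Check]:
    """'smoke' runs only the fast checks; 'full' is the complete regression set."""
    if tier == "smoke":
        return [c for c in CHECKS if c.tier == "smoke"]
    return list(CHECKS)


def run_suite(deployment: Deployment, tier: str = "smoke") -> Tuple[bool, List[str]]:
    """Returns (baseline_met, names_of_failed_checks)."""
    failed = [c.name for c in select(tier) if not c.run(deployment)]
    return (not failed, failed)


def run_named(deployment: Deployment, names: List[str]) -> List[Tuple[str, bool]]:
    """A la carte: run just the named checks, in the order given."""
    by_name = {c.name: c for c in CHECKS}
    return [(n, by_name[n].run(deployment)) for n in names]


# Constructed sample deployments (not real hosts).
SAMPLE_OK: Deployment = {
    "debug": False, "scheme": "https",
    "allowed_methods": ["GET", "HEAD", "POST"],
    "directory_indexing": False, "server_header": "Apache",
    "headers": {"Strict-Transport-Security": "max-age=31536000"},
}
SAMPLE_LEAKY: Deployment = {
    "debug": False, "scheme": "https",
    "allowed_methods": ["GET", "HEAD", "POST", "OPTIONS"],
    "directory_indexing": True, "server_header": "Apache/2.2.12 (Ubuntu)",
    "headers": {},
}

if __name__ == "__main__":
    print("smoke:", run_suite(SAMPLE_LEAKY, "smoke"))   # passes the quick gate
    print("full: ", run_suite(SAMPLE_LEAKY, "full"))    # regression catches the rest
```

The point of the two tiers is the one the slides make: the smoke set is cheap enough to run on every commit, while the full set, which needs the slower checks, runs on a schedule; a deployment that clears the smoke gate can still fail regression, which is why both are needed.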
16. A snail on fire!
17. AUTOMATING
• Declarative configuration language
• Plain-text configuration in source control
• Fully programmatic, no manual interactions
18. CHEF
Server / Hosted / Private
Deployment options: 1. Solo, 2. Server, 3. Hosted, 4. Private Hosted
[Diagram: a Racker driving Chef against groups of nodes under each option]
19. COOKBOOKS
• Most major software packages have cookbooks
• You will have to write your own / customize
• Good place to spend security cycles
  - Merge patches upstream for extra points.
20. GROUPING & TAGGING
[Diagram: nodes tagged Web (Apache), DB (MySql) and Cache (Memcache), plus Monitoring]
• Tagging your servers applies the required set of recipes
• A base set of recipes is common
• Each server will have multiple tags set at bootstrap time
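Slides 19 and 20 describe tags applied at bootstrap pulling in a base set of recipes plus tag-specific ones, and cookbooks as the place to spend security cycles. The script below is an added example of that model and is not Chef's API or Rackspace's cookbooks; the tag, recipe and node names are constructed placeholders. It resolves a node's run list from its tags and then audits a fleet for nodes whose customisation dropped a required hardening recipe, which is the check a security reviewer wants before a node is considered built to spec.

```python
"""Added example (not from the talk, not Chef's own API): derive a node's recipe
run list from the tags set at bootstrap, then audit a fleet for nodes whose
customisation dropped a required hardening recipe.  Tag, recipe and node names
are constructed placeholders."""
from typing import Dict, List, Set

# Recipes every node gets before any tag-specific ones.
BASE_RECIPES: List[str] = ["base::users", "base::ssh_hardening", "base::ntp"]

# Recipes a tag pulls in (order matters: dependencies first).
TAG_RECIPES: Dict[str, List[str]] = {
    "web": ["apache::default", "apache::hardening"],
    "db": ["mysql::server", "mysql::hardening"],
    "cache": ["memcached::default"],
    "monitoring": ["monitoring::agent"],
}

# The security bare minimum: required everywhere, plus per-tag requirements.
REQUIRED_EVERYWHERE: Set[str] = {"base::ssh_hardening"}
TAG_REQUIREMENTS: Dict[str, Set[str]] = {
    "web": {"apache::hardening"},
    "db": {"mysql::hardening"},
}


def resolve_run_list(node: dict) -> List[str]:
    """Base recipes, then each tag's recipes in tag order, then per-node extras,
    minus per-node exclusions; duplicates keep their first position."""
    wanted = list(BASE_RECIPES)
    for tag in node.get("tags", []):
        wanted += TAG_RECIPES.get(tag, [])
    wanted += node.get("extra", [])
    excluded = set(node.get("exclude", []))
    run_list: List[str] = []
    for recipe in wanted:
        if recipe not in excluded and recipe not in run_list:
            run_list.append(recipe)
    return run_list


def unknown_tags(node: dict) -> List[str]:
    """Tags with no recipes behind them are usually typos at bootstrap."""
    return sorted(t for t in node.get("tags", []) if t not in TAG_RECIPES)


def missing_required(node: dict) -> List[str]:
    """Required recipes absent from the node's resolved run list (empty == compliant)."""
    required = set(REQUIRED_EVERYWHERE)
    for tag in node.get("tags", []):
        required |= TAG_REQUIREMENTS.get(tag, set())
    return sorted(required - set(resolve_run_list(node)))


def audit_fleet(nodes: List[dict]) -> Dict[str, List[str]]:
    """Map node name -> missing required recipes, for non-compliant nodes only."""
    report: Dict[str, List[str]] = {}
    for node in nodes:
        missing = missing_required(node)
        if missing:
            report[node["name"]] = missing
    return report


# Constructed fleet: two nodes have opted out of a hardening recipe.
FLEET = [
    {"name": "web01", "tags": ["web", "monitoring"]},
    {"name": "db01", "tags": ["db", "monitoring"], "exclude": ["mysql::hardening"]},
    {"name": "cache01", "tags": ["cache"], "exclude": ["base::ssh_hardening"]},
]

if __name__ == "__main__":
    for node in FLEET:
        print(node["name"], resolve_run_list(node))
    print("non-compliant:", audit_fleet(FLEET))
```

Because the tag-to-recipe mapping and the requirements both live in plain text alongside the cookbooks, the audit can run in the same pipeline as the provisioning, and a node that drops a hardening recipe fails the build rather than silently drifting.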
21. LIMITATIONS
[Diagram: Cloud Load Balancer in front of four Web nodes, with Memcached, Database as a Service and Cloud Files CDN]
• Focus on single machines
• A multi-box configuration is based on copying existing configurations
• No support for implicit application or environment configuration
• Applications include more than just servers
• Images have security issues
22. CHECKMATE
A system to build generic application configurations
Architect: • Templates • Questions
Contractor: • Decomposition • Orchestration
Inspector: • Verification • Due Diligence
23. ARCHITECTURE
• Components communicate through a common queue
• Each provisioning component is independent
[Diagram: Checkmate Web → Message Queue → Architect, Contractor, Inspector; Contractor → Message Queue → provisioning components: Compute, Caching, Storage, Load Balancer, Hadoop, Database]
36. CONTRACTOR
• Takes Architect’s plan and builds it
• Task Decomposition
  - Uses standard workflow patterns
• Orchestration / Ordering
• Status Reporting
• Farms out tasks to sub-contractors
Our current implementation uses an open source Python workflow engine, SpiffWorkflow.
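The Contractor's three jobs on this slide (decompose the plan, order the tasks, report status) reduce to a dependency graph walk. The script below is an added example and is not Checkmate's or SpiffWorkflow's code; the plan (database, cache, two web nodes, a load balancer and a final inspection step) and the fake provisioner are constructed. It groups tasks into stages that can be farmed out in parallel, refuses cyclic plans, and skips everything downstream of a failed task so that verification never runs against a half-built stack.

```python
"""Added example (not Checkmate's or SpiffWorkflow's code): decompose an
application plan into provisioning tasks, order them so each runs only after
its dependencies, and report status as the build proceeds.  The plan and the
fake provisioner are constructed."""
from typing import Callable, Dict, List

# Constructed plan: component -> components it depends on.
PLAN: Dict[str, List[str]] = {
    "database": [],
    "cache": [],
    "web1": ["database", "cache"],
    "web2": ["database", "cache"],
    "loadbalancer": ["web1", "web2"],
    "inspector": ["loadbalancer"],   # verification runs once the stack is up
}


def stages(plan: Dict[str, List[str]]) -> List[List[str]]:
    """Kahn's algorithm: each stage holds tasks whose dependencies are all done,
    so tasks within a stage can be farmed out in parallel.
    KeyError for a dependency on an unknown component, ValueError on a cycle."""
    for comp, deps in plan.items():
        for dep in deps:
            if dep not in plan:
                raise KeyError(f"{comp} depends on unknown component {dep}")
    remaining = {comp: set(deps) for comp, deps in plan.items()}
    done: set = set()
    result: List[List[str]] = []
    while remaining:
        ready = sorted(c for c, deps in remaining.items() if deps <= done)
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        result.append(ready)
        done.update(ready)
        for comp in ready:
            del remaining[comp]
    return result


def has_cycle(plan: Dict[str, List[str]]) -> bool:
    try:
        stages(plan)
        return False
    except ValueError:
        return True


def execute(plan: Dict[str, List[str]], provision: Callable[[str], bool]) -> Dict[str, str]:
    """Run the plan stage by stage.  provision(name) returns True on success.
    Returns task -> 'ok' | 'failed' | 'skipped'; anything downstream of a
    failure is skipped rather than built on a broken foundation."""
    status: Dict[str, str] = {}
    for stage in stages(plan):
        for task in stage:
            if any(status.get(dep) != "ok" for dep in plan[task]):
                status[task] = "skipped"
            elif provision(task):
                status[task] = "ok"
            else:
                status[task] = "failed"
    return status


if __name__ == "__main__":
    print(stages(PLAN))
    # Simulate web2 failing to build: the load balancer and the inspection are skipped.
    print(execute(PLAN, lambda task: task != "web2"))
```

In a real engine the provisioner would be a call to the compute or load balancer provider over the message queue from slide 23, and the status dictionary would be what the web front end reports back; the ordering logic is the same.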
37. INSPECTOR
• Takes Architect’s plan & contractor’s output
• Focuses on checking for code compliance
  - Not perfection, bare minimums
• Can include multiple facets
  - Security
  - Scalability
  - Compliance
Our current implementation includes WP Scan for WordPress and the Nikto vulnerability scanner.
38. INSPECTOR
+ Server: Apache/2.2.12 (Ubuntu)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.12 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ ETag header found on server, inode: 12534048, size: 317, mtime: 0x4b9436dbea280
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 0 error(s) and 5 item(s) reported
39. INSPECTOR
[!] The WordPress "http://---.com/readme.html" file exists.
[!] WordPress version 3.1 identified from meta generator.
[+] Enumerating installed plugins...Checking for 2394 total plugins
[+] We found 2 plugins:
Name: disqus-comment-system Location:
Name: wordpress-popular-posts Location:
[+] There were 1 vulnerabilities identified from the plugin names:
[!] ["WordPress Plugin Disqus Comment System <= 2.68 Reflected Cross-Site Scripting (XSS)"]*
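For the Inspector to gate a deployment on "bare minimums", the raw Nikto and WPScan output on the two slides above has to become findings that a policy can judge. The script below is an added example, not Checkmate's code: it parses the two line formats as shown on the slides (the sample text is constructed from them, with the Nikto "also current" tail and the plugin listing trimmed) and applies an assumed policy that blocks on an outdated server, a vulnerable plugin, directory indexing, or HTTP methods outside an allowed set.

```python
"""Added example (not Checkmate's code): parse the two scanner outputs shown
on the slides into findings and apply a bare-minimum policy, which is what an
Inspector-style verification step needs.  The sample output below is
constructed from the slides; the policy thresholds are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

NIKTO_SAMPLE = """\
+ Server: Apache/2.2.12 (Ubuntu)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.12 appears to be outdated (current is at least Apache/2.2.17).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 0 error(s) and 5 item(s) reported
"""

WPSCAN_SAMPLE = """\
[!] The WordPress "http://---.com/readme.html" file exists.
[!] WordPress version 3.1 identified from meta generator.
[+] We found 2 plugins:
[!] ["WordPress Plugin Disqus Comment System <= 2.68 Reflected Cross-Site Scripting (XSS)"]
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    category: str
    detail: str


def parse_nikto(text: str) -> List[Finding]:
    """Nikto prefixes every result with '+ '; classify the ones the policy cares about."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.startswith("+ "):
            continue
        body = line[2:].strip()
        if body.startswith("Server:"):
            findings.append(Finding("nikto", "banner", body.split(":", 1)[1].strip()))
        elif "appears to be outdated" in body:
            findings.append(Finding("nikto", "outdated", body))
        elif body.startswith("Allowed HTTP Methods:"):
            methods = [m.strip() for m in body.split(":", 1)[1].split(",")]
            findings.append(Finding("nikto", "methods", ",".join(methods)))
        elif body.startswith("OSVDB-"):
            findings.append(Finding("nikto", "osvdb", body))
        # "No CGI Directories" and the "items checked" summary carry no finding
    return findings


def parse_wpscan(text: str) -> List[Finding]:
    """WPScan marks noteworthy lines with '[!]'; '[+]' lines are informational."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.startswith("[!]"):
            continue
        body = line[3:].strip()
        if "version" in body and "identified" in body:
            findings.append(Finding("wpscan", "version", body))
        elif "Plugin" in body:
            findings.append(Finding("wpscan", "plugin_vuln", body))
        else:
            findings.append(Finding("wpscan", "exposure", body))
    return findings


# Assumed policy: bare minimums, not perfection.
BLOCKING_CATEGORIES = {"outdated", "plugin_vuln"}
SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def evaluate(findings: List[Finding]) -> Tuple[bool, List[str]]:
    """Returns (passed, reasons).  Anything in reasons blocks the deployment."""
    reasons: List[str] = []
    for f in findings:
        if f.category in BLOCKING_CATEGORIES:
            reasons.append(f"{f.tool}: {f.detail}")
        elif f.category == "osvdb" and "Directory indexing" in f.detail:
            reasons.append(f"{f.tool}: {f.detail}")
        elif f.category == "methods":
            extra = set(f.detail.split(",")) - SAFE_METHODS
            if extra:
                reasons.append(f"{f.tool}: unexpected HTTP methods {sorted(extra)}")
    return (not reasons, reasons)


def inspect_outputs(nikto_text: str, wpscan_text: str) -> Tuple[bool, List[str]]:
    return evaluate(parse_nikto(nikto_text) + parse_wpscan(wpscan_text))


if __name__ == "__main__":
    passed, reasons = inspect_outputs(NIKTO_SAMPLE, WPSCAN_SAMPLE)
    print("baseline met" if passed else "blocked:")
    for reason in reasons:
        print(" -", reason)
```

Run against the slide output, the deployment is blocked for three reasons (outdated Apache, directory indexing on /icons/, a plugin with a known vulnerability) while the readme exposure and the version disclosure are recorded but not blocking; that split is exactly the policy decision the "bare minimums" bullet leaves to the team.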
41. So I was talking with a friend…
He was bemoaning the pace of change and the speed at which software was being pushed to production…
In essence, management has made the decision that getting their app out the door with possible bugs is more valuable to the business than having strong assurance that the software has few or no significant bugs.
You’ve got to up your game, get automated, agile and get on pace with your developers.
Rackspace Hosting

Our clients include more than 40% of the Fortune® 100. Today we have more than 150,000 customers in 120 countries. One of the achievements that we are most proud of is that Rackspace Hosting has been recognized by Fortune as one of the 100 best places to work not only in the United States, but in EMEA as well. People really like working here. What that means to customers is that we have a growing, stable workforce that is carefully selected not only for technical skills but also for how much each employee enjoys delivering exceptional service, and how well they match our culture and core values.

OUR CULTURE AND THE EXCEPTIONAL SERVICE THAT WE BRAND AS FANATICAL SUPPORT MAKE THE DIFFERENCE BETWEEN GROWING AT, SAY, 5% A YEAR AND GROWING AT THE MUCH FASTER RATE THAT OUR COMPANY HAS EXPERIENCED IN THE LAST FEW YEARS

For the quarter ended June 30, 2011:
- Net revenue of $247.2 million grew 32% year-over-year and 7.5% from Q1 2011
- Adjusted EBITDA (1) of $81.6 million grew 31% year-over-year and 7.5% from Q1 2011
- Net income of $17.6 million grew 57% year-over-year and 27% from Q1 2011
- Total server count increased to 74,028, up from 70,473 servers at the end of the previous quarter, and total customers increased to 152,578, up from 142,441 at the end of the previous quarter.

Adjusted EBITDA for the quarter was $81.6 million, a 7.5% increase compared to the first quarter of 2011 and a 31% increase compared to the second quarter of 2010. The adjusted EBITDA margin for the quarter was 33.0% compared to 33.0% for the previous quarter and 33.2% for the second quarter of 2010. Adjusted EBITDA and adjusted EBITDA margin were negatively impacted by a non-cash charge of $2.8 million for the quarter relating to data center operating leases. Net income was $17.6 million for the quarter, up 27.1% from the previous quarter and 56.8% from the second quarter of 2010. Net income margin for the quarter was 7.1% compared to 6.0% for the previous quarter and 6.0% in the second quarter of 2010.

Cash flow from operating activities was $79 million for the second quarter of 2011. Capital expenditures were $95 million, including $49 million for purchases of customer gear, $17 million for data center build outs, $14 million for office build outs and $15 million for capitalized software and other projects. Adjusted free cash flow (1) for the quarter was $(18) million. At the end of the second quarter of 2011, cash and cash equivalents were $132 million. Debt obligations totaled $139 million, consisting of $137 million related to capital leases and $2 million related to current and non-current debt. On a worldwide basis, Rackspace employed 3,712 Rackers as of June 30, 2011, up from 3,492 Rackers as of March 31, 2011 and 3,002 Rackers as of June 30, 2010.

Rackspace Developments and Business Highlights

Growing Momentum for OpenStack: With over 90 participating companies, the project continues to see major traction including its most recent code release, Cactus Code, accompanied by the Cactus Design Summit/OpenStack Conference in Santa Clara, CA, with over 500 attendees, 133 participating organizations and 217 developers. This event was followed by the announcement of Citrix’s Project Olympus, a new cloud infrastructure product based on OpenStack, which is designed to allow enterprises to quickly build and deploy OpenStack based clouds. Last month, we also began to see major traction of OpenStack in Europe. We held an OpenStack Day in London, the first for our community in Europe, and had over 350 people in attendance.

Domino’s Pizza Group chooses Rackspace: To help drive revenue and future growth, pizza delivery expert Domino’s Pizza Group has selected Rackspace to provide them with RackConnect, an integrated cloud hosting and dedicated managed hosting service. The service will give Domino’s a scalable and cost-effective platform that will support the execution of the company’s ambitious growth strategy and meet the evolving demands of its online business. Domino’s sought a hosting service that would meet the evolving demands of its online business, and allow its internal IT team to focus less on the maintenance of its online properties and business applications, and more on innovation.

Launch of Hosted Virtual Desktop: In May, Rackspace announced the availability of Rackspace Hosted Virtual Desktop. The hosted virtual desktop platform utilizes Rackspace’s comprehensive hosting services and may be paired with industry leading desktop virtualization solutions from Citrix and other joint channel partners. The offering enables customers to host their virtual desktops on their choice of dedicated and/or cloud solutions.

Continued European Cloud Growth: Since its launch in January, Rackspace’s UK cloud has been steadily growing and now has over 5,000 customers. To help meet this demand, the UK added new cloud services including Cloud Servers with managed service level and Cloud Load Balancers. The new UK offerings build upon Rackspace’s existing portfolio and are already

Some other interesting facts:
- 85% Increase in Cloud Revenue
- 46% Increase in Fortune 100 Customers
- 20% Increase in Number of Servers
- 400% Increase in Number of Hybrid Customer Solutions
- 24% Increase in Number of Rackers
- 28.6% Increase in Y/Y Revenue
- .0008% Average Customer Churn
- 3X Server Utilization of Average Enterprise IT Organization
- Largest Customer Equals Less Than 1% Revenue
Vision

Everyone at Rackspace can tell you our vision, a vision that we all support: to become the world’s greatest service company. Our senior leadership is passionate about this. We refuse to accept mediocre. Once you accept less than great, you become “a phone company.” And, when was the last time you got great service from your mobile carrier or home phone company?
PAUSE
BUT, YOU CANNOT JUST HAVE A VISION TOO…

One Control Panel Future:
- Next generation tools to make our customers’ lives easier.
- Next generation tools for Rackers to deliver Fanatical Support
- Unification and integrated products where it makes sense
- Design driven, looks and works great for all users
- Cornerstone for all customer interaction
- Compelling technology