DevSecOps: A New Hope for Security in CI/CD
•
4 likes•697 views
Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high profile data breaches occur they help to awaken interest in how to integrate security into this practice without inhibiting the DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps! DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss: * What is DevSecOps * Changing the security mindset * The Do's and Don'ts for success
Report
Share
Report
Share
Download to read offline
Recommended
The New Security Playbook: DevSecOps
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
Maturing DevSecOps: From Easy to High Impact
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
The document discusses building a practical DevSecOps pipeline for free. It promotes using Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools to shift security left and implement security throughout the development, integration and operations phases. IAST can detect vulnerabilities during normal application use while RASP can prevent vulnerabilities from being exploited at runtime. The document advocates establishing a security workflow, ensuring instant security feedback, and building a security culture as part of DevSecOps. It also recommends the free and open source Contrast Community Edition as an IAST and RASP tool that can integrate with development tools and provide security testing without slowing down builds or developers.
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2017
https://www.meetup.com/SoftwareSecurityBangalore/Demystifying DevSecOps
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
DevSecOps : an Introduction
DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
Benefits of DevSecOps
Brief of benefits of DevSecOps
DevSecOps = Security +DevOps
DevSecOps = New culture + new skills + automation
Recommended
The New Security Playbook: DevSecOps
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
Maturing DevSecOps: From Easy to High Impact
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
The document discusses building a practical DevSecOps pipeline for free. It promotes using Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools to shift security left and implement security throughout the development, integration and operations phases. IAST can detect vulnerabilities during normal application use while RASP can prevent vulnerabilities from being exploited at runtime. The document advocates establishing a security workflow, ensuring instant security feedback, and building a security culture as part of DevSecOps. It also recommends the free and open source Contrast Community Edition as an IAST and RASP tool that can integrate with development tools and provide security testing without slowing down builds or developers.
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2017
https://www.meetup.com/SoftwareSecurityBangalore/Demystifying DevSecOps
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
DevSecOps : an Introduction
DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
Benefits of DevSecOps
Brief of benefits of DevSecOps
DevSecOps = Security +DevOps
DevSecOps = New culture + new skills + automation
How to get the best out of DevSecOps - an operations perspective
This document discusses DevSecOps and the impact on operations. It describes how DevSecOps utilizes collaboration, flexibility, and automation through practices like infrastructure as code. This allows operations to focus on critical tasks rather than manual changes. Best practices for securing operations in a DevSecOps model include controlling source code repositories, protecting deployment pipelines, integrating security testing into the pipeline, and using security telemetry in applications and environments. Automated dashboards can measure security metrics.
RSAC DevSecOpsDays 2018 - We are all Equifax
This document discusses software supply chain security and vulnerabilities. It references the Equifax data breach in 2017 that was caused by a vulnerability in the Apache Struts software. The document notes that 80-90% of modern applications and operations consist of assembled components, but not all parts are created equal from a security standpoint. It provides statistics showing that 11.1% of Java components downloaded annually have known vulnerabilities and that 80% of organizations analyzed show poor cyber hygiene. The key takeaway is that businesses are ultimately responsible for the security of their data and systems, so emphasizing security for the entire software supply chain is important.
DevOps or DevSecOps
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.
Zero to Ninety in Securing DevOps
Delivered at DevSecOps Days 2018, RSA Conference
j. Wolfgang Goerlich
About J. Wolfgang Goerlich
About J Wolfgang Goerlich
CBI (Creative Breakthroughs, Inc.)
Cyber Security Strategist
J Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to the junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high speed high secure networks, and IT security officer and manager for a financial services firm. He is an active part of the security community; co-founding the Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.
Getting to Know Security and Devs: Keys to Successful DevSecOps
In the past, security was seen as function of the ‘security’ organization. With DevOps, we aim to break down these silos, and make security a shared responsibility. What do Security and Development teams need know about each other to work together more effectively?
DevSecCon London 2018: Open DevSecOps
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
Adversary Driven Defense in the Real World
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
DevSecOps: Bringing security to the DevOps pipeline
The document discusses DevSecOps, which aims to automate security practices like testing and monitoring into the development lifecycle. It advocates integrating security practices like static code analysis, dependency management, and container scanning into the build process. For testing, it recommends smoke tests and restricting access to test environments. In deployment, it suggests automating atomic container deployments to remove the need for developer access to production. For operations, it outlines security practices like isolating containers, documenting infrastructure, and preventing configuration drift between environments. The goal is to implement security controls through automation and standardization rather than manual reviews.
DevSecOps at Agile 2019
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
DevSecOps 101
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Practical DevSecOps Course - Part 1
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
2019 DevSecOps Reference Architectures
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Introduction to DevSecOps
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
DevSecOps - The big picture
This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses the importance of culture, processes, and technologies for effective communication, automation, and collaboration across Dev, Ops, and Security. The goal is to enable organizations to deliver inherently secure software at DevOps speed through a high-trust environment and automated security pipelines integrated into the software development lifecycle.
Introduction to DevSecOps
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
DevSecOps reference architectures 2018
DevSecOps reference architectures: Sonatype Nexus, Sonatype Nexus Lifecycle, HP Fortify, SonarQube, Jenkins, Twistlock, JIRA, Contrast, aqua, OWASP Zap, Find Bugs, Gaunltl, OWASP Depedency check, NESSUS, ThreadFix
DevOps 2018
The State of DevSecOps
The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.
DevSecOps
This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.
DevSecOps The Evolution of DevOps
*** DevSecOps: The Evolution of DevOps ***
Have you ever asked yourself the following questions:
What does DevSecOps means?
How is this different from DevOps?
What can we learn from the DevOps movement?
Presentation by James Betteley who shares his experience of shaping DevOps and what he foresees will happen with DevSecOps.
Top Application Security Trends of 2012
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers. Application Security has become one of the top most priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.
2013 michael coates-javaone
This document discusses how to scale web security programs to enable security at large organizations. It argues that relying solely on security professionals is not scalable, and that security must be embedded throughout the entire software development lifecycle (SDLC). It recommends automating as many security tasks as possible, such training developers, conducting static/dynamic analysis, and defending applications post-release. Security experts should focus on strategic tasks like risk management, architecture design, and tackling new problems. The key is gaining incremental security wins at each stage and building everything with scaling in mind.
More Related Content
What's hot
How to get the best out of DevSecOps - an operations perspective
This document discusses DevSecOps and the impact on operations. It describes how DevSecOps utilizes collaboration, flexibility, and automation through practices like infrastructure as code. This allows operations to focus on critical tasks rather than manual changes. Best practices for securing operations in a DevSecOps model include controlling source code repositories, protecting deployment pipelines, integrating security testing into the pipeline, and using security telemetry in applications and environments. Automated dashboards can measure security metrics.
RSAC DevSecOpsDays 2018 - We are all Equifax
This document discusses software supply chain security and vulnerabilities. It references the Equifax data breach in 2017 that was caused by a vulnerability in the Apache Struts software. The document notes that 80-90% of modern applications and operations consist of assembled components, but not all parts are created equal from a security standpoint. It provides statistics showing that 11.1% of Java components downloaded annually have known vulnerabilities and that 80% of organizations analyzed show poor cyber hygiene. The key takeaway is that businesses are ultimately responsible for the security of their data and systems, so emphasizing security for the entire software supply chain is important.
DevOps or DevSecOps
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.
Zero to Ninety in Securing DevOps
Delivered at DevSecOps Days 2018, RSA Conference
j. Wolfgang Goerlich
About J. Wolfgang Goerlich
About J Wolfgang Goerlich
CBI (Creative Breakthroughs, Inc.)
Cyber Security Strategist
J Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to the junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high speed high secure networks, and IT security officer and manager for a financial services firm. He is an active part of the security community; co-founding the Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.
Getting to Know Security and Devs: Keys to Successful DevSecOps
In the past, security was seen as function of the ‘security’ organization. With DevOps, we aim to break down these silos, and make security a shared responsibility. What do Security and Development teams need know about each other to work together more effectively?
DevSecCon London 2018: Open DevSecOps
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
Adversary Driven Defense in the Real World
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
DevSecOps: Bringing security to the DevOps pipeline
The document discusses DevSecOps, which aims to automate security practices like testing and monitoring into the development lifecycle. It advocates integrating security practices like static code analysis, dependency management, and container scanning into the build process. For testing, it recommends smoke tests and restricting access to test environments. In deployment, it suggests automating atomic container deployments to remove the need for developer access to production. For operations, it outlines security practices like isolating containers, documenting infrastructure, and preventing configuration drift between environments. The goal is to implement security controls through automation and standardization rather than manual reviews.
DevSecOps at Agile 2019
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
DevSecOps 101
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Practical DevSecOps Course - Part 1
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
2019 DevSecOps Reference Architectures
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Introduction to DevSecOps
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
DevSecOps - The big picture
This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses the importance of culture, processes, and technologies for effective communication, automation, and collaboration across Dev, Ops, and Security. The goal is to enable organizations to deliver inherently secure software at DevOps speed through a high-trust environment and automated security pipelines integrated into the software development lifecycle.
Introduction to DevSecOps
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
DevSecOps reference architectures 2018
DevSecOps reference architectures: Sonatype Nexus, Sonatype Nexus Lifecycle, HP Fortify, SonarQube, Jenkins, Twistlock, JIRA, Contrast, aqua, OWASP Zap, Find Bugs, Gaunltl, OWASP Depedency check, NESSUS, ThreadFix
DevOps 2018
The State of DevSecOps
The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.
DevSecOps
This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.
DevSecOps The Evolution of DevOps
*** DevSecOps: The Evolution of DevOps ***
Have you ever asked yourself the following questions:
What does DevSecOps means?
How is this different from DevOps?
What can we learn from the DevOps movement?
Presentation by James Betteley who shares his experience of shaping DevOps and what he foresees will happen with DevSecOps.
What's hot (20)
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
Getting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOps
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
Similar to DevSecOps: A New Hope for Security in CI/CD
Top Application Security Trends of 2012
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers. Application Security has become one of the top most priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.
2013 michael coates-javaone
This document discusses how to scale web security programs to enable security at large organizations. It argues that relying solely on security professionals is not scalable, and that security must be embedded throughout the entire software development lifecycle (SDLC). It recommends automating as many security tasks as possible, such training developers, conducting static/dynamic analysis, and defending applications post-release. Security experts should focus on strategic tasks like risk management, architecture design, and tackling new problems. The key is gaining incremental security wins at each stage and building everything with scaling in mind.
Essentials of Web Application Security: what it is, why it matters and how to...
Join Cenzic’s Chris Harget for an overview of the essentials of Web Application Security, including the risks, practices and tools that improve security at every stage of the application lifecycle.
The Thing That Should Not Be
This document summarizes a presentation about the future of web application security. It discusses how security practitioners and developers have skewed views of security. It notes how compliance, processes, people, and tools need to change to improve security. Developers will not prioritize security without requirements to do so. Tools and frameworks need to make security the default instead of something that must be explicitly added.
Zen and the art of Security Testing
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
-Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Continuous security
Agile is maturing in delivering incremental change. We innovate through data-driven experiments, enabled through continuous delivery and evolutionary architectures. Delivering small and fast means we are more frequently introducing new vulnerabilities. We are also facing new threats that come from increased integration through cloud computing and the internet of things. Traditional cycles of penetration tests and code reviews are not keeping up with the accelerated delivery pace unless these processes are also automated. DevSecOps focusses on integrating security in our processes and teams. Automate security first and fail fast will help build security in, but will also support the growth of awareness in the teams. Kim will show the lessons learned from her journey to Continuous security at ANVA, securing their open SaaS cloud platform for insurance software. Get an overview of the current continuous security landscape and the practical insights and pitfalls. And learn how security can be fun.
Bulletproof IT Security
This document discusses strategies for achieving bulletproof IT security. It recommends establishing strong security policies, frequent employee training, ongoing self-assessments, encryption, asset management, and testing business continuity plans. It also stresses the importance of system hardening through vulnerability management and addressing issues like BYOD. The document provides numerous free tools and resources organizations can use to identify vulnerabilities, harden systems, and prevent malware.
We cant hack ourselves secure
1) Cybercrime costs billions globally each year in direct losses and downtime, with the greatest transfer of wealth coming from cyber espionage of industrial and intellectual property. Nearly $1 trillion was spent in 2012 on cybercrime protection.
2) Traditional annual penetration tests only provide minimal security due to changing software and many variables. Comprehensive security requires strategies like threat modeling, ongoing testing, and vulnerability management.
3) Applications often incorporate many third party libraries and components that may contain known vulnerabilities, but these dependencies are rarely tested or covered by patch management. A holistic approach considering the entire "software food chain" is needed.
Who owns Software Security
This document discusses software security and outlines a 4 step plan to improve it. It begins by recommending studying successful security initiatives at other companies. The second step is to inventory your own applications to understand what data and services they involve. The third step is to incorporate security practices into agile development processes and use tools to help scale this. The final step is to drive a security-focused culture change and have plans for incident response.
Who Owns Software Security?
This document discusses software security and outlines a 4 step plan to improve it. It begins by recommending studying successful security initiatives at other companies. The second step is to inventory your own applications to understand what needs protecting. The third step is to incorporate security practices into agile development processes. The final step is to drive a security-focused culture change across the organization.
Solnet dev secops meetup
DevSecOps aims to integrate security practices into DevOps workflows to deliver value faster and safer. It addresses challenges like keeping security practices aligned with continuous delivery models and empowered DevOps teams. DevSecOps incorporates security checks and tools into development pipelines to find and fix issues early. This helps prevent breaches like the 2017 Equifax hack, which exploited a known vulnerability. DevSecOps promotes a culture of collaboration, shared responsibility, and proactive security monitoring throughout the software development lifecycle.
DevSecOps - Building continuous security into it and app infrastructures
Cloud services, Continuous Integration, and Continuous Deployment require security teams to adapt security controls to DevOps processes. This session will explore how security delivered as a service helps security teams work with DevOps to embed continuous security into IT and application infrastructure for improved and automated auditing, compliance and control of applications.
(Source : RSA Conference USA 2017)
Allianz Global CISO october-2015-draft
Appsec Basics, concepts, Risk, Sustainable Risk Management. SaaS, Continuous Vulnerability Assessment. Fullstack Assessment with edgescan.com. OWASP web security. Systems development security, Agile security assessment.
Why security is the kidney not the tail of the dog v3
Security is sometimes thought of being the tail that wags the Dog. A better analogy is that Cyber Security should be the Kidneys of the organization taking out the waste while allowing the useful information to pass.
DevSecOps Days Istanbul 2020 Security Chaos Engineering
This document summarizes a presentation on chaos engineering and security chaos engineering. It discusses how systems have become too complex for humans to fully understand and that failures are the normal condition. Chaos engineering experiments intentionally introduce failures to build confidence in a system's resilience. Security chaos engineering uses the same principles to continuously validate security controls and reduce uncertainty. The document provides examples of chaos experiments and introduces ChaoSlingr, an open source tool for automating security chaos experiments.
MT 117 Key Innovations in Cybersecurity
Cyber attackers are better funded, more focused, and more successful than ever. Making matters worse, defenders have more IT territory to protect, including public cloud, virtual infrastructure, mobile, Internet of Things, and an expanding list of users, applications, and data. An evolution in security strategies is underway; shifting from a preventive approach to one that is more balanced across prevention, monitoring, and response. In this session, we delve into key innovations that enable a more effective defense and how RSA’s NetWitness suite is delivering many of these innovations.
ADDO - Navigating the DevSecOps App-ocalypse 2020
The speed and scale of complex system operations within cloud-driven architectures make them extremely difficult for humans to mentally model their behavior. This often results in unpredictable and catastrophic outcomes that become costly when unexpected security incidents occur. There is a need to realign the actual state of operational security measures in order to maintain an acceptable level of confidence that our security actually works when we need it to.
As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Chaos Engineering allows us to proactively expose the failures, build resilient systems, and develop an "Applied Security" model to minimize the impact of failures.
Chaos Engineering allows for security teams to proactively experiment and derive new information about underlying factors that were previously unknown. This is done by developing live fire exercises that can be measured, managed, and automated. Contrary to Red/Purple Team exercises, chaos engineering does not use threat actor or adversarial tactics, techniques and procedures. As far as we know it Chaos Engineering is the only proactive mechanism for detecting availability and security incidents before they happen. We proactively introduce turbulent conditions, faults, and failures into our systems to determine the conditions by which our security will fail before it actually does.
In this session we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
Crash Course In Brain Surgery
Crash Course in Brain Surgery (by "brain" I mean "application", and by "surgery" I mean "security").
More Info: http://codebits.eu/intra/s/session/70
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Stay safe, grab a drink and join us virtually for our upcoming "Reveal the Security Risks in the Software Development Lifecycle" Meetup to learn how to find application security threats, issues in software development life cycle, build mature application security incident response processes and implement application security posture management.
Agenda:
17:00 - 17:05 - 'Opening words' - by Gary Berman (Cyber Heroes Network)
17:05 - 17:35 - 'Why securing the SDLC fails at scale' - by Liav Caspi (Co-Founder & CTO at Legit Security)
17:35 - 18:05 - 'The Real AppSec Issues' - by Josh Grossman (CTO at BounceSecurity)
18:05 - 18:35 - 'Application security and IR process' - by Vitaly Davidoff (Application Security Lead at JFrog)
18:35 - 19:00 - 'The ASPM way - a new approach' - by Liav Caspi (Co-Founder & CTO at Legit Security)
Make Every Spin Count: Putting the Security Odds in Your Favor
Cerdant’s Director of Engineering, Joshua Skeens, presented the best ‘bets’ to increase your security odds. Josh warned customers to stop gambling with their data, and cautioned against weak, guessable passwords stating, “Use 2-Factor Authentication everywhere!” The first step in creating the best security posture possible for your business will always be just getting started, and to keep momentum Josh suggests implementing 1 new security practice each week.
Similar to DevSecOps: A New Hope for Security in CI/CD (20)
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos Engineering
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
More from Franklin Mosley
Taking Security Responsibility in the AWS Cloud
Many businesses have migrated to the cloud to take advantage of its benefits of flexibility, cost structure, economies of scale, and global reach. But how do you meet your security objectives around confidentiality, integrity and availability? In this talk we highlight AWS security best practices.
How to Make a Unicorn: Finding Cybersecurity Talent in the Real World (Boston)
Another day, another high-profile security incident. Forty percent of all data breach incidents occur from attacks on web applications. With DevOps accelerating the pace at which software is developed and deployed, it’s critical to integrate proper security thinking into the DevOps process. Without this, rapid software development can introduce security flaws.
The cybersecurity labor crunch is expected to hit 3.5 million unfilled jobs by 2021. So where do you turn for help when the demand for qualified cybersecurity professionals is high, but the supply is low?
In addition, all security professionals aren’t created equal. How do you identify the security skills needed in DevSecOps?
AppSec engineers have been called unicorns, and in this talk we will make these mythical creatures a reality and discuss:
* The skills needed to be a successful AppSec engineer
* Scenarios in which these skills are used in DevSecOps
* How to identify and groom talent within your own organization
* Ways to scale your team
How to Make a Unicorn: Finding Cybersecurity Talent in the Real World (Dallas)
With DevOps accelerating the pace at which software is developed and deployed, it’s critical to integrate proper security thinking. Application security for DevSecOps is in high demand, and AppSec engineers have been called unicorns. In this talk we will make these mythical creatures a reality.
DevSecOps: Minimizing Risk, Improving Security
Thanks to the cloud and open source tools, DevOps teams have access to unprecedented infrastructure and scale. But that also means they can be approached by some of the most nefarious actors on the Internet, as they risk the security of their business with every application deployment. Perimeter-class security is no longer viable in such a distributed environment, so now companies need to adapt to more micro-level security. This merging of DevOps and security operations – a concept called DevSecOps – is one of the most important new developments in security and IT deployment. In this session, our expert will discuss how teams are now collaborating as peers to achieve optimal security.
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
Security pros have written countless jokes and comics maligning developers' exultant disregard for security and lauding their own long-suffering devotion to repairing reckless dev teams' vulnerable code. Yet, this narrative -- which does nothing to improve application security -- has gone on long enough. This session will help you change the conversation and the trend. You'll learn how to speak developers' language, learn about the real pressures they face in a continuous delivery environment, and discover how to get Dev, Ops, and Security teams aligned and focused on a singular goal.
RoboCop: Bringing Law and Order to CI/CD
In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.
More from Franklin Mosley (6)
How to Make a Unicorn: Finding Cybersecurity Talent in the Real World (Boston)
How to Make a Unicorn: Finding Cybersecurity Talent in the Real World (Boston)
How to Make a Unicorn: Finding Cybersecurity Talent in the Real World (Dallas)
How to Make a Unicorn: Finding Cybersecurity Talent in the Real World (Dallas)
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
Recently uploaded
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au
Measures in SQL (SIGMOD 2024, Santiago, Chile)
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
Malibou Pitch Deck For Its €3M Seed Round
French start-up Malibou raised a €3 million Seed Round to develop its payroll and human resources
management platform for VSEs and SMEs. The financing round was led by investors Breega, Y Combinator, and FCVC.
WWDC 2024 Keynote Review: For CocoaCoders Austin
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
In today's fiercely competitive mobile app market, the role of the QA team is pivotal for continuous improvement and sustained success. Effective testing strategies are essential to navigate the challenges confidently and precisely. Ensuring the perfection of mobile apps before they reach end-users requires thoughtful decisions in the testing plan.
14 th Edition of International conference on computer vision
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
Image: Include an image that represents the concept of precision, such as a AI helix or a futuristic healthcare
setting.
Objective: Provide a foundational understanding of precision medicine and its departure from traditional
approaches
Role of theory: Discuss how genomics, the study of an organism's complete set of AI ,
plays a crucial role in precision medicine.
Customizing treatment plans: Highlight how genetic information is used to customize
treatment plans based on an individual's genetic makeup.
Examples: Provide real-world examples of successful application of AI such as genetic
therapies or targeted treatments.
Importance of molecular diagnostics: Explain the role of molecular diagnostics in identifying
molecular and genetic markers associated with diseases.
Biomarker testing: Showcase how biomarker testing aids in creating personalized treatment plans.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Real-world case study: Present a detailed case study showcasing the success of precision
medicine in a specific medical scenario.
Patient's journey: Discuss the patient's journey, treatment plan, and outcomes.
Impact: Emphasize the transformative effect of precision medicine on the individual's
health.
Objective: Ground the presentation in a real-world example, highlighting the practical
application and success of precision medicine.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions for handling and analyzing vast
datasets.
Visuals: Include graphics representing data management challenges and technological solutions.
Objective: Acknowledge the data-related challenges in precision medicine and highlight innovative solutions.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions
What’s New in Odoo 17 – A Complete Roadmap
Odoo releases a new update every year. The latest version, Odoo 17, came out in October 2023. It brought many improvements to the user interface and user experience, along with new features in modules like accounting, marketing, manufacturing, websites, and more.
The Odoo 17 update has been a hot topic among startups, mid-sized businesses, large enterprises, and Odoo developers aiming to grow their businesses. Since it is now already the first quarter of 2024, you must have a clear idea of what Odoo 17 entails and what it can offer your business if you are still not aware of it.
This blog covers the features and functionalities. Explore the entire blog and get in touch with expert Odoo ERP consultants to leverage Odoo 17 and its features for your business too.
An Overview of Odoo ERP
Odoo ERP was first released as OpenERP software in February 2005. It is a suite of business applications used for ERP, CRM, eCommerce, websites, and project management. Ten years ago, the Odoo Enterprise edition was launched to help fund the Odoo Community version.
When you compare Odoo Community and Enterprise, the Enterprise edition offers exclusive features like mobile app access, Odoo Studio customisation, Odoo hosting, and unlimited functional support.
Today, Odoo is a well-known name used by companies of all sizes across various industries, including manufacturing, retail, accounting, marketing, healthcare, IT consulting, and R&D.
The latest version, Odoo 17, has been available since October 2023. Key highlights of this update include:
Enhanced user experience with improvements to the command bar, faster backend page loading, and multiple dashboard views.
Instant report generation, credit limit alerts for sales and invoices, separate OCR settings for invoice creation, and an auto-complete feature for forms in the accounting module.
Improved image handling and global attribute changes for mailing lists in email marketing.
A default auto-signature option and a refuse-to-sign option in HR modules.
Options to divide and merge manufacturing orders, track the status of manufacturing orders, and more in the MRP module.
Dark mode in Odoo 17.
Now that the Odoo 17 announcement is official, let’s look at what’s new in Odoo 17!
What is Odoo ERP 17?
Odoo 17 is the latest version of one of the world’s leading open-source enterprise ERPs. This version has come up with significant improvements explained here in this blog. Also, this new version aims to introduce features that enhance time-saving, efficiency, and productivity for users across various organisations.
Odoo 17, released at the Odoo Experience 2023, brought notable improvements to the user interface and added new functionalities with enhancements in performance, accessibility, data analysis, and management, further expanding its reach in the market.
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
ACE - Team 24 Wrapup event at ahmedabad.
Atlassian Team 24 event wrap-up Ahmedabad. Recap of Atlassian team24 event.
Using Query Store in Azure PostgreSQL to Understand Query Performance
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech is a premier mobile app development company in Noida, providing cutting-edge solutions for businesses.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
How Can Hiring A Mobile App Development Company Help Your Business Grow?
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Closing talk for the Performance Engineering track at Community Over Code EU (Bratislava, Slovakia, June 5 2024) https://eu.communityovercode.org/sessions/2024/why-apache-kafka-clusters-are-like-galaxies-and-other-cosmic-kafka-quandaries-explored/ Instaclustr (now part of NetApp) manages 100s of Apache Kafka clusters of many different sizes, for a variety of use cases and customers. For the last 7 years I’ve been focused outwardly on exploring Kafka application development challenges, but recently I decided to look inward and see what I could discover about the performance, scalability and resource characteristics of the Kafka clusters themselves. Using a suite of Performance Engineering techniques, I will reveal some surprising discoveries about cosmic Kafka mysteries in our data centres, related to: cluster sizes and distribution (using Zipf’s Law), horizontal vs. vertical scalability, and predicting Kafka performance using metrics, modelling and regression techniques. These insights are relevant to Kafka developers and operators.
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
Energy consumption of Database Management - Florina Jonuzi
Presentation from Florina Jonuzi at the GSD Community Stage Meetup on June 06, 2024
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
Recently uploaded (20)
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
DevSecOps: A New Hope for Security in CI/CD
- 1. DevSecOpsDevSecOps A New Hope for Security in CI/CDA New Hope for Security in CI/CD Featuring Franklin Mosley Senior Application Security Engineer PagerDuty 1
- 2. “Fear is the path to the dark side…fear“Fear is the path to the dark side…fear leads to anger…anger leads to hate…hateleads to anger…anger leads to hate…hate leads to suffering.”leads to suffering.” 2
- 3. ThenThen 3
- 4. NowNow 4
- 5. 5
- 6. ““I find your lack of securityI find your lack of security disturbing.disturbing.”” 6
- 7. 21% of all data breach incidents occur from attacks on web applications Source: Verizon Data Breach Investigations Report - http://www.verizonenterprise.com/verizon-insights-lab/dbir/tool/pattern/web-applications 7
- 8. import re re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]uggeds[Dd]ev)[Oo]ps') Automated Speed Scale People 8
- 9. How do we get there?How do we get there? 9
- 10. Change the security mindsetChange the security mindset 10
- 11. Change the security mindsetChange the security mindset Security: Stop being the organization of "No" Security: Walk in a developer's shoes Developer: 48%* know security is important Shift left and integrate throughout the SDLC * Source: Sonatype "2018 DevSecOps Community Survey" - https://www.sonatype.com/2018survey 11
- 13. Change the security mindsetChange the security mindset Security: Stop being the organization of "No" Security: Walk in a developer's shoes Developer: 48%* know security is important Shift left and integrate throughout the SDLC * Source: Sonatype "2018 DevSecOps Community Survey" - https://www.sonatype.com/2018survey 13
- 14. Who's responsible for security?Who's responsible for security? SecurityDevelopers Operations 14
- 15. You code it. You own it.You code it. You own it. 45% increase in number of changes deployed to production 25% reduction in major incidents that impact customers 50% reduction in Mean Time To Resolution (MTTR) of major incidents Less silo-based knowledge centers Source: PagerDuty "Owning Your Code is Better" - https://www.pagerduty.com/blog/developers-own-code/ 15
- 16. ““Do. Or do not. There is no try.Do. Or do not. There is no try.”” 16
- 17. 17
- 18. Application ScanningApplication Scanning Long scan timesLong scan times False PositivesFalse Positives Did not scaleDid not scale 100% coverage?100% coverage? 18
- 19. “I assure you, Lord Vader.“I assure you, Lord Vader. My men are working asMy men are working as fast as they can.”fast as they can.” 19
- 20. Application ScanningApplication Scanning Targeted testingTargeted testing Integrate with Q/AIntegrate with Q/A ScaleScale 20
- 21. 21
- 22. 22
- 23. 23
- 24. Make it easy to do the rightMake it easy to do the right thingthing 24
- 25. 25
- 26. Source Code ScanningSource Code Scanning Use the right tool for the jobUse the right tool for the job Full scansFull scans 26
- 27. Source Code ScanningSource Code Scanning Incremental scansIncremental scans Use the right tool for the jobUse the right tool for the job 27
- 28. 28
- 29. Container/AMI ValidationContainer/AMI Validation Early in the pipelineEarly in the pipeline Learn to use the toolsLearn to use the tools Golden imagesGolden images 29
- 30. 30
- 31. Security OperationsSecurity Operations Be Reactive and ResponsiveBe Reactive and Responsive Learn normal from abnormal behaviorLearn normal from abnormal behavior Act on it!Act on it! 31
- 32. TL;DRTL;DR Security is a shared responsibilitySecurity is a shared responsibility Change the security mindsetChange the security mindset Owning the code is betterOwning the code is better Be FrictionlessBe Frictionless 32
- 33. “You must“You must unlearnunlearn what youwhat you havehave learned.”learned.” 33
- 34. Thank You!Thank You! Franklin MosleyFranklin Mosley @fpmosley3 /in/franklinmosley 34