Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner..., by JPCERT Coordination Center
Recently we’ve seen many vulnerabilities related to improper certificate validation. These vulnerabilities stem from developers’ ignorance or misunderstanding of the basics of certificate validation, or from insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several real-world vulnerabilities, and concludes with lessons learned from them.
This was presented at JavaOne 2015.
The Emergent Cloud Security Toolchain for CI/CD, by James Wickett
Security is in crisis and it needs a new way to move forward. This talk, from the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of devops and devsecops.
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery, by Perforce
DevOps and Continuous Delivery practices are attracting the attention of many organizations looking to increase the speed of their application delivery, yet doing so the wrong way can risk both quality and security. In this webinar, Forrester analysts Kurt Bittner and Rick Holland will share their insights on how DevOps and Security teams can work better together to meet these challenges, along with best practices for bringing greater security to product development and delivery.
The DevSecOps Builder’s Guide to the CI/CD Pipeline, by James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
There are many ways to manage whether a service can talk to another service. It can be tempting to over-use one segmentation mechanism to implement policy when the real problem is how to coordinate and manage many mechanisms in the physical, cloud and container spaces. This talk summarizes the problem space and opportunities rather than offers solutions.
Presented at the Docker Palo Alto meetup Feb 16th 2016 http://www.meetup.com/Docker-Palo-Alto/events/228277181/
From DevOps to DevSecOps, access control vulnerabilities and misconfigurations are the top security issues in infrastructure management. This workshop will introduce how to improve security in CI/CD to avoid privilege escalation and harden K8s security based on kube-bench (CIS Kubernetes Benchmark) and kubesec tools.
How to get along with HATEOAS without letting the bad guys steal your lunch?, by Graham Charters
It’s a cool idea - decouple the client from the server and let the application tell the client what it can do dynamically. This approach should allow much more flexibility and resilience as the client and server can evolve separately. Unfortunately, the HATEOAS approach can be a free lunch for cybercriminals unless you understand the simple steps needed to secure your design.
The question is - how to achieve the balance of design flexibility and security in practice?
This session will show you how to create a secure hypermedia-driven RESTful web service using HATEOAS principles. You’ll learn how HATEOAS works, understand how it can be exploited by the bad guys, and discover why HATEOAS is still a really good approach.
With code and examples this session will leave you more informed and possibly a little wiser.
360° Kubernetes Security: From Source Code to K8s Configuration Security, by DevOps.com
Kubernetes has become the default way for many organizations to scale and orchestrate their use of containers. However, organizations are starting to find themselves needing to take the necessary steps to protect their containers. Automating security checks throughout the development life cycle can help reduce risk and allow organizations to develop and deploy securely.
Join Shiri Ivstan, Senior Product Manager at WhiteSource and Yaniv Peleg Tsabari, Senior Director of Product Management at Alcide, as they explore the world of security in Kubernetes and discuss:
The security risks associated with open-source code and Kubernetes environments
Supply Chain: Continuous Security throughout the CI/CD pipeline
Security aspects throughout the development cycle, such as Image Scanning, Image Assurance, K8s Configuration hygiene and more.
How to automate policies with respect to the above techniques throughout the CI/CD pipeline in order to facilitate more secure application deployments.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
Take a step forward from user to maintainer or developer in open source secur..., by SZ Lin
There are a variety of high-quality open source security-related tools available for penetration testing, forensics, hardening, fuzzing, and network monitoring. These tools can be used freely; however, we might face some issues while using them. Therefore, it is essential to have the ability to maintain or develop these tools. In this slide deck, SZ Lin introduces the Security Tools Packaging Team in Debian, which aims to collaboratively maintain many security tools and merge back tools packaged by security-oriented Debian derivatives (e.g., Kali). SZ also shares experience in discussing and collaborating with the open source maintainers and developers of security-related tools.
OpenChain, the ISO standard, defines effective open source compliance. This slide deck aims to let people get familiar with the OpenChain specification from scratch.
Not Only Reactive - Data Access with Spring Data, by VMware Tanzu
SpringOne Platform 2017
Christoph Strobl, Pivotal; John Blum, Pivotal
Reactive programming is one of the core themes supported by Spring Framework 5.0 and the other ecosystem projects. Spring Data provides non-blocking, reactive support that allows Spring applications to go reactive from end to end. Still, more has happened around Spring Data.
In this session we will cover efforts made towards reactive data access for those stores supporting this approach. But we will also give an update on recent additions, changes and improvements in Spring Data, have a detailed look at the supported stores, and deep dive into some of their specifics.
OpenChain - The Industry Standard for Open Source Compliance, by SZ Lin
OpenChain is a legal compliance process and standard for the implementation of open source software in the enterprise supply chain. It enables the upstream and downstream parties of the software supply chain to follow and share the open source compliance obligations accordingly; moreover, it can also help enterprises collaborate positively with open source communities.
Explore Jakarta EE and MicroProfile on Azure with Open Liberty & OpenShift, by Graham Charters
Presentation and demonstration of a Java EE, Jakarta EE, MicroProfile application on WebSphere Liberty and Open Liberty on OpenShift on Microsoft Azure.
You can view the session recording here: https://www.youtube.com/watch?v=R9y42aEfmTU
DevSecOps for Developers: How To Start, by Patricia Aas
How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine-tuning of tools and processes can give you DevSecOps on a shoestring.
The Security, DevOps, and Chaos Playbook to Change the World, by James Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This talk will highlight security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610, by Cisco DevNet
Join to explore concrete use cases implemented with the Administrative & Serviceability capabilities of the Webex Teams (formerly Cisco Spark) APIs.
We'll cover how to manage Webex Teams Users but also track Spaces activity through the recently added /events API resource. Moreover, we will dig into the possibilities offered by the xAPI for Webex Teams-registered devices: discover Company Branding, People counting, and how to initiate Video Calls to Webex Teams & SIP addresses.
This session is aimed at Webex Teams Administrators, Compliance Officers, and Cisco Collaboration Endpoints owners.
DEVNET-3610
https://www.ciscolive.com/us/learn/sessions/session-catalog/?search=DEVNET-3610
Meeting rooms are talking! Are you listening?, by Cisco DevNet
How can you tell if meeting room A302 is occupied right now? Ask an API! The same Cisco Collab devices that provide high-quality video also embed a rich API where you can get real-time info and create a personalized experience with custom UI controls. In this talk, we’ll detail how to create controls to turn off the lights or take the curtains down, how to build interactive maps that show room occupancy in React, or how to build a maze game in JavaScript and deploy it to the latest Cisco Collab devices. If you love modern user experiences and IoT, and know a bit of JavaScript, come get inspired!
Marcin Grzejszczak - Contract Tests in the Enterprise, by SegFaultConf
Is your legacy application talking to a service that is never up and running on your shared testing environment? Does your company waste a lot of time and money on regression testing only to see that, yet again, someone has created a typo in the API? Enough is enough. Time to fix this problem using contract tests!
In this presentation you’ll see how to migrate a legacy application to work with stubs of external applications. We’ll show different ways of increasing your test reliability by adding contract tests for your API. You’ll see the difference between producer- and consumer-driven contracts.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show how easy it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples a DevOps team can implement for free.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Enterprise-Grade DevOps Solutions for a Start Up Budget, by DevOps.com
Even though you’re a small startup or medium-sized business and just beginning your product journey, it doesn’t mean you can’t have a robust and scalable DevOps environment like the enterprise experts. It is always a good practice when building a startup or a new company to have a solid foundation and start implementing efficient and scalable solutions early. Join and learn how having a limited budget doesn’t mean you can’t have enterprise quality tools.
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
Digitalization has become the latest hype in the current situation, encouraging every industry to incorporate the same. In this process, software plays the focal role. Consequently, a significant focus shifts to software development to make them more reliable and less time-consuming. So, the Software Development Life Cycle comes into the picture to make the software development process easy, reliable, and time-saving. This is the methodology that streamlines the entire software development process to develop effective software. So, without any further ado, let’s unveil the curtain on the intricacies of the SDLC process.
The Software Development Life Cycle (SDLC) is crucial for efficient software creation. Explore its phases and significance in development projects.
Learn more: https://www.grapestechsolutions.com/blog/what-is-software-development-life-cycle/
In this talk, you will hear the best practices from analysts at Gartner, engineers at Heroku, and experiences at VSP distilled down into a top ten list of characteristics that applications ought to have to achieve high availability, scalability and flexibility. Target audience includes developers of APIs and web-based applications, the analysts and architects that design them and the infrastructure teams that support them.
What is DevOps Services_ Tools and Benefits.pdf, by komalmanu87
This closer relationship between “Dev” and “Ops” permeates every phase of the DevOps lifecycle: from initial software planning to code, build, test, and release phases and on to deployment, operations, and ongoing monitoring. This relationship propels a continuous customer feedback loop of further improvement, development, testing, and deployment. One result of these efforts can be the more rapid, continual release of necessary feature changes or additions.
What is DevOps Services_ Tools and Benefits.pdf, by komalmanu87
Some people group DevOps goals into four categories: culture, automation, measurement, and sharing (CAMS), and DevOps tools can aid in these areas. These tools can make development and operations workflows more streamlined and collaborative, automating previously time-consuming, manual, or static tasks involved in integration, development, testing, deployment, or monitoring.
Working on DevSecOps culture - a team centric view, by Patrick Debois
A presentation to help you better understand the context in which devsecops transformations happen, with a focus on how teams are empowered to really care about security.
Presented at The Devops Conference - organized by Eficode
Why DevSecOps Is Necessary For Your SDLC Pipeline?, by Enov8
A DevSecOps environment allows the integration of automated security checks within your SDLC pipeline to deliver early warnings and consistently monitor security vulnerabilities that escaped earlier checks.
Implementing Secure DevOps on Public Cloud Platforms, by Gaurav "GP" Pal
Businesses are looking to accelerate the delivery of production-quality software with fewer defects and better security. Continuous Integration/Continuous Deployment (CI/CD), also known as DevOps, is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of integration and deployment activities is common, especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance-driven and public-sector-focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP, amongst others, when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others, provide a robust SecDevOps implementation. This white paper by stackArmor provides an overview of how an organization can implement a Secure DevOps pipeline and its key elements.
This talk will argue that DevOps methodologies can be applied to traditional application security practices. Only when developers and operations team members are enabled to make security a part of their everyday work will an organization's security culture change. We must meet security at the sweet spot between running a marathon and sprinting towards a software deployment. So put on your running shoes; it’s time for Dev{Sec}Ops!
Similar to Dev(Sec)Ops - Architecture for Security and Compliance (20)
Testing in Production, Deploy on Fridays, by Yi-Feng Tzeng
This talk is an extension of last year's ModernWeb'19 session "Progressive Deployment & NoDeploy". Although Testing in Production has been advocated for many years, so far few teams are willing, or dare, to practice it, and the reasons behind that mostly have to do with culture and attitude.
This time I mainly share the bitter and the sweet encountered while promoting it, as well as several products I personally worked on that achieved Testing in Production and Deploy on Fridays.
Introduction to Redis 3.0 and its features and improvements. What's the difference between Redis, Memcached and Aerospike? The strengths of Redis, and how to stay away from its weaknesses.
This session introduces Redis 3.0 and its history, and explores the characteristics and improvements of Redis. It also analyzes the differences between Redis, Memcached and Aerospike, which helps in understanding and judging future business-scenario requirements. Finally, it shares the scenarios Redis is suited for, and fallback or integration options for the scenarios where it is not. The session is suitable for Redis beginners, those who want a deeper understanding of Redis, and those who have ever been inexplicably struck or burned by Redis.
DevOps and Testing slides at DASA Connect, by Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Removing Uninteresting Bytes in Software Fuzzing, by Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Metaverse and AI: how can decision-makers harness the Metaverse for their... (Jen Stirrup)
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
The new frontiers of AI in RPA with UiPath Autopilot™ (UiPathCommunity)
In this free online event, organised by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the development and use of Automations.
We will look together at some examples of using Autopilot in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
GraphRAG is All You Need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums, and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is part of our current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
26. 26/90
Scrum & Product Owner
“The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide)
“The PO role is responsible for working with the customers and stakeholders to understand their needs.”
Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
27. 27/90
Scrum & Product Owner
Who are your stakeholders?
28. 28/90
Scrum & Product Owner
Security officers should start taking up the role of security stakeholders.
30. 30/90
Product Backlog
Scenario: Users are able to register
Given the user is on “/users/register”
When the user types the email “yftzeng@gmail.com”
When the user types the password “xxx”
When the user clicks the register button
Then the response should contain “Password must be at least 8 characters long”
...
BDD
31. 31/90
Product Backlog
Scenario: The application should not contain SQL injection vulnerabilities
And the SQL-Injection policy is enabled
And the attack strength is set to High
And the alert threshold is set to Low
When the scanner is run
And the following false positives are removed
| url | parameter | cweId | wascId |
And the XML report is written to the file output/security/sql_injection.xml
Then no Medium or Higher risk vulnerabilities should be present
Credit: https://continuumsecurity.net/bdd-security/
BDD
32. 32/90
Product Backlog
Scenario: Present the login form itself over an HTTPS connection
Given a new browser instance
And the client/browser is configured to use an intercepting proxy
And the proxy logs are cleared
And the login page is displayed
And the HTTP request-response containing the login form
Then the protocol should be HTTPS
And ...
Credit: https://continuumsecurity.net/bdd-security/
BDD
38. 38/90
DevOps & Security
SecDevOps—sometimes called “Rugged DevOps” or “security at speed”—as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches.
Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/
39. 39/90
DevOps & Security
“SecDevOps seeks to embed security inside the development process as deeply as DevOps has done with operations”
40. 40/90
DevOps & Security
The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security—with no exceptions. As with any other methodology, security must be built into DevOps.
Credit: https://techbeacon.com/devsecops-foundations
55. 55/90
DevOps & Compliance
Lawsuits: United States (1/2)
- 2002: MySQL vs. Progress Software
- 2006-03: Jacobson vs. Katzer
- 2007-10: BusyBox vs. Monsoon
- 2007-11: BusyBox vs. Xterasys
- 2007-11: BusyBox vs. High-Gain Antennas
- 2007-12: BusyBox vs. Verizon
- 2008-01: Trend vs. Barracuda
- 2008-06: BusyBox vs. Bell Microproduct
56. 56/90
DevOps & Compliance
Lawsuits: United States (2/2)
- 2008-06: BusyBox vs. Super Micro Computer
- 2008-07: BusyBox vs. Extreme Networks
- 2008-12: FSF vs. Cisco
- 2009-02: Microsoft vs. TomTom
- 2009-12: BusyBox vs. Best Buy et al. (14 companies)
- 2014-12: Ximpleware vs. Versata
69. 69/90
CI/CD & Pipeline
Credit: https://www.scaledagileframework.com/release-on-demand/
Develop on Cadence. Release on Demand.
- A SAFe mantra
Develop on Cadence (technical process)
Release on Demand (business decision)
70. 70/90
CI/CD & Pipeline
Decoupling: Develop on Cadence (technical process) vs. Release on Demand (business decision)
71. 71/90
CI/CD & Pipeline
Credit: https://martinfowler.com/books/continuousDelivery.html
Continuous delivery is about putting the release schedule in the hands of the business, not in the hands of IT.
73. 73/90
CI/CD & Pipeline
Credit: https://martinfowler.com/bliki/ContinuousDelivery.html
Continuous Delivery is sometimes confused with Continuous Deployment. Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In order to do Continuous Deployment you must be doing Continuous Delivery.
Martin Fowler
80. 80/90
[Diagram, labels only: Security, Marketing, Compliance; needs; pen testing, red team; regulations, controls, standards; unit / integration / performance test; scheduling, schedule; pipeline; Develop]