Devsecops at Cimpress
•
1 like•284 views
This document discusses DevSecOps at Cimpress, an online printing company. It outlines some of the challenges of their worldwide and decentralized operations with varying technology stacks. Their approach involves threat modeling to identify threats, assets, and controls. They create security assertions based on the threat model and assure test case coverage. The focus is on integrating security into development in a way that is not burdensome to developers. The expected deliverables include automated unit test coverage and tool scans to address the threat model.
Report
Share
Report
Share
Download to read offline
Recommended
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
This document discusses how the goal of security perfection can be an enemy of DevSecOps. It argues that perfection is unattainable, can result in analysis paralysis, and does not work with an agile DevOps model. Instead, it advocates embracing a "good enough" approach where security teams focus on addressing critical risks, empower developers, shift testing left, and use compensating controls to mitigate remaining risks. The document encourages security teams to challenge whether they always require thorough vulnerability reviews, fixing of all issues, and sign-off before production to determine if they truly enable DevSecOps practices.
DevOps
The document discusses DevSecOps, which combines DevOps and network security. It outlines the stages of a DevSecOps pipeline including continuous integration, delivery, and deployment. It presents a DevSecOps manifesto advocating for open collaboration, security as a service, exploit testing, and compliance as operations. The document also provides examples of integrating security practices at different stages of the software development lifecycle and approaches for legacy versus new applications.
Legacy-SecDevOps (AppSec Management Debrief)
This document summarizes a debrief presentation on appsec management given in London in December 2016. It notes that the organization's applications currently have high security risks that have not been fixed, there is no appsec team, and the security of the applications and ability to detect attacks cannot be assured. It proposes creating a "Legacy-SecDevOps" team to focus on fixing security issues, refactoring code, and improving testing and deployment over 6 months to help kickstart an appsec program for 2017. The team would work to improve security practices like threat modeling, reviews, and monitoring across the organization.
Application Security at DevOps Speed - DevOpsDays Singapore 2016
The document discusses how to integrate security practices into DevOps workflows at speed. It recommends a three step approach: 1) Make security part of agile planning and processes like Scrum, including security training, requirements, testing and demos. 2) Implement a "DevSecOps" pipeline that automates security checks and testing at each stage of development. 3) Continuously measure and reduce security debt and improve app robustness and security skills over time. The goal is to shift security left and make it part of fast-paced DevOps cycles.
Principles of Chaos Engineering
Slide deck from my talk about "Principles of Chaos Engineering" at the first ever Chaos Engineering Hamburg meet up.
Come join us at http://www.meetup.com/Chaos-Engineering-Hamburg/ and stay up to date with new events and other news.
Security Champions - Introduce them in your Organisation
How to get security software development established, training of teams. A methodology based on the concept of security champions and owasp tools and guides.
Using threat models to control project brief
The document discusses using threat models to control project scope and manage business requests. It provides information on what threat modeling is, why it is useful, and how to conduct threat modeling. Key points include:
- Threat models can help "lock" the project brief and scope by requiring any new features or changes to be evaluated in updated threat models.
- Threat models should be set up as the authoritative source of truth about security considerations and implications.
- Creating threat models for individual features allows for a tighter analysis of each component's risks and connections between components.
- Chaining multiple threat models together can help identify overarching vulnerabilities across the system.
- Penetration tests should be used to validate the
Overcoming Security Challenges in DevOps
This document discusses taking a DevOps approach to security. It outlines how DevOps practices like automation, immutable infrastructure, and infrastructure as code can improve an organization's security posture by reducing vulnerabilities and ensuring consistent configurations. It also addresses some of the challenges of integrating security into DevOps environments and proposes moving towards software-defined security models that provide real-time visibility, automatic protection, and continuous assessment.
Recommended
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
This document discusses how the goal of security perfection can be an enemy of DevSecOps. It argues that perfection is unattainable, can result in analysis paralysis, and does not work with an agile DevOps model. Instead, it advocates embracing a "good enough" approach where security teams focus on addressing critical risks, empower developers, shift testing left, and use compensating controls to mitigate remaining risks. The document encourages security teams to challenge whether they always require thorough vulnerability reviews, fixing of all issues, and sign-off before production to determine if they truly enable DevSecOps practices.
DevOps
The document discusses DevSecOps, which combines DevOps and network security. It outlines the stages of a DevSecOps pipeline including continuous integration, delivery, and deployment. It presents a DevSecOps manifesto advocating for open collaboration, security as a service, exploit testing, and compliance as operations. The document also provides examples of integrating security practices at different stages of the software development lifecycle and approaches for legacy versus new applications.
Legacy-SecDevOps (AppSec Management Debrief)
This document summarizes a debrief presentation on appsec management given in London in December 2016. It notes that the organization's applications currently have high security risks that have not been fixed, there is no appsec team, and the security of the applications and ability to detect attacks cannot be assured. It proposes creating a "Legacy-SecDevOps" team to focus on fixing security issues, refactoring code, and improving testing and deployment over 6 months to help kickstart an appsec program for 2017. The team would work to improve security practices like threat modeling, reviews, and monitoring across the organization.
Application Security at DevOps Speed - DevOpsDays Singapore 2016
The document discusses how to integrate security practices into DevOps workflows at speed. It recommends a three step approach: 1) Make security part of agile planning and processes like Scrum, including security training, requirements, testing and demos. 2) Implement a "DevSecOps" pipeline that automates security checks and testing at each stage of development. 3) Continuously measure and reduce security debt and improve app robustness and security skills over time. The goal is to shift security left and make it part of fast-paced DevOps cycles.
Principles of Chaos Engineering
Slide deck from my talk about "Principles of Chaos Engineering" at the first ever Chaos Engineering Hamburg meet up.
Come join us at http://www.meetup.com/Chaos-Engineering-Hamburg/ and stay up to date with new events and other news.
Security Champions - Introduce them in your Organisation
How to get security software development established, training of teams. A methodology based on the concept of security champions and owasp tools and guides.
Using threat models to control project brief
The document discusses using threat models to control project scope and manage business requests. It provides information on what threat modeling is, why it is useful, and how to conduct threat modeling. Key points include:
- Threat models can help "lock" the project brief and scope by requiring any new features or changes to be evaluated in updated threat models.
- Threat models should be set up as the authoritative source of truth about security considerations and implications.
- Creating threat models for individual features allows for a tighter analysis of each component's risks and connections between components.
- Chaining multiple threat models together can help identify overarching vulnerabilities across the system.
- Penetration tests should be used to validate the
Overcoming Security Challenges in DevOps
This document discusses taking a DevOps approach to security. It outlines how DevOps practices like automation, immutable infrastructure, and infrastructure as code can improve an organization's security posture by reducing vulnerabilities and ensuring consistent configurations. It also addresses some of the challenges of integrating security into DevOps environments and proposes moving towards software-defined security models that provide real-time visibility, automatic protection, and continuous assessment.
Introduction to DevSecOps
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
Security champions v1.0
This document provides information about security champions and their role in an application security (AppSec) team. It explains that security champions are developers who help bridge the gap between security and development teams by focusing on application security activities like threat modeling, code reviews, and security testing. They spend 20% of their time on these security responsibilities. The benefits of being a security champion include career advancement opportunities through learning more about application security. Security champions receive training and support from a central AppSec team. They also participate in weekly meetings and hackathons to improve security skills and find issues in applications.
PIACERE - DevSecOps Automated
This document summarizes the PIACERE project, which aims to integrate security into DevSecOps processes. It receives funding from the EU Horizon 2020 program. The project develops tools like the DevSecOps Modeling Language (DOML) and Verification Tool to integrate security principles into infrastructure modeling and deployment. It also includes a Canary Sandbox Environment for testing deployments and an Infrastructure Optimization Platform for optimizing cloud resources. The overall goal is to provide a unified platform for secure, automated deployment to multiple clouds.
Principles Of Chaos Engineering - Chaos Engineering Hamburg
This document discusses chaos engineering and its principles. It provides an agenda for a talk on AWS basics, the evolution of chaos testing, tooling for chaos engineering, and chaos engineering itself. It describes how chaos engineering experiments are used to test systems by simulating failures like instance or availability zone outages. The key principles of chaos engineering are to understand normal system behavior, build hypotheses around steady states, vary real-world events by conducting experiments in production, and automate experiments continuously. Popular tools for chaos engineering include Chaos Monkey, Chaos Gorilla, and Chaos Kong.
From Gates to Guardrails: Alternate Approaches to Product Security
1. Jason Chan, an engineering director at Netflix, gave a presentation about product security approaches at Netflix.
2. Netflix has an agile development culture with over 200 daily production pushes across 1000+ supported devices in 40 countries. This results in a need for security approaches that can handle Netflix's scale and speed.
3. Netflix employs approaches like visibility into security-related data, automation through over 1000 tests, and an immutable server pattern to enable security in their fast-paced, cloud-based environment.
Chaos Engineering - Limiting Damage During Chaos Experiments
When doing chaos experiments, how can we avoid damage and how can we limit experiments to certain infrastructure/application parts.
Integrating DevOps and Security
This document discusses integrating DevOps and security by bringing development, operations, QA, and security teams together. It outlines where security currently stands, emphasizing the need to change from a "rugged" security model that acts as a bottleneck. The document proposes tactics to scale security through empathy, automation, and feedback loops. Specific tactics include integrating security into defect tracking, preventative controls, deployment pipelines, monitoring, and emphasizing that security says "we could do it this way" rather than only saying no. The overall goal is to improve security while making work easier.
The Challenges of Scaling DevSecOps
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Integrating Security into DevOps
This document discusses integrating security into DevOps practices. It notes that while DevOps embraces cloud automation and agility, security can slow things down. Traditional security approaches are ill-suited for cloud environments. The document introduces CloudPassage Halo as a security-as-a-service platform that provides automated security controls like firewall management, intrusion detection and vulnerability scanning across cloud infrastructure in a self-service manner. It also describes the CloudPassage Halo architecture and demostrates some of its features. Finally, it promotes the CloudPassage Halo API toolbox and offers six months of free developer access to the platform.
A journey from dev ops to devsecops
Veritis helps organizations in proactively adopting DevSecOps and redefining their operations, engineering and security to work in cohesion towards business success.
Turning security into code by Jeff Williams
Jeff Williams discusses turning security into code by adopting a DevOps approach to application security. He outlines three "ways" to do this: 1) Establish a continuous security workflow, 2) Ensure instant security feedback loops, and 3) Encourage a security-focused culture. The goal is to make security work an integral part of the development process through automation, integration, and cultural changes.
Security in a Continuous Delivery World
This document discusses security in a continuous delivery world. It covers the following key points:
1. Two important aspects of information security are understanding limitations of controls and communicating security recommendations simply.
2. Agile security practices include tracking security issues in a bug tracker with attributes like risk level, testing continuous delivery practices like automated deployments, and using an "app sec radar" to guide adoption of secure technologies.
3. Resources like OWASP provide guidance, libraries, tools and training to help implement secure development practices in continuous delivery.
Embracing the Rise of SecDevOps
SecDevOps is a set of business methodologies, operational procedures, & cultural practices proven to increase security, improve software quality, improve release frequency, & provide immediate insight into organizational exposures.
This presentation was accepted to the ASIA 2018 conference, authored by Thomas Cappetta.
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
Threat modeling can be challenging in agile environments where processes need to be lightweight and adaptable. The presentation discusses the OWASP STAYPUFT methodology for integrating threat modeling into agile development. It involves three phases - ascertain threats from user stories, identify threats to components, and select mitigations from common controls. Examples are given for how threat modeling can be incorporated into scrum and kanban processes by updating diagrams and assumptions during planning and reviews. The goal is to perform threat modeling iteratively to keep security risks understood and addressed throughout development.
DevSecCon London 2017: when good containers go bad by Tim Mackey
This document summarizes Tim Mackey's presentation at DevSecCon. It discusses the importance of security driven development practices like using trusted components, continuous integration processes that include security testing, and digitally signing container images. It warns that while infrastructure teams aim to provide security, vulnerabilities can still exist, and advocates continually evaluating the trust of components used. The document predicts disclosure of security issues will increase and outlines penalties for data breaches under new regulations like GDPR. It emphasizes automating awareness of open source dependencies to keep pace with DevOps.
Vulnerabilities are bugs, Let's Test For Them!
The document introduces VAddy, a continuous security testing service that allows development teams to easily integrate automated vulnerability scans into their development workflows. It highlights issues with existing security testing tools, such as difficulty of setup and maintenance. VAddy aims to simplify continuous security testing through a SaaS model that requires no installation and supports various integration methods. It uses machine learning to scan applications automatically without extensive configuration.
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec applies DevOps principles like decentralization, shared resources, and transparency to security. It focuses on reducing the mean time to detect (MTTD) security issues and mean time to resolve (MTTR) them. Automating security testing and integrating it into continuous integration helps detect attacks and issues earlier. Treating security operations like other services improves culture.
DevSecOps for you Full Stack
The document discusses DevSecOps and how it adds security as a fundamental part of the development process. It introduces Polyverse's polymorphing technology which immunizes software stacks through continuous diversity, creating unique versions of Linux without impacting performance. The polymorphing build farm compiles source code in multiple ways to generate diverse binaries, providing benefits like reduced patching time and protection against zero-days.
Dos and Don'ts of DevSecOps
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
How to Get Started with DevSecOps
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
SCS DevSecOps Seminar - State of DevSecOps
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
In this session, you learn pragmatic steps to integrate security controls into DevOps processes in your AWS environment at scale. Cyber security expert and founder of Alert Logic Misha Govshteyn shares insights from high performing teams who are embracing the reality that an agile security program can enable faster and more secure workload deployments. Joining Misha is Joey Peloquin, Director of Cloud Security Operations at Citrix, who discusses Citrix’s DevOps experiences and how they manage their cyber security posture within the AWS Cloud.
Session sponsored by Alert Logic
More Related Content
What's hot
Introduction to DevSecOps
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
Security champions v1.0
This document provides information about security champions and their role in an application security (AppSec) team. It explains that security champions are developers who help bridge the gap between security and development teams by focusing on application security activities like threat modeling, code reviews, and security testing. They spend 20% of their time on these security responsibilities. The benefits of being a security champion include career advancement opportunities through learning more about application security. Security champions receive training and support from a central AppSec team. They also participate in weekly meetings and hackathons to improve security skills and find issues in applications.
PIACERE - DevSecOps Automated
This document summarizes the PIACERE project, which aims to integrate security into DevSecOps processes. It receives funding from the EU Horizon 2020 program. The project develops tools like the DevSecOps Modeling Language (DOML) and Verification Tool to integrate security principles into infrastructure modeling and deployment. It also includes a Canary Sandbox Environment for testing deployments and an Infrastructure Optimization Platform for optimizing cloud resources. The overall goal is to provide a unified platform for secure, automated deployment to multiple clouds.
Principles Of Chaos Engineering - Chaos Engineering Hamburg
This document discusses chaos engineering and its principles. It provides an agenda for a talk on AWS basics, the evolution of chaos testing, tooling for chaos engineering, and chaos engineering itself. It describes how chaos engineering experiments are used to test systems by simulating failures like instance or availability zone outages. The key principles of chaos engineering are to understand normal system behavior, build hypotheses around steady states, vary real-world events by conducting experiments in production, and automate experiments continuously. Popular tools for chaos engineering include Chaos Monkey, Chaos Gorilla, and Chaos Kong.
From Gates to Guardrails: Alternate Approaches to Product Security
1. Jason Chan, an engineering director at Netflix, gave a presentation about product security approaches at Netflix.
2. Netflix has an agile development culture with over 200 daily production pushes across 1000+ supported devices in 40 countries. This results in a need for security approaches that can handle Netflix's scale and speed.
3. Netflix employs approaches like visibility into security-related data, automation through over 1000 tests, and an immutable server pattern to enable security in their fast-paced, cloud-based environment.
Chaos Engineering - Limiting Damage During Chaos Experiments
When doing chaos experiments, how can we avoid damage and how can we limit experiments to certain infrastructure/application parts.
Integrating DevOps and Security
This document discusses integrating DevOps and security by bringing development, operations, QA, and security teams together. It outlines where security currently stands, emphasizing the need to change from a "rugged" security model that acts as a bottleneck. The document proposes tactics to scale security through empathy, automation, and feedback loops. Specific tactics include integrating security into defect tracking, preventative controls, deployment pipelines, monitoring, and emphasizing that security says "we could do it this way" rather than only saying no. The overall goal is to improve security while making work easier.
The Challenges of Scaling DevSecOps
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Integrating Security into DevOps
This document discusses integrating security into DevOps practices. It notes that while DevOps embraces cloud automation and agility, security can slow things down. Traditional security approaches are ill-suited for cloud environments. The document introduces CloudPassage Halo as a security-as-a-service platform that provides automated security controls like firewall management, intrusion detection and vulnerability scanning across cloud infrastructure in a self-service manner. It also describes the CloudPassage Halo architecture and demostrates some of its features. Finally, it promotes the CloudPassage Halo API toolbox and offers six months of free developer access to the platform.
A journey from dev ops to devsecops
Veritis helps organizations in proactively adopting DevSecOps and redefining their operations, engineering and security to work in cohesion towards business success.
Turning security into code by Jeff Williams
Jeff Williams discusses turning security into code by adopting a DevOps approach to application security. He outlines three "ways" to do this: 1) Establish a continuous security workflow, 2) Ensure instant security feedback loops, and 3) Encourage a security-focused culture. The goal is to make security work an integral part of the development process through automation, integration, and cultural changes.
Security in a Continuous Delivery World
This document discusses security in a continuous delivery world. It covers the following key points:
1. Two important aspects of information security are understanding limitations of controls and communicating security recommendations simply.
2. Agile security practices include tracking security issues in a bug tracker with attributes like risk level, testing continuous delivery practices like automated deployments, and using an "app sec radar" to guide adoption of secure technologies.
3. Resources like OWASP provide guidance, libraries, tools and training to help implement secure development practices in continuous delivery.
Embracing the Rise of SecDevOps
SecDevOps is a set of business methodologies, operational procedures, & cultural practices proven to increase security, improve software quality, improve release frequency, & provide immediate insight into organizational exposures.
This presentation was accepted to the ASIA 2018 conference, authored by Thomas Cappetta.
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
Threat modeling can be challenging in agile environments where processes need to be lightweight and adaptable. The presentation discusses the OWASP STAYPUFT methodology for integrating threat modeling into agile development. It involves three phases - ascertain threats from user stories, identify threats to components, and select mitigations from common controls. Examples are given for how threat modeling can be incorporated into scrum and kanban processes by updating diagrams and assumptions during planning and reviews. The goal is to perform threat modeling iteratively to keep security risks understood and addressed throughout development.
DevSecCon London 2017: when good containers go bad by Tim Mackey
This document summarizes Tim Mackey's presentation at DevSecCon. It discusses the importance of security driven development practices like using trusted components, continuous integration processes that include security testing, and digitally signing container images. It warns that while infrastructure teams aim to provide security, vulnerabilities can still exist, and advocates continually evaluating the trust of components used. The document predicts disclosure of security issues will increase and outlines penalties for data breaches under new regulations like GDPR. It emphasizes automating awareness of open source dependencies to keep pace with DevOps.
Vulnerabilities are bugs, Let's Test For Them!
The document introduces VAddy, a continuous security testing service that allows development teams to easily integrate automated vulnerability scans into their development workflows. It highlights issues with existing security testing tools, such as difficulty of setup and maintenance. VAddy aims to simplify continuous security testing through a SaaS model that requires no installation and supports various integration methods. It uses machine learning to scan applications automatically without extensive configuration.
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec applies DevOps principles like decentralization, shared resources, and transparency to security. It focuses on reducing the mean time to detect (MTTD) security issues and mean time to resolve (MTTR) them. Automating security testing and integrating it into continuous integration helps detect attacks and issues earlier. Treating security operations like other services improves culture.
DevSecOps for you Full Stack
The document discusses DevSecOps and how it adds security as a fundamental part of the development process. It introduces Polyverse's polymorphing technology which immunizes software stacks through continuous diversity, creating unique versions of Linux without impacting performance. The polymorphing build farm compiles source code in multiple ways to generate diverse binaries, providing benefits like reduced patching time and protection against zero-days.
Dos and Don'ts of DevSecOps
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
How to Get Started with DevSecOps
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
What's hot (20)
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Principles Of Chaos Engineering - Chaos Engineering Hamburg
From Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
Chaos Engineering - Limiting Damage During Chaos Experiments
Chaos Engineering - Limiting Damage During Chaos Experiments
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Similar to Devsecops at Cimpress
SCS DevSecOps Seminar - State of DevSecOps
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
In this session, you learn pragmatic steps to integrate security controls into DevOps processes in your AWS environment at scale. Cyber security expert and founder of Alert Logic Misha Govshteyn shares insights from high performing teams who are embracing the reality that an agile security program can enable faster and more secure workload deployments. Joining Misha is Joey Peloquin, Director of Cloud Security Operations at Citrix, who discusses Citrix’s DevOps experiences and how they manage their cyber security posture within the AWS Cloud.
Session sponsored by Alert Logic
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability
Cncf checkov and bridgecrew
This document discusses a webinar about integrating infrastructure as code (IaC) security into the development lifecycle using Checkov. It notes that nearly half of open source Terraform and CloudFormation templates contain security issues. Checkov is introduced as an open source IaC scanning tool that supports multiple frameworks and cloud providers. The benefits of Checkov include lower remediation times, reduced security incidents, and simplifying compliance. Integrations with DevOps tools and the Cloud Native Application Platform Approach (CNAPP) are also discussed. A demo of Checkov is then shown including using it with VS Code and Azure DevOps.
Serverless security - how to protect what you don't see?
Protecting serverless is a new topic. This presentation aims at showing what new security challenges it brings, and how CISO and security teams should approach it.
The serverless space evolves fast and there is no convergence on best practices yet. The switch to a serverless architecture involves several changes, for instance developers doing much more ops with serverless, deploying 20 times more services than previously...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Serverless security: how to protect what you don't see?
Jean Baptiste Aviat, Co-founder and CTO at Sqreen.io
Agile and Secure SDLC
This document discusses implementing a secure software development lifecycle (SDLC) to improve application security. It outlines why the traditional approach of only involving security experts does not work. Instead, it proposes integrating security practices throughout each phase of the development process, including requirements, design, implementation, verification, and release. This includes training developers, conducting threat modeling and security testing, using security tools in continuous integration, and analyzing results to address issues early. The goal is to reduce security defects over time by changing developer mindsets and integrating security as applications are built.
DevSecOps | DevOps Sec
DevSecOps enables organizations to deliver secure software at DevOps speed.
Development - Software releases and updates
Operations - Reliability Performance & Scaling
Security - Confidentiality, Availability, Integrity
Introduction to Chaos Engineering
General overview of what is "Chaos Engineering", the current
"perturbation models" available and the benefits of Chaos Engineering to Customers, Business and Tech.
Weaponizing Your DevOps Pipeline
Modern development teams are delivering features at a rapid pace using modern technologies such as containers, microservices, and serverless functions. Operations and infrastructure teams are supporting these rapid delivery cycles using Infrastructure as Code, Test Driven Infrastructure (TDI), and cloud automation. Yet, most security teams are still using traditional security approaches and can't keep up with the rate of accelerated change.
Security must be reinvented in a DevOps world to take advantage of the opportunities provided by continuous integration and delivery pipelines. In this talk, attendees will take a journey through the DevSecOps Toolchain broken down into the key phases: pre-commit, commit, acceptance, production, and operations. We will explore the pre-commit and commit phases in-depth, identifying security controls, open source tools, and how to integrate these tools into a pipeline. Attendees will walk away with a practical approach for weaponizing the toolchain and building a successful DevSecOps program.
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
This document summarizes a presentation on taking a DevOps approach to security. Some key points include: DevOps improves security posture through practices like configuration management, automation, and immutable infrastructure. However, security tools have not kept pace with DevOps velocity. The presentation advocates integrating security practices into DevOps workflows, such as through continuous security testing, centralized logging, and managing vulnerabilities through standardized base images. Moving forward, software-defined security can help leverage cloud visibility and automate security responses in real-time.
Regulated Reactive - Security Considerations for Building Reactive Systems in...
This document discusses security considerations for building reactive systems in regulated industries. It provides an overview of the IBM Watson and Cloud Platform, and background on the presenter. It then discusses examples like the Equifax data breach and Abbott pacemaker recall that demonstrate the need for risk aversion in these industries. The document proposes moving from a monolithic patient vitals application to a reactive one using event sourcing and CQRS patterns. It outlines how these patterns can help with compliance, recovery from incidents, and reducing risk according to the NIST Cybersecurity Framework categories of Identify, Protect, Detect, Respond and Recover. A demo of the reactive patient vitals app is proposed to show how it reduces risk. The document concludes
For Business's Sake, Let's focus on AppSec
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
The document discusses moving from traditional to modern operational models using real-time operations and DevSecOps. It promotes adopting PagerDuty to help with real-time operations by providing a platform for on-call management, event intelligence, visibility across 300+ integrations. Adopting cloud technologies provides an opportunity to redefine operational models to be more collaborative, automated, proactive and learning-focused.
Introduction to DevSecOps
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
The document provides an overview of the Amazon Inspector security assessment service. It discusses how Amazon Inspector can automate vulnerability assessments for DevSecOps workflows, complementing AWS's shared security model. The session demonstrates how to quickly assess an entire Amazon EC2 fleet using Amazon Inspector, tailor assessments by tuning rules and schedules, and scale assessments using CloudFormation templates.
Building an application security program
With 73% of all cyber attacks happening on web applications* last year, there’s little doubt application layers and web-related attacks pose a significant risk to most organizations. However typical investment to protect common attack targets (content management systems and ecommerce platforms) don’t correspond.
This webinar examines the growth of applications in enterprise architecture and the risks associated with agile development, plus expert advice and real world examples on how to scope and build an successful application security program that will maximize coverage and optimize your limited resource
SecDevOps Risk Workflow - v0.6
Slides from presentation delivered at InfoSecWeek in London (Oct 2016) about making developers more productive, embedding security practices into the SDL and ensuring that security risks are accepted and understood.
The focus is on the Dev part of SecDevOps, and on the challenges of creating Security Champions for all DevOps stages.
Security and Advanced Automation in the Enterprise
As the complexity of your AWS environment grows, automating security is a crucial step in protecting your data from malicious attacks and unintentional vulnerabilities. Automation and security practices must work hand-in-hand in order to effectively protect your environment. In this session, you will learn how to leverage AWS tools and best-in-class 3rd party services to automate access control, security configuration, and monitoring in order to improve your overall security posture. Using real-life examples, you will come away with an understanding of how to secure your deployments while minimizing the work it takes to keep them secure – all while simplifying your compliance audit process. Topics include:
· Controlling access to your environment with automation tools
· Maintaining security during high velocity deployment cycles
· Protecting data from malicious attacks with automated security controls
· Monitoring and measuring configuration, access, and policy changes
Similar to Devsecops at Cimpress (20)
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Security and Advanced Automation in the Enterprise
Security and Advanced Automation in the Enterprise
More from Iftach Ian Amit
Cyber Risk Quantification - CyberTLV
Quantitative Risk Analysis Workshop - focused on working with business risk and factoring in cyber elements, and how to optimize the application of controls for the most effective risk management.
BSidesTLV Closing Keynote
What have you done?
Communities, hacking, sharing. What's wrong with today's hacker community, and the many simple ways to fix it.
Social Media Risk Metrics
Risk metric frameworks cover most of the elements that organizations deal with from an operational perspective. We have identified a gap in those, in which social media activities are not represented well (albeit being the highest growing attack vector). In this talk we’ll present a social media risk metric framework that allows organizations to measure and track both individuals as well as 3rd party entities risk to the organization.
ISTS12 Keynote
The keynote address for ISTS12 (Information Security Talent Search) at RIT (Rochester Institute of Technology).
From your Pocket to your Heart and Back
This document discusses cyber security risks in the financial and healthcare industries and their impact on homeland security. It covers three parts: examples of information disclosure vulnerabilities in access points; connecting these vulnerabilities to critical infrastructure protection and homeland security; and arguing that an asset-centric rather than product-centric approach is needed to address industry-specific security challenges.
Painting a Company Red and Blue
The document discusses the roles and techniques of red teams and blue teams, with the red team focusing on simulating real threats through activities like social engineering and identifying vulnerabilities, while the blue team aims to assess risks, minimize damage from attacks, and apply lessons learned to strengthen processes, people, and technology. It provides examples of tactics for each team and emphasizes the importance of collaboration between red and blue teams to continuously improve an organization's security.
"Cyber" security - all good, no need to worry?
This document discusses cyber security risks and incidents over time. It notes that 52% of all incidents are from businesses, with government, medical, and education each accounting for around 15-20% of incidents. The majority (57%) of incidents are caused by outside actors, while 20% are from insider threats and 10% are accidental insider incidents. The number of reported data loss incidents has increased significantly over time from just over 100 in 2004 to over 1600 in 2013. The document advocates returning to basic risk management practices, including prioritizing remediation based on risk, impact, costs, and addressing the most critical gaps in assets, processes, technologies and threats based on priority. It warns against overspending on products and focusing
Armorizing applications
This document discusses the importance of application logs for security purposes. It notes that while network, system and other logs have improved, application logs are still often lacking crucial context about user actions and application state. To effectively investigate issues, security analysts need a unified view of all log data, including details applications have about user sessions, access and functionality used. The document urges application developers to make more of this type of contextual log data available to defenders to help connect dots between different system components and entities.
Seeing Red In Your Future?
Derbycon 2013 - Seeing Red in Your Future?
This talk is designed to complement the “Fifty Shades of Red” talk tomorrow, and provide context for organizations who either think about engaging in a red team test, or have been doing red teaming and want to see more value out of it. In this talk we’ll cover some of the basic elements of what red teaming is, and specifically how it benefits an organization engaging in such a practice. Red teaming by itself is a high-interaction test. Unlike many other tests (namely penetration testing, compliance engagements, vulnerability assessments and other IT related practices), red team is not limited to the technical scope of the organization’s security infrastructure. As such, it is imperative to be able to extract as much value out of a red team engagement as possible, and see return on that investment in as many different areas of the organization as possible. Based on years of experience in conducting red team tests, training and helping organizations improve their security through red teaming, these insights will be applicable to everyone who is seeing red in their future (and you all should in order to really address security in an organization that has people working in it and not just machines).
Hacking cyber-iamit
Hacking involves a single target and shallow attacks using common tools and techniques, motivated by financial or political goals. Cyber attacks are part of cyber warfare involving strategic targets across physical, social, intelligence and electronic domains using custom tools in a coordinated campaign. Cyber defenses require a strategic defense in depth approach across all domains with awareness training, unlike typical IT security products. Hacking is an individual battle while cyber attacks are part of a larger warfare strategy.
Passwords good badugly181212-2
This document discusses best practices for securely storing passwords. It notes that passwords are often stored insecurely, such as in plain text. To securely store passwords, it recommends encrypting them using cryptographic hash functions with salts. Specifically, it advises using functions such as SHA-2, bcrypt, and scrypt, which can include salts and be slowed down through key stretching to make passwords very difficult to hack or crack. Following these guidelines helps protect users and companies by securing password data.
Bitcoin
This document provides an introduction to bitcoin, including what it is, how it works, advantages, disadvantages, weaknesses, history, data, mining process over time, physical representations, and future possibilities. Bitcoin is described as a decentralized digital currency based on cryptography, without a central authority. Transactions are confirmed by miners who are rewarded with new bitcoins. Key aspects covered include how users can send and receive bitcoins, security issues, increasing difficulty of mining over time, and the currency's value and adoption over its history.
Sexy defense
The document discusses strategies for maximizing home-field advantage in cybersecurity defense. It argues that defenders should flip the perspective of red team attackers by mapping assets and security issues, correlating internal and external threat data over time, and taking proactive measures like counterintelligence operations. Examples given include infiltrating hacker communities to booby-trap tools and using attackers' own tools against them. The presentation calls on vendors to develop integrative security products and defenders to own their security data and intelligence in order to focus defenses on real risks rather than compliance.
Cyber state
A presentation on the state of cyber security, current threats and opportunities at the national level.
An overview of current readiness analysis for countries, along-with a recommended strategic approach to developing capabilities and partnerships locally, regionally, and globally.
Advanced Data Exfiltration - the way Q would have done it
An updated version of my data exfiltration talk. Much more "visual" in nature.
Used it at Hashdays, Govcert.NL, SourceBCN, and SecurityZone.
Infecting Python Bytecode
A method of infecting python bytecode with self-spreading mechanism.
Presented at the November 2011 meeting of the DC9723.
Exploiting Second life
Second Life is a free online virtual world where users can generate content. Users can exchange the virtual currency, Linden Dollars, for real money. Key industries include real estate, adult entertainment, and fashion. Some users exploit the system by creating weapons to annoy others or using third-party viewers to crash clients and copy content illegally. In response, Linden Lab banned over 10,000 users and tightened policies around virtual weapons and third-party viewers.
Cheating in Computer Games
This document discusses cheating in games and the techniques used. It covers reasons for cheating such as fun, profit, and gaining knowledge. It also discusses common cheating methods like bots, trainers, patching, and hooking. It provides examples of how to hook into the Windows API and examples of anti-cheating techniques used by game developers. Overall, the document is about cheating techniques in games and the ongoing challenge for developers to create uncheatable games.
More from Iftach Ian Amit (20)
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done it
Recently uploaded
Truck Loading Conveyor Manufacturers Chennai
https://conveyorManufacturersManufacturers.com/
#bangalore #hyderabad #cochin #chennai #munnar #ooty #mysore #alappuzha #pondicherry #madurai #karnataka #tirupati #visakhapatnam #coimbatore #kerala #thanjavur #thiruvananthapuram #andhra #telangana #tamilnadu #andamanandnicobar #lakshadweep #hubli #secunderabad #kozhikode #mangaluru #trichy #palakkad #dharwad #kurnool #kottayam #raichur #amravati #vijayawada #kanyakumari #rameshwaram #warangal #mahabalipuram #mumbai #pune #nashik
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
SATTA MATKA DPBOSS KALYAN MATKA RESULTS KALYAN CHART KALYAN MATKA MATKA RESULT KALYAN MATKA TIPS SATTA MATKA MATKA COM MATKA PANA JODI TODAY BATTA SATKA MATKA PATTI JODI NUMBER MATKA RESULTS MATKA CHART MATKA JODI SATTA COM INDIA SATTA MATKA MATKA TIPS MATKA WAPKA ALL MATKA RESULT LIVE ONLINE MATKA RESULT KALYAN MATKA RESULT DPBOSS MATKA 143 MAIN MATKA KALYAN MATKA RESULTS KALYAN CHART INDIA MATKA KALYAN SATTA MATKA 420 INDIAN MATKA SATTA KING MATKA FIX JODI FIX FIX FIX SATTA NAMBAR MATKA INDIA SATTA BATTA
8328958814KALYAN MATKA | MATKA RESULT | KALYAN
8328958814KALYAN MATKA | MATKA RESULT | KALYAN KALYAN MATKA | MATKA RESULT | KALYAN MATKA TIPS | SATTA MATKA | MATKA.COM | MATKA PANA
Kalyan Chart Satta Matka Dpboss Kalyan Matka Results
KALYAN CHART SATTA MATKA DPBOSS KALYAN MATKA RESULTS KALYAN MATKA MATKA RESULT KALYAN MATKA TIPS SATTA MATKA MATKA COM MATKA PANA JODI TODAY BATTA SATKA MATKA PATTI JODI NUMBER MATKA RESULTS MATKA CHART MATKA JODI SATTA COM INDIA SATTA MATKA MATKA TIPS MATKA WAPKA ALL MATKA RESULT LIVE ONLINE MATKA RESULT KALYAN MATKA RESULT DPBOSS MATKA 143 MAIN MATKA KALYAN MATKA RESULTS KALYAN CHART
Stainless Steel Conveyor Manufacturers Chennai
https://conveyorManufacturersManufacturers.com/
#bangalore #hyderabad #cochin #chennai #munnar #ooty #mysore #alappuzha #pondicherry #madurai #karnataka #tirupati #visakhapatnam #coimbatore #kerala #thanjavur #thiruvananthapuram #andhra #telangana #tamilnadu #andamanandnicobar #lakshadweep #hubli #secunderabad #kozhikode #mangaluru #trichy #palakkad #dharwad #kurnool #kottayam #raichur #amravati #vijayawada #kanyakumari #rameshwaram #warangal #mahabalipuram #mumbai #pune #nashik
AI Transformation Playbook: Thinking AI-First for Your Business
I dive into how businesses can stay competitive by integrating AI into their core processes. From identifying the right approach to building collaborative teams and recognizing common pitfalls, this guide has got you covered. AI transformation is a journey, and this playbook is here to help you navigate it successfully.
MECE (Mutually Exclusive, Collectively Exhaustive) Principle
[To download this presentation, visit:
https://www.oeconsulting.com.sg/training-presentations]
Unlock the full potential of the MECE (Mutually Exclusive, Collectively Exhaustive) Principle with this comprehensive PowerPoint deck. Designed to enhance your analytical skills and strategic decision-making, this presentation guides you through the fundamental concepts, advanced techniques, and practical applications of the MECE framework, ensuring you can apply it effectively in various business contexts.
The MECE Principle, developed by Barbara Minto, an ex-consultant at McKinsey, is a foundational tool for structured thinking. Minto is also renowned for the Minto Pyramid Principle, which emphasizes the importance of logical structuring in writing and presenting ideas. This presentation includes a clear explanation of the MECE principle and its significance. It offers a detailed exploration of MECE concepts and categories, highlighting how to create mutually exclusive and collectively exhaustive segments. You will learn to combine MECE with other powerful business frameworks like SWOT, Porter's Five Forces, and BCG Matrix. Discover sophisticated methods for applying MECE in complex scenarios and enhancing your problem-solving abilities. The deck also provides a step-by-step guide to performing thorough and structured MECE analyses, ensuring no aspect is overlooked. Insider tips are included to help you avoid common mistakes and optimize your MECE applications.
The presentation features illustrative examples from various industries to show MECE in action, providing practical insights and inspiration. It includes engaging group activities designed for the practice of the MECE principle, fostering collaborative learning and application. Key takeaways and success factors for mastering the MECE principle and applying it in your professional work are also covered.
The MECE Principle presentation is meticulously designed to provide you with all the tools and knowledge you need to master the MECE principle. Whether you're a business analyst, manager, or strategist, this presentation will empower you to deliver insightful and actionable analysis, drive better decision-making, and achieve outstanding results.
LEARNING OBJECTIVES:
1. Understand the MECE Principle
2. Improve Analytical Skills
3. Apply MECE Framework
4. Enhance Decision-Making
5. Optimize Resource Allocation
6. Facilitate Strategic Planning
Enabling Digital Sustainability by Jutta Eckstein
This is a New Zealand wide meetup event with meetup groups from Auckland, Wellington and Christchurch attending and open to anyone with an interest in digital sustainability or agile. All welcome. Joke, this is how it started. Jutta is now also available in Germany, i.e. hosted by Berlin/Brandenburg
According to the World Economic Forum, digital technologies can help reduce global carbon emissions by up to 15%. However, digitalization also comes with some challenges. Thus, if we want to make a positive impact by increasing sustainability, we need to address challenges like the digital divide, energy consumption of IT, or the rise of electronic waste. In this talk, I want to explore how Agile can help to leverage Digital Sustainability.
Easy Earnings Through Refer and Earn Apps Without KYC.pptx
Learn how to make extra money with refer and earn apps that don’t require KYC. Find out the advantages, top apps, and strategies to boost your earnings quickly and easily.
High-Quality IPTV Monthly Subscription for $15
Experience high-quality entertainment with our IPTV monthly subscription for just $15. Access a vast array of live TV channels, movies, and on-demand shows with crystal-clear streaming. Our reliable service ensures smooth, uninterrupted viewing at an unbeatable price. Perfect for those seeking premium content without breaking the bank. Start streaming today!
https://rb.gy/f409dk
Adani Group Requests For Additional Land For Its Dharavi Redevelopment Projec...
It will bring about growth and development not only in Maharashtra but also in our country as a whole, which will experience prosperity. The project will also give the Adani Group an opportunity to rise above the controversies that have been ongoing since the Adani CBI Investigation.
Revolutionizing Surface Protection Xlcoatings Nano Based Solutions
Excelcoating Transforming surface protection with their cutting-edge, eco-friendly nano-based coatings. This presentation delves into their innovative product lineup, including Excel CoolCoat for roof cooling, Excel NanoSeal for cement surfaces, Excel StayCool for UV-filtering glass, Excel StayClean for solar panels, Excel CoolTile for heat-reflective tiles, and Excel InsulX for film insulation.
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi_compressed.pdf
Greetings,
Hawk Energy is pleased to present you with the latest energy news
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi
Regards.
Founder & S.Editor - NewBase Energy
Khaled M Al Awadi, Energy Consultant
MS & BS Mechanical Engineering (HON), USAGreetings,
Hawk Energy is pleased to present you with the latest energy news
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi
Regards.
Founder & S.Editor - NewBase Energy
Khaled M Al Awadi, Energy Consultant
MS & BS Mechanical Engineering (HON), USAGreetings,
Hawk Energy is pleased to present you with the latest energy news
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi
Regards.
Founder & S.Editor - NewBase Energy
Khaled M Al Awadi, Energy Consultant
MS & BS Mechanical Engineering (HON), USAGreetings,
Hawk Energy is pleased to present you with the latest energy news
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi
Regards.
Founder & S.Editor - NewBase Energy
Khaled M Al Awadi, Energy Consultant
MS & BS Mechanical Engineering (HON), USAGreetings,
Hawk Energy is pleased to present you with the latest energy news
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi
Regards.
Founder & S.Editor - NewBase Energy
Khaled M Al Awadi, Energy Consultant
MS & BS Mechanical Engineering (HON), USAGreetings,
Hawk Energy is pleased to present you with the latest energy news
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi
Regards.
Founder & S.Editor - NewBase Energy
Khaled M Al Awadi, Energy Consultant
MS & BS Mechanical Engineering (HON), USA
Kirill Klip GEM Royalty TNR Gold Copper Presentation
Tesla Energy rEVolution And The Golden Age For Copper: Kirill Klip GEM Royalty TNR Gold Copper Presentation
Adani Group's Active Interest In Increasing Its Presence in the Cement Manufa...
Time and again, the business group has taken up new business ventures, each of which has allowed it to expand its horizons further and reach new heights. Even amidst the Adani CBI Investigation, the firm has always focused on improving its cement business.
Lukas Rycek - GreenChemForCE - project structure.pptx
Projekt GreenChemForCE
Podporujeme zelený chemický průmysl ve střední Evropě
Recently uploaded (20)
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Kalyan Chart Satta Matka Dpboss Kalyan Matka Results
Kalyan Chart Satta Matka Dpboss Kalyan Matka Results
AI Transformation Playbook: Thinking AI-First for Your Business
AI Transformation Playbook: Thinking AI-First for Your Business
MECE (Mutually Exclusive, Collectively Exhaustive) Principle
MECE (Mutually Exclusive, Collectively Exhaustive) Principle
Easy Earnings Through Refer and Earn Apps Without KYC.pptx
Easy Earnings Through Refer and Earn Apps Without KYC.pptx
Adani Group Requests For Additional Land For Its Dharavi Redevelopment Projec...
Adani Group Requests For Additional Land For Its Dharavi Redevelopment Projec...
Revolutionizing Surface Protection Xlcoatings Nano Based Solutions
Revolutionizing Surface Protection Xlcoatings Nano Based Solutions
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi_compressed.pdf
NewBase 20 June 2024 Energy News issue - 1731 by Khaled Al Awadi_compressed.pdf
Kirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper Presentation
Adani Group's Active Interest In Increasing Its Presence in the Cement Manufa...
Adani Group's Active Interest In Increasing Its Presence in the Cement Manufa...
Lukas Rycek - GreenChemForCE - project structure.pptx
Lukas Rycek - GreenChemForCE - project structure.pptx
Devsecops at Cimpress
- 1. DevSecOps at Cimpress Ian Amit Chief Security Officer
- 3. Challenges • Worldwide operations • Decentralized (14 business units, and counting ;-) ) • Varying technology stacks (from latest and greatest, to factory IT/OT running legacy software) • Rapid deployment cycles • Major cloudification (AWS, Azure and GCP)
- 4. Our approach - the road to DevSecOps Threat Modeling Threats Assets Prioritization/ Execution Controls Assertions Response Tests
- 5. Threat Modeling • STRIDE? DREAD? • MITRE ATT&CK Framework [1] • CAPEC [2] https://attack.mitre.org/wiki/Main_Page https://capec.mitre.org/ What are you protecting? What’s the value of it? Who/what are you protecting it from? Threats Assets Controls Assertions Tests
- 6. DevSecOps Controls Assertions Tests • Create assertions based on threat model • What is supposed to happen? What’s not supposed to happen?… • Assure test case coverage in dev. • Add external validation through scanners. SAST/DAST. • Integrate controls over assertions/tests.
- 7. But forget all of that
- 8. Think about the developer first
- 9. This is how developers want/need to see us security people Minus the suit of course. Everyone knows we wear hoodies ;-)
- 10. The Sec in DevSecOps • Every additional interaction needed from dev is a speed bump • Every additional interface is a traffic light • Every new language/term is a “calculating new route”…
- 11. Expected Deliverables Unit Test Coverage Automated tool scans Implies existence of unit testing that address the threat model scenarios Implies fixes to the code where applicable and coverage for the “hygiene” elements of the threat model