The Emergent Cloud Security Toolchain for CI/CD - James Wickett
Security is in crisis and it needs a new way to move forward. This talk, from the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of DevOps and DevSecOps.
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
The New Ways of DevSecOps - The Secure Dev 2019 - James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Learn what DevSecOps really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
How GitLab and HackerOne help organizations innovate faster without compromis... - HackerOne
In this webinar, GitLab’s Product Manager, Victor Wu, dives into how GitLab helps you ship secure code, the tools they use, and a few industry best practices they follow to protect data and secrets. Then, GitLab Security Lead, Brian Neel, will explain how they leverage their community using HackerOne to spot and prioritize security issues quickly.
A DevSecOps Tale of Business, Engineering, and People - James Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps - James Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Adversary Driven Defense in the Real World - James Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
The DevSecOps Builder's Guide to the CI/CD Pipeline - James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
DevOps aims to automate the process between software development and IT operations. This includes continuous integration, continuous delivery, and infrastructure management. The document discusses definitions of DevOps, tools for source control, continuous integration, deployment, testing, monitoring and containers/orchestration. It emphasizes creating automation to reduce errors and speed up development cycles. Automation should be implemented gradually by focusing on the most painful manual tasks each sprint.
Tired of having users email you that your web application is broken? Turns out that building reliable web applications is hard and requires a lot of testing. You can write unit tests but quite often these all pass and the application is still broken. Why? Because they test parts of the application in isolation. But for a reliable application we need more. We need to make sure that all parts work together as intended.
Cypress is a great tool to achieve this. It will test your complete web application in the browser and use it like a real user would. In this session Maurice will show you how to use Cypress during development and on the CI server. He will share tips and tricks to make your tests more resilient and more like how an actual end user would behave.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and... - Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. This includes asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, and artifact and evidence collection.
DevSecOps: essential tooling to enable continuous security (2019-09-16) - Rich Mills
Richard Mills discusses how DevSecOps enables continuous security in Agile development through integrating security tools and processes into CI/CD pipelines. He outlines essential categories of security tools, including static analysis, software composition analysis, vulnerability scanning, dynamic testing, and monitoring. These tools can run tests at various stages of the pipeline to catch issues early. Mills also stresses the importance of integrating security teams with development teams through structures like technical guilds to build a culture of security.
Defense-Oriented DevOps for Modern Software Development - James Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security, and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
1. Treat all systems and infrastructure as code
2. Change the engineering culture to orient around delivery
3. Favor a fast delivery cadence
4. Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Kim van Wilgen - Continuous security - Codemotion Rome 2019 - Codemotion
Delivering small and fast means we are more frequently introducing new vulnerabilities. We're facing new threats that come from cloud computing and the internet of things. Traditional cycles of pentests and code reviews are not keeping up. DevSecOps focuses on integrating security in our processes and teams. Automate first and fail fast will help build security in, and will also support the growth of awareness in the teams. Kim will show the practical lessons learned from her journey. Get an overview of the current continuous security landscape and the practical insights and pitfalls.
Delivered at DevSecOps Days 2018, RSA Conference
About J. Wolfgang Goerlich
CBI (Creative Breakthroughs, Inc.)
Cyber Security Strategist
J. Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy sectors. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high-speed, high-security networks, and IT security officer and manager for a financial services firm. He is an active part of the security community, co-founding Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
In 2009 Patrick Debois coined the term "DevOps" when he organised the first "DevOpsDays" in Ghent, Belgium. Since then the term has come to describe the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high-quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack security and/or legal regulations, causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote on whether we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands it can no longer ignore the importance of security.
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020 - Brian Levine
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program (imagine it's day 1 in your new role as an application security manager), which playbook would you use? There's an alphabet soup of standards to choose from: you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] Here is what we're going to cover in these three core areas. We'll focus on establishing a security Culture, we'll look at developing and scaling security Processes, and we'll look at Governance for ensuring visibility and executive accountability.
AppSec California 2018: The Path of DevOps Enlightenment for InfoSec - James Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
Eight tips are provided for deploying DevSecOps:
1. Embrace automation and prepare security teams for automated integration with DevOps initiatives.
2. Enable security testing tools and processes earlier in the development process.
3. Prioritize automated tools that can quickly triage critical issues to reduce false positives.
4. Start identifying open source components and vulnerabilities in development as a high priority.
Security Champions - Introduce them in your Organisation - Ives Laaf
How to get secure software development established and train teams. A methodology based on the concept of security champions and OWASP tools and guides.
This document summarizes ABN AMRO's DevSecOps journey and initiatives. It discusses their implementation of continuous integration and delivery pipelines to improve software quality, reduce lead times, and increase developer productivity. It also covers their work to incorporate security practices like open source software management, container security, and credentials management into the development lifecycle through techniques like dependency scanning, security profiling, and a centralized secrets store. The presentation provides status updates on these efforts and outlines next steps to further mature ABN AMRO's DevSecOps capabilities.
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste... - Codemotion
Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
The document discusses how traditional application security testing is inefficient and outlines a need for a seismic shift left towards more integrated and automated security. It describes how traditional tools operate as separate silos and struggle with modern development practices like DevOps. The key to meaningful change is tightly integrating security scans and results directly into the development workflow via the CI/CD pipeline, allowing automatic testing of all code changes with no additional configuration or friction in the process. This enables more comprehensive and continuous security testing throughout the development lifecycle.
Industrial Challenges of Secure Software Development - Achim D. Brucker
This document discusses the challenges of secure software development at an industrial scale. It describes SAP's secure software development lifecycle process, which includes training, threat modeling, security testing, validation, and response. It then discusses some of the key challenges for industrial software development, including scalability issues due to large codebases, maintenance challenges due to modular code, and the difficulty of achieving complete security or automation. The document argues for more research in risk-based and economic approaches to security, as well as techniques for composable, automated security testing of integrated software systems.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
DevOps aims to automate the process between software development and IT operations. This includes continuous integration, continuous delivery, and infrastructure management. The document discusses definitions of DevOps, tools for source control, continuous integration, deployment, testing, monitoring and containers/orchestration. It emphasizes creating automation to reduce errors and speed up development cycles. Automation should be implemented gradually by focusing on the most painful manual tasks each sprint.
Tired of having users email you that your web application is broken? Turns out that building reliable web applications is hard and requires a lot of testing. You can write unit tests but quite often these all pass and the application is still broken. Why? Because they test parts of the application in isolation. But for a reliable application we need more. We need to make sure that all parts work together as intended.
Cypress is a great tool to achieve this. It will test you complete web application in the browser and use it like a real user would. In this session Maurice will show you how to use Cypress during development and on the CI server. He will share tips and tricks to make your tests more resilient and more like how an actual end user would behave.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
Richard Mills discusses how DevSecOps enables continuous security in Agile development through integrating security tools and processes into CI/CD pipelines. He outlines essential categories of security tools, including static analysis, software composition analysis, vulnerability scanning, dynamic testing, and monitoring. These tools can run tests at various stages of the pipeline to catch issues early. Mills also stresses the importance of integrating security teams with development teams through structures like technical guilds to build a culture of security.
Defense-Oriented DevOps for Modern Software DevelopmentJames Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Kim van Wilgen - Continuous security - Codemotion Rome 2019Codemotion
Delivering small and fast means we are more frequently introducing new vulnerabilities. We're facing new threats that come from cloud computing and the internet of things.Traditional cycles of pentests and code reviews are not keeping up. DevSecOps focuses on integrating security in our processes and teams. Automate first and fail fast will help build security in, and will also support the growth of awareness in the teams. Kim will show the practical lessons learned from her journey. Get an overview of the current continuous security landscape and the practical insights and pitfalls.
Delivered at DevSecOps Days 2018, RSA Conference
j. Wolfgang Goerlich
About J. Wolfgang Goerlich
About J Wolfgang Goerlich
CBI (Creative Breakthroughs, Inc.)
Cyber Security Strategist
J Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to the junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high speed high secure networks, and IT security officer and manager for a financial services firm. He is an active part of the security community; co-founding the Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdom of the martial arts master and philosopher Bruce Lee: adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit, I'm going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and that I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] Here is what we're going to cover in these three core areas: we'll focus on establishing a security Culture, we'll look at developing and scaling security Processes, and we'll look at Governance for ensuring visibility and executive accountability.
AppSec California 2018: The Path of DevOps Enlightenment for InfoSec, by James Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
Eight tips are provided for deploying DevSecOps:
1. Embrace automation and prepare security teams for automated integration with DevOps initiatives.
2. Enable security testing tools and processes earlier in the development process.
3. Prioritize automated tools that can quickly triage critical issues to reduce false positives.
4. Start identifying open source components and vulnerabilities in development as a high priority.
Security Champions - Introduce them in your Organisation, by Ives Laaf
How to get secure software development established and teams trained: a methodology based on the concept of security champions and on OWASP tools and guides.
This document summarizes ABN AMRO's DevSecOps journey and initiatives. It discusses their implementation of continuous integration and delivery pipelines to improve software quality, reduce lead times, and increase developer productivity. It also covers their work to incorporate security practices like open source software management, container security, and credentials management into the development lifecycle through techniques like dependency scanning, security profiling, and a centralized secrets store. The presentation provides status updates on these efforts and outlines next steps to further mature ABN AMRO's DevSecOps capabilities.
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste..., by Codemotion
Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
The document discusses how traditional application security testing is inefficient and outlines a need for a seismic shift left towards more integrated and automated security. It describes how traditional tools operate as separate silos and struggle with modern development practices like DevOps. The key to meaningful change is tightly integrating security scans and results directly into the development workflow via the CI/CD pipeline, allowing automatic testing of all code changes with no additional configuration or friction in the process. This enables more comprehensive and continuous security testing throughout the development lifecycle.
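The gate such a pipeline needs, as an added example that is not code from the document summarized above or from any tool it names: a script that reads a scanner's SARIF output at the CI step, skips findings the team has already suppressed, and fails the job when a result reaches a level or score threshold. SARIF 2.1.0 is the OASIS interchange format most SAST tools can emit; the `security-severity` rule property is the GitHub code-scanning convention (assumed here, since not every scanner sets it), and the sample document is constructed inline so the script runs offline.

```python
"""CI gate over SARIF scan output (added example, not from any talk on this page).

Reads the SARIF 2.1.0 document a SAST tool writes, ignores suppressed results,
and reports the findings that should block the build. The `security-severity`
rule property is the GitHub code-scanning convention (a CVSS-like 0-10 score);
the result `level` is the fallback for scanners that do not set it.
"""
import json
import sys

# SARIF result levels, ranked so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample: one blocking SQL injection finding, one low-severity
# warning, and one finding suppressed in source (a "nosec"-style marker).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.1"}},
            {"id": "LOG-002", "properties": {"security-severity": "3.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-002", "level": "warning",
             "message": {"text": "Unsanitised user input written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/log.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "SQLI-001", "level": "error",
             "suppressions": [{"kind": "inSource"}],
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def _rule_scores(run):
    """Map ruleId -> security-severity score declared by the tool driver."""
    scores = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        score = rule.get("properties", {}).get("security-severity")
        if score is not None:
            scores[rule["id"]] = float(score)
    return scores


def _location(result):
    """First physical location of a result as (uri, startLine)."""
    loc = result.get("locations", [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
    line = loc.get("region", {}).get("startLine", 0)
    return uri, line


def blocking_findings(sarif_text, min_level="error", min_score=7.0):
    """Return (ruleId, uri, line, message) for every unsuppressed result whose
    level is at least `min_level` or whose rule score is at least `min_score`."""
    doc = json.loads(sarif_text)
    threshold = LEVEL_RANK[min_level]
    blocking = []
    for run in doc.get("runs", []):
        scores = _rule_scores(run)
        for result in run.get("results", []):
            # Any suppression (in-source marker or external triage record) is
            # treated as accepted; a stricter gate would check its status too.
            if result.get("suppressions"):
                continue
            # SARIF's default level when omitted is "warning".
            rank = LEVEL_RANK.get(result.get("level", "warning"), 2)
            score = scores.get(result.get("ruleId"), 0.0)
            if rank >= threshold or score >= min_score:
                uri, line = _location(result)
                blocking.append((result.get("ruleId"), uri, line,
                                 result.get("message", {}).get("text", "")))
    return blocking


def gate(sarif_text, **thresholds):
    """Exit status for the CI step: 1 when anything blocks, else 0."""
    findings = blocking_findings(sarif_text, **thresholds)
    for rule, uri, line, msg in findings:
        print(f"BLOCK {rule} {uri}:{line} {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py results.sarif  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(gate(text))
```

Run it as the last step of the scan job and let its exit status fail the build; lowering `min_level` to "warning" is the usual way to tighten the gate once the backlog of existing findings has been triaged or suppressed.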
Industrial Challenges of Secure Software Development, by Achim D. Brucker
This document discusses the challenges of secure software development at an industrial scale. It describes SAP's secure software development lifecycle process, which includes training, threat modeling, security testing, validation, and response. It then discusses some of the key challenges for industrial software development, including scalability issues due to large codebases, maintenance challenges due to modular code, and the difficulty of achieving complete security or automation. The document argues for more research in risk-based and economic approaches to security, as well as techniques for composable, automated security testing of integrated software systems.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx, by lior mazor
Our technology, work processes, and activities all depend on whether we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, advanced DevSecOps methods, how to implement secure coding analysis and how to manage software security risks.
The document discusses product security and how it relates to application security, infrastructure security, and security operations for a specific product or system. It argues that applying DevOps methodologies to traditional application security practices can help make security part of everyday work for developers and operations teams. This will help change an organization's security culture to focus on designing security into products from the start.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show how easy it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples a DevOps team can implement for free.
Maturing DevSecOps: From Easy to High Impact, by SBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
This document contains a presentation about DevSecOps given by Diego Cardoso from GFT. The presentation discusses how security has traditionally been separated from development and operations in the software development lifecycle. It then outlines how DevSecOps aims to integrate security from the beginning through practices like shifting security left to earlier phases, establishing a security mindset across teams, and implementing security testing tools and processes that allow for rapid yet secure delivery. Trends discussed include the growing DevSecOps landscape and focus on topics like cloud security and compliance with data protection regulations like LGPD.
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pinpoint attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
This document discusses how security needs to adapt to keep up with rapid changes in technology and development practices. As internet usage and the number of developers have grown massively, the development process has become more complex, involving tools like AWS and DevOps. However, security has struggled to integrate effectively. The document argues security must improve its developer experience by focusing on high-impact issues, speaking the same language as developers, making tools easy to use, and tightly integrating with development workflows. By learning from how quality evolved, security can become a commodity that developers respect and rely on.
Developers Driving DevOps at Scale: 5 Keys to Success, by DevOps.com
As DevOps adoption matures in organizations, DevOps teams are leading the charge for enabling enterprises to scale their DevOps efforts to support increasingly complex application delivery requirements.
Tooling and processes that might have worked for more simple use cases often fail when applied across large-scale software delivery -- needing to support ALL teams, GEOs, point-tools, applications, processes, regulatory requirements, environments, and more.
How do you improve developer productivity and release velocity, without sacrificing governance, security, and org efficiency?
How do you streamline your processes and organizational alignment, without sacrificing flexibility and freedom of choice?
How do you support thousands of developers, applications and pipelines - both legacy and cloud-native - without getting buried in plugins/tools/spaghetti-scripts hell?
Join guest speaker Charles Betz, lead DevOps analyst at Forrester Research, and Loreli Cadapan, Sr. Director Product Management at JFrog, as they share architectural patterns, best practices and proven tips for scaling DevOps in the enterprise.
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
The future of companies depends on constant digital transformation and, for that, it is essential to maintain applications that meet customer demands and, above all, are secure. In this scenario the concept of DevSecOps was born, describing a set of practices for integrating software development teams. In this talk we will learn more about the concepts and how to apply DevSecOps in practice. We will provoke "healthy" discussions about the traditional development model and the agile model that is bringing a major paradigm shift to the way applications are built.
1. The document discusses how security is changing with new technologies like cloud computing, DevOps, and agile development. Traditional security practices are no longer effective.
2. It advocates migrating security left in the development process so it is designed into applications from the beginning. This allows for a faster security feedback loop.
3. Security needs to be automated and tested using tools and data platforms. Monitoring and inspecting everything is important for the new dynamic environments. Security decisions and controls are also changing to adapt to these new realities.
Getting to Know Security and Devs: Keys to Successful DevSecOps, by Franklin Mosley
In the past, security was seen as a function of the ‘security’ organization. With DevOps, we aim to break down these silos and make security a shared responsibility. What do Security and Development teams need to know about each other to work together more effectively?
"Shift Left Security" What the funk does that mean?
In the agile, lean, DevOps communities people talk about improving security by "shifting left". Patterns and tools are emerging, or re-emerging, that make security less of a pain in the development process while also making applications more secure.
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx, by lior mazor
Our technology, work processes, and activities all depend on whether we trust our software to be safe and secure. Join us virtually for our upcoming "Emphasizing Value of Prioritizing AppSec" Meetup to learn how to build a cost-effective application security program, implement secure coding analysis and manage software security risks.
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ..., by Achim D. Brucker
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers".
On the one hand, learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk, we will report on our experiences on integrating security testing "end-to-end" into SAP's software development lifecycle in general and, in particular, SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the area of security testing.
This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have led to success and others that might need to be avoided. In an ever-evolving space, when reducing risk and deploying safe products to the market, we all have to find the correct gear to get us down the road.
Talk on Cybersecurity for Startups at CUBO Talks - Held on 09/Ab..., by PhishX
Pedro Ivo presented on cybersecurity for startups and individuals. He discussed the importance of having cybersecurity policies and of educating employees, partners and customers about risks such as phishing. He also recommended measures such as firewalls, endpoint protection, backups and 24/7 monitoring to protect startups against emerging threats.
Talk on Cybersecurity for the NEXT 2019 event, by PhishX
The document discusses the cyber risks faced by individuals and companies, especially phishing and social engineering. It provides statistics on cyber attacks and financial losses, and offers tips on how people and companies can better protect themselves, including security training and compliance with the LGPD.
Trend Turned Reality (Tendência virou realidade) | Pedro Waengertner, by PhishX
Presentation on innovation and digital transformation by Pedro Waengertner, given at the PhishX Summit of June 2018.
Held on: 28/06/2018
Language: Portuguese
Cyber Insurance | Intangible assets and their value in your company, by PhishX
Presentation "Cyber Insurance | Intangible assets and their value in your company", delivered by Marta Schuh, JLT Group, at the PhishX Summit of August 2018.
Presentation date: 29/08/2018.
Language: Portuguese.
GDPR on the new PhishX platform - PhishX Summit of May 2018, by PhishX
The document discusses how the PhishX platform is adapting to the GDPR by processing personal data lawfully, fairly and transparently. It explains the principles and rights of the GDPR, how data is stored and protected on the platform, and the actions being taken to comply with the law.
Cybersecurity for People - PhishX Summit of May 2018, by PhishX
Cybersecurity for People: the impact of digital threats such as phishing and ransomware on our society, in Brazil and worldwide. Discover the latest statistics on attacks and on human behaviour in the face of these threats, and learn how to defend yourself and your company given the current landscape and global technology trends.
Presentation given at the PhishX Summit of May 2018, at inovaBra habitat, by Pedro Ivo, CEO and Co-Founder of PhishX.
Essentials of Automations: The Art of Triggers and Actions in FME, by Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Driving Business Innovation: Latest Generative AI Advancements & Success Story, by Safe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
HCL Notes and Domino License Cost Reduction in the World of DLAU (German-language webinar), by panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within budget and save costs wherever possible. We understand that and want to help you!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expense, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and know-how to keep an overview. You will be able to reduce your costs through an optimised Domino configuration and keep them low in the future.
These topics are covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor..., by SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024, by Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Best 20 SEO Techniques To Improve Website Visibility In SERP, by Pixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
TrustArc Webinar - 2024 Global Privacy Survey, by TrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
HCL Notes and Domino License Cost Reduction in the World of DLAU, by panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!, by SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
UiPath Test Automation using UiPath Test Suite series, part 5, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability while sacrificing security. This best practices guide outlines steps users can take to better protect personal devices and information.
Programming Foundation Models with DSPy - Meetup Slides, by Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf, by Malak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Building Production Ready Search Pipelines with Spark and Milvus, by Zilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
2. dev sec ops: HOW HARD IT IS - Thiago Ribeiro . github.com/ribeiroit . twitter.com/ribeiroit
agenda
● about me
● why devsecops?
● quick concepts
● myths
● cultural change
● tips
● responsibilities
● q&a
3. about me
professional experience
● 97 / helpdesk internet provider
● 00 / sysadm / web developer
● 06 / it manager
● 09 / sysadm / infra developer
● 12 / backend developer
● 14 / security architect
● 18 / head of appsec
education
● tech data processing
● grad industrial design
● mba it management
● ms production engineering [aborted]
● itil / cobit / project management / lean / cybersecurity / cloud computing / opensource experience
4. why devsecops?
cybersecurity: technologies + processes + practices = protect enterprise goods
application security + information security + network security + disaster recovery + business continuity + operational security + end user education
source: http://whatis.techtarget.com/definition/cybersecurity
5. why devsecops?
fixing a web application vulnerability ranges from $400 to $4000 depending on the vulnerability.
source: http://www.darkreading.com/risk/the-cost-of-fixing-an-application-vulnerability/d/d-id/1131049?
it is not about computers. it is about branding and reputation.
6. why devsecops?
handle requirements from regulators and introduce maturity model concepts into the sdlc.
regulations, standards and maturity models shown: sox, pci, hipaa, csa, iso 27001, opensamm, bsimm, bacen
7. why devsecops?
understand security metrics during the sdlc.
great opportunity to get the “time to fix” from the teams and handle risks accurately.
it is a lead time question.
8. why devsecops?
simple attack scenario [diagram: dev -> repo -> build -> deploy; blackhat; vulnerability]
fix development vulnerabilities before they are deployed to prod.
9. why devsecops?
advanced attack scenario [diagram: dev -> repo -> build -> deploy; ops; confidential files; blackhat; vulnerability; malware]
help to protect against information leakage.
10. quick concepts
• sast – static analysis security testing
• dast – dynamic analysis security testing
• waf – web application firewall
• pentesting – security penetration tests
• rasp – runtime application self-protection
• owasp – open web application security project
• asvs – application security verification standard
• soc – security operations center
• iast – interactive appsec testing
11. myths
“people often sell devops like they are selling bananas.”
devops is a complex ecosystem and demands many hours of implementation.
there is no silver bullet.
it's hard to scale devops in big companies.
12. myths
“problems? just install docker to get things done.”
supporting containers in high availability is not a piece of cake.
problems like networking policies and data volumes are not easy to implement.
all the people “layers” must be solved to implement containers.
take care when using containers: a container image could host malware.
13. myths
“static analysis security testing is enough to keep you protected.”
it's hard to make devs understand all the threats they could be vulnerable to.
fixing vulnerabilities can take a long time.
fixing vulnerabilities might generate new vulnerabilities.
consider having a waf or rasp to be covered.
14. myths
“12factors. Whaaattt?”
it's not easy to find developers that can absorb the 12 factors and deliver them.
it is a big challenge to keep a devsecops process running. it demands massive communication and iteration with the crew.
15. cultural change
“developers think that they will deliver software to production easily.”
devsecops is much more responsibility than facilitation.
apply different gates to different teams based on their maturity. create KPIs to measure the maturity.
great power comes with great responsibilities.
16. cultural change
“the team members don't understand data classification and what they need to protect.”
your company should have a good approach to data classification and make the team aware of what they handle.
a good education program about risks can help the team understand the value of the information.
17. cultural change
“product owners must consider security tests a 'valuable deliverable' for their products.”
security is still considered a pain in the ass by many people.
some applications need manual tests to go deeper into some attack scenarios.
automated dynamic analysis can speed up releases, but that's not enough.
18. tips
know your enemies and threats.
* must know about OWASP Top 10
* must know about SANS 25
if you don't know how to attack, how could you defend?
sql injection appeared in '98 and it is still among the top vulnerabilities.
19. tips
start everything by classifying risks and validating requirements.
owasp asvs can help you validate your technical security controls.
keep your application inventory updated.
ref: https://github.com/aparsons/bag-of-holding
ref: https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
[logo: OWASP ASVS]
20. tips
add sast to your pipeline
* save money and time finding and fixing vulnerabilities
* sast helps to scale your team's knowledge and understanding
* it keeps your code safer; even the best make mistakes.
* establish a code review process for critical code. double checking really matters.
ref: https://www.owasp.org/index.php/Source_Code_Analysis_Tools
[logo: GAS]
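As an added example (not from the slides), a small Python gate that applies slide 15's idea of maturity-based deploy gates to SAST findings from slide 20, and computes slide 7's “time to fix” KPI; the finding fields, maturity levels, thresholds and sample findings are assumptions constructed for the example, not output of any real scanner:

```python
"""SAST gate by team maturity, plus the 'time to fix' KPI.
Added example, not from the slides: the finding fields, maturity levels and
per-level thresholds are assumptions standing in for a real scanner and policy."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed policy: a less mature team is blocked only on critical findings,
# a mature one on anything medium or worse (slide 15: gates by maturity).
GATE_BY_MATURITY = {1: "critical", 2: "high", 3: "medium"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    found: date                   # first reported by the scanner
    fixed: Optional[date] = None  # None while still open


def blocking_findings(findings: List[Finding], maturity: int) -> List[Finding]:
    """Open findings at or above the team's gate severity."""
    threshold = SEVERITY_RANK[GATE_BY_MATURITY[maturity]]
    return [f for f in findings
            if f.fixed is None and SEVERITY_RANK[f.severity] >= threshold]


def gate(findings: List[Finding], maturity: int) -> Tuple[bool, List[Finding]]:
    """(deploy_allowed, blockers): the pipeline stops before deploy on False."""
    blockers = blocking_findings(findings, maturity)
    return (not blockers, blockers)


def mean_time_to_fix_days(findings: List[Finding]) -> Optional[float]:
    """Slide 7 KPI: mean days from detection to fix, over closed findings only."""
    days = [(f.fixed - f.found).days for f in findings if f.fixed is not None]
    return sum(days) / len(days) if days else None


# Constructed sample scanner output; rule names, paths and dates are made up.
SAMPLE = [
    Finding("hardcoded-credential", "high", "auth/config.go", date(2019, 3, 1)),
    Finding("sql-format-string", "critical", "db/query.go", date(2019, 2, 20), date(2019, 2, 25)),
    Finding("unchecked-error", "low", "api/handler.go", date(2019, 3, 2)),
    Finding("weak-hash", "medium", "crypto/hash.go", date(2019, 2, 10), date(2019, 3, 2)),
]

if __name__ == "__main__":
    for level in (1, 2, 3):
        ok, blockers = gate(SAMPLE, level)
        print(f"maturity {level}: {'deploy' if ok else 'blocked'}", [b.rule for b in blockers])
    print("mean time to fix (days):", mean_time_to_fix_days(SAMPLE))
```

With the sample data a level-1 team deploys (the only critical finding is already fixed) while level-2 and level-3 teams are blocked by the open high-severity finding; the closed findings took 5 and 20 days to fix.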
21. tips
invest time coding automated tests for whatever layer you need to guarantee.
* automate functional tests
* automate vulnerability tests
* automate infrastructure scans
* prioritize your efforts by risk.
[logo: NAPALM]
22. tips
threat modeling can help you understand the threats and risks to your solution and apply the correct countermeasures.
* keep your solutions' documentation and diagrams updated
* perform express threat modeling sessions with your team
* create a security checklist and try to automate it
23. tips
always automate infrastructure to keep hardening items in place.
a good approach for inventory management and for applying patches in a risk situation.
* pay attention to microsegmentation and guarantee free access for your vulnerability scanners.
* always consider automation a defensive factor.
24. tips
continuous logging can help you handle log levels in different rbac scenarios.
an interface to help developers debug the application without logging in to production.
integrating OPS logs into behavior analysis can help you mitigate attacks or trigger automatic fixes. availability is part of security.
amplifying SOC visibility.
25. tips
building enterprise secure components can help you scale security inside your company.
put the smart people to work generating smart solutions and distribute them across the organization.
libraries and software dependencies are 80% of the whole application.
26. education and support
establish a security champions program.
invest time and money to guarantee continuous learning about security and new threats for your crew.
start internal initiatives to share knowledge with the team: tech talks, lightning talks, etc.
work together with human resources to create gamification programs.
27. q&a
thanks! get in touch on my twitter or github.