DevSecOps: Securing Applications with DevOps

•

0 likes•59 views

DevOps is all about delivering new features as fast as possible. But what if this means that you're also shipping security issues faster than ever? Security practices must speed up to keep pace with DevOps. This session shows you how you can increase your deployment frequency while still making sure that you ship secure applications. You'll learn best practices and principles for securing your application in a cloud world. You’ll also learn about tooling such as Whitesource and Azure Security Center. In the end, you’ll have a good idea of how to integrate security checks into DevOps and deliver more secure applications.

Wouter de Kort
Securing applications with DevOps

Speaker
Principal
Consultant
Microsoft
MVP
EliseAuthor
Blogger
Architect
ALM
Ranger
#Technology
Leaders
Trainer

How real is the threat?
Our team is good, right?
I don’t think that’s possible.
We’ve never been breached.
Endless debates about value
Let’s talk about how we change the conversation…
The Security Conversation

“FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN,
THEY'RE GETTING IN…ACCEPT THAT.
WHAT WE TELL CLIENTS IS:
NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU
THOUGHT YOU WERE OR NOT. NUMBER TWO,
YOU ALMOST CERTAINLY ARE PENETRATED. ”
Michael Hayden
Former Director of NSA & CIA

The Mindset Shift
Assume Breach
War game exercises
Central security monitors
Live site penetration test
Prevent Breach
Threat model
Code review
Security development
lifecycle (SDL)
Security testing

Cloud Mindset
Server Services
Domain Subscription
Domain Admin Subscription Admin
Private IPs Public IPs
RDP / SSH Management APIs

What is Red vs. Blue?
Blue
Team
Exercises ability to
detect & respond
Enhances situational
awareness
Measures readiness
& impact
Red
Team
Model
real-world attacks
Identify gaps
in security story
Demonstrable
impact

Every time someone viewed the dashboard…

Sample Guidelines
Code of Conduct
Both the Blue Team and the Red Team will do no harm.
The Red Team should not compromise more than needed to capture target assets.
Common sense rules apply to physical attacks (no printing badges, harassing people, etc.)
Do not disclose the name of the person who was compromised in a social engineering attack.
Rules of Engagement
Do not impact availability of any system.
Do not access external customer data.
Do not significantly weaken in-place security protections on any service.
Do not intentionally perform destructive actions against any resources.
Safeguard credentials, vulnerabilities and other critical information obtained.
Deliverables
Backlog of repair items (security item SLA)
Report “read out” with entire organization as a learning opportunity.

“Defenders think in lists. Attackers
think in graphs. As long as this is
true, attackers win”
John Lambert (MSTIC)

One pipeline to rule them all
https://azure.com/devops

Feature
Flags
Process
Monitor and improve
Code Repository TestingBuild + Deploy
End to End
User Feedback

$Everything as Code "resources": [ { "apiVersion": "2016-01-01", "type": "Microsoft.Storage/storageAccounts", "name": "mystorageaccount", "location": "westus", "sku": { "name": "Standard_LRS" }, "kind": "Storage", "properties": { } } ]$

No secrets in code: Azure Key Vault
ServiceInstance
Run-time vaults
Deployment-specific
vault
Service-wide vault
Global vault
Deploy-time vaults
Deployment-specific
vault
Service-wide vault
Global vault

Managed Identies
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
// ...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await
azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");

Networking
Virtual Networks
Avoid Public IPs
Azure Front Door with Web Application Firewall

Don’t take your on-premises
security to the cloud

Get in touch!
@wouterdekort
wouter@wouterdekort.com
https://wouterdekort.com

Programmers aren’t perfect. Testing and manual code reviews can’t find every problem in code. So, bugs persist. And it’s only going to get worse as your systems grow larger and more complex. How can you find critical problems in your code? And still release a quality product on time? Static code analysis might be the answer you’re looking for. Find out why: -Bug-free software is hard to achieve. -Automated tools are the way to go. -Safe, secure, and reliable software can be achieved at lower costs. Plus, you’ll see examples of bugs easily missed by manual code reviews. And you’ll learn how static code analysis and manual code reviews work together.

Static Code Analysis

Geneva, Switzerland

Static source code analysis tools can help developers find bugs early by analyzing code without executing it. The document recommends several free, open source tools for different programming languages that can find security issues, reliability problems, and other bugs. It emphasizes that while tools are useful, manual code reviews by experts are still needed, as no tool can find all issues or guarantee code is bug-free.

Java Code Review Checklist

Mahesh Chopker

Sast 2021

Felix Dobslaw

Static Code Analysis

Obika Gellineau

Java Code Quality Tools

Orest Ivasiv

This document discusses several Java code quality tools, including CodeProAnalytix for code analysis and metrics, PMD for detecting bugs and suboptimal code, FindBugs for finding correctness bugs and bad practices, and Cobertura/EMMA for code coverage analysis. It also mentions Checkstyle for checking code against coding standards, Tattletale for dependency analysis, and consolidated tools like Sonar and Xradar. Finally, it describes UCDetector for finding unnecessary public code.

This document discusses manual code review. It begins by introducing the author and their background and interests in security. It then asks why code review is important, noting that finding bugs early is cheaper and code review allows different visibility into code than other methods. Both automated and manual code review are discussed, saying they should be used complementarily. Manual review provides a 10,000 foot view by understanding the application and security controls. Specific vulnerabilities are then looked for. The document ends by stating manual code review can be done in 60 seconds by understanding the application, reviewing a security control, and looking for specific vulnerabilities.

Static Analysis Techniques For Testing Application Security - Houston Tech Fest

Denim Group

Static Analysis of software refers to examining source code and other software artifacts without executing them. This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FXCop and the beta version of Microsoft’s XSSDetect tool. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.

Server Side Template Injection by Mandeep Jadon

Mandeep Jadon

This document discusses server-side template injection (SSTI) vulnerabilities that can allow remote code execution on modern web applications. It begins with an introduction to templating engines and SSTI vulnerabilities. It then covers detecting, identifying, and exploiting SSTI vulnerabilities, providing examples using the Python Flask framework. It concludes with recommendations for preventing SSTI, such as not allowing user-modified templates and executing user code in a restricted sandbox.

Static code analysis

Rune Sundling

Static code analysis involves using tools to analyze source code for potential issues. It can find bugs, code quality issues, and other problems but is not a replacement for testing. Several experts note that combining static analysis, inspections, and testing leads to better defect removal than only using testing. Common static analysis tools include FxCop, StyleCop, ReSharper, and NDepend. Integrating static analysis into the development process can provide benefits but obstacles like resources and unrealistic expectations must be addressed.

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Cigital

High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks. Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack. The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running. Let us guide you through your application security testing journey with more key differences between SAST and DAST:

Open Source Libraries - Managing Risk in Cloud

Suman Sourav

In recent months we have seen several critical security threat because of third party libraries used in software products and services, Heartbleed, POODLE is a great example of it but things are not limited here since we have large threat landscape because of huge consumption of external third party components in cloud application development. Security threat will not stop ever since new attack vectors will keep coming in these open/external sources components but what is important here is how we handle risks due to these third party libraries.

Java Defects

Erika Barron

GNUCITIZEN Dwk Owasp Day September 2007

guest20ab09

The document discusses challenges with automated web application security testing tools and introduces the Technika Security Framework as a potential solution. It notes that over 90% of applications have vulnerabilities and most attacks now target the client-side. Automated tools have limitations around business logic, custom URLs, and false positives/negatives. A hybrid approach combining automated scanning and manual testing is suggested. The Technika Framework includes tools like a DOM spider, form parser, and mini-Nikto for automated scanning within a browser environment.

Static code analysis

Rushana Bandara

This document discusses static code analysis and tools like SonarQube and Coverity. Static code analysis examines code without executing it to find bugs. Monitoring and fixing code quality issues improves application quality and delivery. SonarQube is an open source platform for managing code quality. It provides continuous inspection, reporting, and community support. Coverity also helps developers find defects early through static analysis of concurrency, security, and other issues. Both tools analyze code to find bugs and improve code quality and development processes.

Continuous and Visible Security Testing with BDD-Security

Stephen de Vries

DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations

iAppSecure Solutions

Current security testing approaches like DAST, SAST, and IAST have limitations including a lack of complete visibility into applications and missing valuable information that could improve accuracy. While early hybrid approaches used correlation between techniques, correlation does not overcome fundamental analyzer deficiencies. A more effective solution would use an accurate application model as the foundation, providing a wealth of information about the application that could drastically improve analysis and vulnerability detection capabilities.

What Good is this Tool? A Guide to Choosing the Right Application Security Te...

Kevin Fealey

Abstract: Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are: • An understanding the real value of each type of AST tool (SAST, DAST, IAST); • How to leverage your tools for better security visibility and process efficiency; • Steps to find the right tool for your security program; • Keys to finding the best stage of the SDLC to implement each tool type within your security program; • How to integrate new tools with your existing DevOps or Agile environments and processes Additional Takeaways: • Examine the strengths and limitations of SAST, DAST, and IAST tools • Learn how to choose the right tools for your security program • Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes • Provide security visibility to developers, managers, and executives by enhancing your existing technology • Learn to use your tools to improve the efficiency of security tasks that are currently manual

Code review

Abhishek Sur

A Successful SAST Tool Implementation

Checkmarx

The document discusses implementing a static application security testing (SAST) tool. It recommends starting with a central scanning model where a security team scans code and reports vulnerabilities. Over time, the organization can transition to a full software development lifecycle model where developers use the tool during coding. Key factors for a successful implementation include choosing the right scanning model, training users, and establishing processes for fixing and verifying issues. The document also provides tips on maximizing returns and reducing costs such as licensing the tool granularly and keeping deployment and training short.

Blackhat Europe 2009 - Detecting Certified Pre Owned Software

Tyler Shields

The document discusses detecting "certified pre-owned" software, or software containing backdoors. It describes how static analysis of software binaries can detect various types of application backdoors, including special credentials, unintended network activity, and deliberate information leakage. The document focuses on detecting indicators that software is trying to hide its behavior, such as rootkit behavior and anti-debugging techniques, through static analysis of the software code. Rules can be developed for static analyzers to inspect software for these types of backdoor behaviors and indicators.

Static Analysis of Your OSS Project with Coverity

Samsung Open Source Group

The document discusses static analysis tools for finding bugs in source code. It summarizes the Coverity Scan service, which allows open source projects to have their code scanned for defects free of charge. The document outlines how to integrate Coverity Scan into a project's workflow, including using the cov-build wrapper to package code for analysis and submitting builds through services like Travis CI. It also provides tips for fine-tuning scans and examples of how the Linux and EFL projects use Coverity Scan in their development.

Code Review

rantav

The document discusses code review tools and processes. It describes formal in-person code review meetings, challenges with scheduling and concentrating, and more efficient alternatives like email and web-based code review tools. It also covers motivations for code review like finding defects early and improving coding standards, and tips for effective code reviews like preparing, focusing on understanding rather than criticism, and keeping reviews short.

Code review for secure web applications

silviad74

The document discusses best practices for code review of secure web applications. It covers strategies like manual review using checklists focused on authentication, authorization, session management, input validation, output sanitization, and other topics. Sample code snippets are provided to demonstrate proper and insecure implementations for these areas. The checklist topics to be covered in the next meeting include preventing cross-site request forgery, implementing cryptographic controls, handling errors properly, logging appropriately, and avoiding race conditions.

Issue Tracking

Software Sustainability Institute

Issue tracking allows organizations to manage changes and bugs in an ordered way. An issue can represent any query, occurrence, or task that may impact a project, such as a software bug, request for change, or action item from a meeting. When an issue is reported, it goes through a typical workflow of being assigned, accepted, worked on, and eventually closed or reopened. Popular open source bug trackers include Bugzilla, Trac, and JIRA, with Trac being a good example of a lightweight yet powerful option that allows cross-referencing with wikis and version control systems.

Peer Code Review An Agile Process

gsporar

Peer code review is one of the most effective ways to find defects – but is it agile? Because agile teams loathe heavy process, code review practices can easily fail. However, lightweight peer code review aligns well with the central tenets of agile—keeping feedback close to the point of creation, increasing team velocity by finding defects faster, and improving collective code ownership through frequent collaboration. Gregg Sporar shares recent research on code review practices and describes an agile code review approach—how much time to spend, which code to review, how much code to review at a time, how to set goals, the value of annotation, and more. After comparing four styles of code review—pair programming, over-the-shoulder, email, and tool-assisted—Gregg gives specific advice for creating review checklists and dealing with the social effects of code review in an agile environment.

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)

Mark Simos

Securing the “Weakest Link”

Priyanka Aash

Security professionals often call people “the weakest link.” We claim that they'll always make mistakes, however hard we try, and throw up our hands. But the simple truth is that we can help people do well at a wide variety of security tasks, and it’s easy to get started. Building on work in usable security and threat modeling, this session will give you actionable, proven ways to secure people. (Source: RSA USA 2016-San Francisco)

What's hot

Manual Code Review

n|u - The Open Security Community

Static Analysis Techniques For Testing Application Security - Houston Tech Fest

Denim Group

Server Side Template Injection by Mandeep Jadon

Mandeep Jadon

Static code analysis

Rune Sundling

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Cigital

Open Source Libraries - Managing Risk in Cloud

Suman Sourav

Java Defects

Erika Barron

GNUCITIZEN Dwk Owasp Day September 2007

guest20ab09

Static code analysis

Rushana Bandara

Continuous and Visible Security Testing with BDD-Security

Stephen de Vries

DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations

iAppSecure Solutions

What Good is this Tool? A Guide to Choosing the Right Application Security Te...

Kevin Fealey

Code review

Abhishek Sur

A Successful SAST Tool Implementation

Checkmarx

Blackhat Europe 2009 - Detecting Certified Pre Owned Software

Tyler Shields

Static Analysis of Your OSS Project with Coverity

Samsung Open Source Group

Code Review

rantav

Code review for secure web applications

silviad74

Issue Tracking

Software Sustainability Institute

Peer Code Review An Agile Process

gsporar

What's hot (20)

Manual Code Review

Static Analysis Techniques For Testing Application Security - Houston Tech Fest

Server Side Template Injection by Mandeep Jadon

Static code analysis

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Open Source Libraries - Managing Risk in Cloud

Java Defects

GNUCITIZEN Dwk Owasp Day September 2007

Static code analysis

Continuous and Visible Security Testing with BDD-Security

DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations

What Good is this Tool? A Guide to Choosing the Right Application Security Te...

Code review

A Successful SAST Tool Implementation

Blackhat Europe 2009 - Detecting Certified Pre Owned Software

Static Analysis of Your OSS Project with Coverity

Code Review

Code review for secure web applications

Issue Tracking

Peer Code Review An Agile Process

Similar to DevSecOps: Securing Applications with DevOps

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)

Mark Simos

Securing the “Weakest Link”

Priyanka Aash

Security Best Practices

Clint Edmonson

Understanding Application Threat Modelling & Architecture

Priyanka Aash

Threat Modeling to Reduce Software Security Risk

Security Innovation

Application Security Architecture and Threat Modelling

Priyanka Aash

Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...

EC-Council

CSF18 - Incident Response in the Cloud - Yuri Diogenes

NCCOMMS

This document discusses how Azure Security Center (ASC) can help security operations centers (SOCs) with incident response in the cloud. ASC provides initial triage of security alerts and incidents, performs investigations across cloud and on-premises data sources, and gives SOC teams contextual awareness of incidents through linked alerts and machines. The document demonstrates ASC's capabilities through examples of detecting malware, exploiting processes, and responding to attacks.

Security Training: #3 Threat Modelling - Practices and Tools

Yulian Slobodyan

This document provides an overview of threat modeling practices and tools. It begins with an introduction that defines threat modeling and outlines its benefits. It then covers threat modeling basics like principles, approaches and reasons it is avoided. The main threat modeling process is described, including creating diagrams, identifying threats and planning mitigations. Popular threat modeling tools and a demo are discussed. Standard mitigation techniques and a sample threat model appendix are also included.

Security engineering 101 when good design & security work together

Wendy Knox Everette

Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go? Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why. She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies. Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.

Cyber Security Management in a Highly Innovative World

SafeNet

Cyber attacks are reaching pandemic levels. State-sponsored groups and organized crime are successfully stealing valuable intellectual property—including critical infrastructure and operational readiness information, businesses’ and consumers’ financial data—often without anyone realizing the attack has occurred! But preparedness cannot be delegated solely to the IT department. The involvement of the entire enterprise, armed with an understanding of the highly dynamic landscape, is vital for warding off potential threats. Author: David Etue, VP of CorpDev Strategy, SafeNet Watch the webcast on demand: https://www.brighttalk.com/webcast/6319/75109

[Bucharest] Attack is easy, let's talk defence

OWASP EEE

Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing

Software Guru

CrowdSec - Smart Money Round deck

CrowdSec

The Role of Application Control in a Zero-Day Reality

Lumension

With end users often downloading unwanted and unknown applications, more than 1.6 million new malware signatures appearing every month and a rising tide of zero-day attacks, there is more risk to your systems and information than ever before. Find out: * How to defend against zero-day threats - without waiting for the latest anti-virus signatures * Why application control / whitelisting should be a central component of your security program * How application control has evolved to enforce effective security in dynamic environments

SensePost Threat Modelling

SensePost

Splunk für Security

Splunk

Sie haben viel Geld für Ihre Security Infrastruktur ausgegeben. Wie führen Sie nun all die verschiedenen Systeme zusammen, damit Sie Ihre Ziele erreichen: Bedrohungen schnelle entdecken, darauf reagieren und sie zukünftig zu verhindern. Gleichzeitg soll es Ihrem Security Team natürlich möglich sein, im Sinne Ihre Geschäftstätigkeit und Strategie zu handeln. Erfahren Sie hier, wie Sie Ihre Security Ressources am effektivsten einsetzen. Wir zeigen Ihnen das Ganze in einer Live Demo.

5 Ways To Fight A DDoS Attack

RedZone Technologies

This document summarizes a virtual event about preventing DDoS attacks against credit unions. The event covers 5 types of DDoS attacks and discusses practical steps credit unions can take to prepare for and prevent attacks. Presenters from RedZone Technologies discuss reviewing a credit union's security portfolio, identifying gaps, and developing a long-term investment roadmap to strengthen defenses against DDoS and other cyber threats. The event provides an overview of vendor solutions that can help protect against different attack types and questions attendees should consider.

Online Gaming Cyber security and Threat Model

Eoin Keary

"Evolving Cybersecurity Strategies" - Threat protection and incident managment

Dean Iacovelli

As the volume and sophistication of attacks has increased, it has become even more critical for organizations to be able to rapidly and accurately identify malicious attack vectors and payloads at time of delivery. This session will explore Microsoft’s unique approach to dealing with this problem and also how we approach tracing and deconstructing a successful attack in order to prevent its’ next iteration.

Similar to DevSecOps: Securing Applications with DevOps (20)

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)

Securing the “Weakest Link”

Security Best Practices

Understanding Application Threat Modelling & Architecture

Threat Modeling to Reduce Software Security Risk

Application Security Architecture and Threat Modelling

Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...

CSF18 - Incident Response in the Cloud - Yuri Diogenes

Security Training: #3 Threat Modelling - Practices and Tools

Security engineering 101 when good design & security work together

Cyber Security Management in a Highly Innovative World

[Bucharest] Attack is easy, let's talk defence

Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing

CrowdSec - Smart Money Round deck

The Role of Application Control in a Zero-Day Reality

SensePost Threat Modelling

Splunk für Security

5 Ways To Fight A DDoS Attack

Online Gaming Cyber security and Threat Model

"Evolving Cybersecurity Strategies" - Threat protection and incident managment

Recently uploaded

Empowering Growth with Best Software Development Company in Noida - Deuglo

Deuglo Infosystem Pvt Ltd

Do you want Software for your Business? Visit Deuglo Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions. Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC). Requirement — Collecting the Requirements is the first Phase in the SSLC process. Feasibility Study — after completing the requirement process they move to the design phase. Design — in this phase, they start designing the software. Coding — when designing is completed, the developers start coding for the software. Testing — in this phase when the coding of the software is done the testing team will start testing. Installation — after completion of testing, the application opens to the live server and launches! Maintenance — after completing the software development, customers start using the software.

Using Xen Hypervisor for Functional Safety

Ayan Halder

Transform Your Communication with Cloud-Based IVR Solutions

TheSMSPoint

Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony

Energy consumption of Database Management - Florina Jonuzi

Green Software Development

GraphSummit Paris - The art of the possible with Graph Technology

Neo4j

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition

Envertis Software Solutions

Odoo ERP software Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth. The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently. This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.

Mobile App Development Company In Noida | Drona Infotech

Drona Infotech

Webinar On-Demand: Using Flutter for Embedded

ICS

Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

Enterprise Resource Planning System in Telangana

NYGGS Automation Suite

Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics. To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/

Need for Speed: Removing speed bumps from your Symfony projects ⚡️

Łukasz Chruściel

No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception. In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed. We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.

Atelier - Innover avec l’IA Générative et les graphes de connaissances

Neo4j

Atelier - Innover avec l’IA Générative et les graphes de connaissances Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement. Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.

Orion Context Broker introduction 20240604

Fermin Galan

Microservice Teams - How the cloud changes the way we work

Sven Peters

A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams? Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.

openEuler Case Study - The Journey to Supply Chain Security

Shane Coughlan

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx

rickgrimesss22

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Peter Muessig

The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.

What is Augmented Reality Image Tracking

pavan998932

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management

Utilocate

Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly. The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.

Recently uploaded (20)

Empowering Growth with Best Software Development Company in Noida - Deuglo

Using Xen Hypervisor for Functional Safety

Transform Your Communication with Cloud-Based IVR Solutions

Energy consumption of Database Management - Florina Jonuzi

GraphSummit Paris - The art of the possible with Graph Technology

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition

Mobile App Development Company In Noida | Drona Infotech

Webinar On-Demand: Using Flutter for Embedded

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Enterprise Resource Planning System in Telangana

Need for Speed: Removing speed bumps from your Symfony projects ⚡️

Atelier - Innover avec l’IA Générative et les graphes de connaissances

Orion Context Broker introduction 20240604

Microservice Teams - How the cloud changes the way we work

openEuler Case Study - The Journey to Supply Chain Security

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

What is Augmented Reality Image Tracking

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management

DevSecOps: Securing Applications with DevOps

1. Wouter de Kort Securing applications with DevOps

2. Speaker Principal Consultant Microsoft MVP EliseAuthor Blogger Architect ALM Ranger #Technology Leaders Trainer

3. How real is the threat? Our team is good, right? I don’t think that’s possible. We’ve never been breached. Endless debates about value Let’s talk about how we change the conversation… The Security Conversation

4. “FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN, THEY'RE GETTING IN…ACCEPT THAT. WHAT WE TELL CLIENTS IS: NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU THOUGHT YOU WERE OR NOT. NUMBER TWO, YOU ALMOST CERTAINLY ARE PENETRATED. ” Michael Hayden Former Director of NSA & CIA

5. The Mindset Shift Assume Breach War game exercises Central security monitors Live site penetration test Prevent Breach Threat model Code review Security development lifecycle (SDL) Security testing

6. Cloud Mindset Server Services Domain Subscription Domain Admin Subscription Admin Private IPs Public IPs RDP / SSH Management APIs

8. What is Red vs. Blue? Blue Team Exercises ability to detect & respond Enhances situational awareness Measures readiness & impact Red Team Model real-world attacks Identify gaps in security story Demonstrable impact

9. Show Don’t tell Prove it!

10. Every time someone viewed the dashboard…

11. Sample Guidelines Code of Conduct Both the Blue Team and the Red Team will do no harm. The Red Team should not compromise more than needed to capture target assets. Common sense rules apply to physical attacks (no printing badges, harassing people, etc.) Do not disclose the name of the person who was compromised in a social engineering attack. Rules of Engagement Do not impact availability of any system. Do not access external customer data. Do not significantly weaken in-place security protections on any service. Do not intentionally perform destructive actions against any resources. Safeguard credentials, vulnerabilities and other critical information obtained. Deliverables Backlog of repair items (security item SLA) Report “read out” with entire organization as a learning opportunity.

12. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win” John Lambert (MSTIC)

13.

14. One pipeline to rule them all https://azure.com/devops

15. Feature Flags Process Monitor and improve Code Repository TestingBuild + Deploy End to End User Feedback

16. Everything as Code "resources": [ { "apiVersion": "2016-01-01", "type": "Microsoft.Storage/storageAccounts", "name": "mystorageaccount", "location": "westus", "sku": { "name": "Standard_LRS" }, "kind": "Storage", "properties": { } } ]

17.

18. No secrets in code: Azure Key Vault ServiceInstance Run-time vaults Deployment-specific vault Service-wide vault Global vault Deploy-time vaults Deployment-specific vault Service-wide vault Global vault

19. Managed Identies using Microsoft.Azure.Services.AppAuthentication; using Microsoft.Azure.KeyVault; // ... var azureServiceTokenProvider = new AzureServiceTokenProvider(); string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");

20. Networking Virtual Networks Avoid Public IPs Azure Front Door with Web Application Firewall

21.

22. Azure Security Center

23. Azure Policy

24. Azure Sentinel

25.

26. Don’t take your on-premises security to the cloud

27.

28. Get in touch! @wouterdekort wouter@wouterdekort.com https://wouterdekort.com