Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.
Havex is the second ICS malware ever seen in the wild.
Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Prac...Akond Rahman
In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to lack of adequate reviews. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that are using DevOps to systematically explore experiences in utilizing security practices. We observe that the majority of the software practitioners have expressed the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security utilize additional security activities, such as security requirements analysis and performing security configurations. Additionally, these teams also have established collaboration between the security team and the development and operations teams.
Splitting The Check On Compliance and SecurityNew Relic
Often times, developers and auditors can be at odds. The agile, fast-moving environments that developers enjoy will typically give auditors heartburn. The more controlled and stable environments that auditors prefer to demonstrate and maintain compliance are traditionally not friendly to developers or innovation. We'll walk through how Netflix moved its PCI and SOX environments to the cloud and how we were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers.
Integrating the Alphabet Soup of StandardsJim Gilsinn
Presented @ 2014 ICS Cyber Security Conference
October 21, 2014
It’s been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 & 27002 have been out for nearly a decade. NIST has already started their process for revisions, ISA is actively working to overhaul 62443-2-1, and ISO/IEC just published a major revision to their standard. In addition to these cross-domain standards, there are a multitude of local and sector-specific standards as well. As a consultant, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation will discuss some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.
Key Findings from the 2019 State of DevOps ReportPuppet
Learn how to make security work in your DevOps practice.
We already know that advanced DevOps companies release software faster, with fewer errors. Did you know they also have the best security? (To be fair, we didn’t either until we got the analysis back from our 8th annual State of DevOps survey.)
In this webinar, the authors of the 2019 State of DevOps Report will walk you through the most important things they learned about how organizations are successfully integrating security into their DevOps practices — and the results they’re seeing.
We hope you’ll join us at this APAC timezone webinar on Wednesday, 23 October 2019 at 11 a.m. SGT | 2 p.m. AEST where you can expect to learn:
Which DevOps practices are most important for improving your security posture.
How security integration affects everything from your ability to deploy on demand to the time it takes to remediate vulnerabilities.
What to expect as you integrate security into the software delivery lifecycle. (Hint: It’s not all sunshine and rainbows.)
Webinar presenters and 2019 State of DevOps Report authors: Alanna Brown and Nigel Kersten of Puppet, Andi Mann of Splunk, and Michael Stahnke of CircleCI
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...Digital Bond
Technology in ICS environments lags the Enterprise by 10-15yr. This often leads to ICS companies having to stand by while other more nimble institutions are able to take advantage of new technology. What few people realize, is that our industry gets to watch the future happen out on the Internet and then pick and choose the best techniques to adapt and bring back in time. In this session Mr. Kitchel will look at what is new in the IT world and forecast what should and will be applied to OT.
Scott M. Johnson, Lead PM - Technical Compliance presented, "How Docusign uses Black Duck for DevOps, AppSec and Compliance." For more information, visit our website at www.blackducksoftware.com.
Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.
Havex is the second ICS malware ever seen in the wild.
Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Prac...Akond Rahman
In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to lack of adequate reviews. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that are using DevOps to systematically explore experiences in utilizing security practices. We observe that the majority of the software practitioners have expressed the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security utilize additional security activities, such as security requirements analysis and performing security configurations. Additionally, these teams also have established collaboration between the security team and the development and operations teams.
Splitting The Check On Compliance and SecurityNew Relic
Often times, developers and auditors can be at odds. The agile, fast-moving environments that developers enjoy will typically give auditors heartburn. The more controlled and stable environments that auditors prefer to demonstrate and maintain compliance are traditionally not friendly to developers or innovation. We'll walk through how Netflix moved its PCI and SOX environments to the cloud and how we were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers.
Integrating the Alphabet Soup of StandardsJim Gilsinn
Presented @ 2014 ICS Cyber Security Conference
October 21, 2014
It’s been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 & 27002 have been out for nearly a decade. NIST has already started their process for revisions, ISA is actively working to overhaul 62443-2-1, and ISO/IEC just published a major revision to their standard. In addition to these cross-domain standards, there are a multitude of local and sector-specific standards as well. As a consultant, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation will discuss some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.
Key Findings from the 2019 State of DevOps ReportPuppet
Learn how to make security work in your DevOps practice.
We already know that advanced DevOps companies release software faster, with fewer errors. Did you know they also have the best security? (To be fair, we didn’t either until we got the analysis back from our 8th annual State of DevOps survey.)
In this webinar, the authors of the 2019 State of DevOps Report will walk you through the most important things they learned about how organizations are successfully integrating security into their DevOps practices — and the results they’re seeing.
We hope you’ll join us at this APAC timezone webinar on Wednesday, 23 October 2019 at 11 a.m. SGT | 2 p.m. AEST where you can expect to learn:
Which DevOps practices are most important for improving your security posture.
How security integration affects everything from your ability to deploy on demand to the time it takes to remediate vulnerabilities.
What to expect as you integrate security into the software delivery lifecycle. (Hint: It’s not all sunshine and rainbows.)
Webinar presenters and 2019 State of DevOps Report authors: Alanna Brown and Nigel Kersten of Puppet, Andi Mann of Splunk, and Michael Stahnke of CircleCI
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...Digital Bond
Technology in ICS environments lags the Enterprise by 10-15yr. This often leads to ICS companies having to stand by while other more nimble institutions are able to take advantage of new technology. What few people realize, is that our industry gets to watch the future happen out on the Internet and then pick and choose the best techniques to adapt and bring back in time. In this session Mr. Kitchel will look at what is new in the IT world and forecast what should and will be applied to OT.
Scott M. Johnson, Lead PM - Technical Compliance presented, "How Docusign uses Black Duck for DevOps, AppSec and Compliance." For more information, visit our website at www.blackducksoftware.com.
Putting the Sec into DevOps
DevOps enables companies to deliver innovations faster to market. But with multiple functional teams collaborating on development, and so many moving parts, security is often left out of the DevOps process and then tacked on at the end - delaying deployment into production and negating many of the benefits of DevOps.
Presented by renowned industry expert Prof. Avishai Wool, this new technical webinar will cover best practices for incorporating security into the DevOps lifecycle. This insight will help ensure better collaboration between security and the development teams right from the start and reduce the time, cost and risk of deploying applications into production.
In this webinar Professor Wool will cover how to:
• Identify and map existing applications and their connectivity flows to establish a baseline
• Adjust application connectivity for each stage of the DevOps lifecycle – without coding
• Automatically deploy connectivity throughout the development lifecycle using templates
• Proactively assess risk and compliance throughout the DevOps process
• Manage and maintain security in the production environment
Vulnerability Inheritance in ICS (English)Digital Bond
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products including PLC's from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit the vulnerabilities.
Equally important is the vendor misrepresenting the fact that the vulns were fixed, when they were not. And the vendors, Hitachi and Sanyo-Denki to name two, that did not test the security of the libraries before including them in their products and selling them to customers.
Practical Application of Agile Techniques in Developing Safety Related SystemsAdaCore
David Nicoll will present some of his experiences of applying Agile techniques to improve the effective development and delivery of software projects including their use in developing safety related systems within a regulatory frameworks. David will also show how the safety engineering process and generation of evidence are not adversely impacted by this approach.
Applying formal methods to existing software by B.MonateMahaut Gouhier
"Applying formal methods to existing software: what can you expect?" Talk by Benjamin Monate, Co-founder and CTO of TrustInSoft, at the 2018 Sound Static Analysis for Security Workshop, in the NIST, USA, on June 27th.
This work has been supported by the Core Infrastructure Initiative of the Linux foundation.
Learn more about TrustInSoft
https://trust-in-soft.com/
Agile methods and safety critical software - Peter GardnerAdaCore
This talk surveys Agile methods and formulates a list of features that occur in these methods, then considers whether each of the features can be applied in the field of safety-critical software development. The talk concludes that almost all of the features of Agile methods are applicable to safety-critical software but that existing standards are a problem for Agiles de-emphasis of design and documentation. The talk will also look for quantitative evidence in the published literature for the benefits of Agile methods in software development in general, and surveys various published opinions on Agiles application to safety-critical software development.
Liam Randall of Critical Stack at S4x15 Operation Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
What to Do When You Don’t Know What to Do: Control System Patching Problems a...EnergySec
FoxGuard Solutions has encountered and resolved a wide variety of problems in our monthly work of patching control systems for our OEM clients and hundreds of power utility sites. In this presentation, we will cover a list of problems you might encounter and some real-world strategies that we have helped our clients implement to deal with them.
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
Tatsuaki Takebe of Yokogawa Electric Corporation provides the closing keynote with a focus on international standards activity and how it affects the Japanese ICS community.
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleEnergySec
Presenter: Joseph Loomis, Southwest Research Institute (SwRI)
Asset Owners face challenges as they strive towards implementing the NERC-CIP V5 requirements. Meeting the requirements often require documentation and technical knowledge of how an asset operates that can only be provided by a Vendor. Vendors, likewise, may be unclear about how the NERC-CIP requirements affect them, and are unsure about how to meet the technical requirements. In this presentation we detail the lessons learned from a recent project where SwRI worked with a Vendor to determine how the requirements apply to them and what the Vendor needs to have to help support an Asset Owner in an audit.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Using Assessment Tools on ICS (English)Digital Bond
Dale Peterson of Digital Bond describes the methodology of using security assessment tools on an operational ICS. He also discusses how to best use the features and functions of these tools.
Presented @ ISA Process Control & Safety Symposium
October 8, 2014
Description of the Kenexis project to build a ICS performance and security lab-in-a-box. This talk accompanies a live demo of the lab equipment.
Dev secops security and compliance at the speed of continuous delivery - owaspDag Rowe
Abstract:
See how an Ottawa company has built a SOC2 Type 2 audited software delivery system with less pain, and more value.
Build security, and compliance into the way software is delivered and operated to
* Make secure development easier
* Provide real customer value
* Avoid security theatre
* Reduce security and audit bottlenecks
Bio:
Dag Rowe is a BA in security and compliance. Passionate about improving systems of work, he is actively involved in the local software community. Dag helps to organize the Agile Ottawa Meetup group, and the Gatineau-Ottawa Agile Tour conference.
Putting the Sec into DevOps
DevOps enables companies to deliver innovations faster to market. But with multiple functional teams collaborating on development, and so many moving parts, security is often left out of the DevOps process and then tacked on at the end - delaying deployment into production and negating many of the benefits of DevOps.
Presented by renowned industry expert Prof. Avishai Wool, this new technical webinar will cover best practices for incorporating security into the DevOps lifecycle. This insight will help ensure better collaboration between security and the development teams right from the start and reduce the time, cost and risk of deploying applications into production.
In this webinar Professor Wool will cover how to:
• Identify and map existing applications and their connectivity flows to establish a baseline
• Adjust application connectivity for each stage of the DevOps lifecycle – without coding
• Automatically deploy connectivity throughout the development lifecycle using templates
• Proactively assess risk and compliance throughout the DevOps process
• Manage and maintain security in the production environment
Vulnerability Inheritance in ICS (English)Digital Bond
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products including PLC's from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit the vulnerabilities.
Equally important is the vendor misrepresenting the fact that the vulns were fixed, when they were not. And the vendors, Hitachi and Sanyo-Denki to name two, that did not test the security of the libraries before including them in their products and selling them to customers.
Practical Application of Agile Techniques in Developing Safety Related SystemsAdaCore
David Nicoll will present some of his experiences of applying Agile techniques to improve the effective development and delivery of software projects including their use in developing safety related systems within a regulatory frameworks. David will also show how the safety engineering process and generation of evidence are not adversely impacted by this approach.
Applying formal methods to existing software by B.MonateMahaut Gouhier
"Applying formal methods to existing software: what can you expect?" Talk by Benjamin Monate, Co-founder and CTO of TrustInSoft, at the 2018 Sound Static Analysis for Security Workshop, in the NIST, USA, on June 27th.
This work has been supported by the Core Infrastructure Initiative of the Linux foundation.
Learn more about TrustInSoft
https://trust-in-soft.com/
Agile methods and safety critical software - Peter GardnerAdaCore
This talk surveys Agile methods and formulates a list of features that occur in these methods, then considers whether each of the features can be applied in the field of safety-critical software development. The talk concludes that almost all of the features of Agile methods are applicable to safety-critical software but that existing standards are a problem for Agiles de-emphasis of design and documentation. The talk will also look for quantitative evidence in the published literature for the benefits of Agile methods in software development in general, and surveys various published opinions on Agiles application to safety-critical software development.
Liam Randall of Critical Stack at S4x15 Operation Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
What to Do When You Don’t Know What to Do: Control System Patching Problems a...EnergySec
FoxGuard Solutions has encountered and resolved a wide variety of problems in our monthly work of patching control systems for our OEM clients and hundreds of power utility sites. In this presentation, we will cover a list of problems you might encounter and some real-world strategies that we have helped our clients implement to deal with them.
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
Tatsuaki Takebe of Yokogawa Electric Corporation provides the closing keynote with a focus on international standards activity and how it affects the Japanese ICS community.
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleEnergySec
Presenter: Joseph Loomis, Southwest Research Institute (SwRI)
Asset Owners face challenges as they strive towards implementing the NERC-CIP V5 requirements. Meeting the requirements often require documentation and technical knowledge of how an asset operates that can only be provided by a Vendor. Vendors, likewise, may be unclear about how the NERC-CIP requirements affect them, and are unsure about how to meet the technical requirements. In this presentation we detail the lessons learned from a recent project where SwRI worked with a Vendor to determine how the requirements apply to them and what the Vendor needs to have to help support an Asset Owner in an audit.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Using Assessment Tools on ICS (English)Digital Bond
Dale Peterson of Digital Bond describes the methodology of using security assessment tools on an operational ICS. He also discusses how to best use the features and functions of these tools.
Presented @ ISA Process Control & Safety Symposium
October 8, 2014
Description of the Kenexis project to build a ICS performance and security lab-in-a-box. This talk accompanies a live demo of the lab equipment.
Dev secops security and compliance at the speed of continuous delivery - owaspDag Rowe
Abstract:
See how an Ottawa company has built a SOC2 Type 2 audited software delivery system with less pain, and more value.
Build security, and compliance into the way software is delivered and operated to
* Make secure development easier
* Provide real customer value
* Avoid security theatre
* Reduce security and audit bottlenecks
Bio:
Dag Rowe is a BA in security and compliance. Passionate about improving systems of work, he is actively involved in the local software community. Dag helps to organize the Agile Ottawa Meetup group, and the Gatineau-Ottawa Agile Tour conference.
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps
Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities
Examples of security automation, case situations minimizing risk and driving flexibility for DevOps
See how SaaS provider CloudPassage integrates security into its own development and operations workflows
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
Efforts in Scaling Application Security ProgramsEric Fay
With organizational success comes the exciting period of ever-increasing scale and scope. This talk will cover some of the past and current efforts that Eric personally took on while creating and scaling the application security program at Hulu. A retrospective look will be taken at the focus points, tradeoffs and decisions made by the application security team while keeping up with the growth and continued success of Hulu. (Talk given at OWASP San Francisco on 7/26/2018)
DevSecOps - It can change your life (cycle)Qualitest
QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scan, enabling significant shift left of issues detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this slide is for you.
For more information, please visit www.QualiTestGroup.com
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
DevSecOps means considering application and infrastructure security from the beginning. This also means automating some security doors to prevent the DevOps workflow from slowing down.
The goal of DevSecOps (development, security, and operations) is to make everyone responsible for security, with the main target on implementing security decisions and actions at an equivalent scale and speed as development and operations decisions and actions.
Implementing DevSecOps are often an elaborate process for a corporation , but well worthwhile when considering the advantages .
Implementation usually includes the subsequent stages:
Planning and development
Building and testing
Deployment and operation
Monitoring and scaling
Tonex's DevSecOps Training Bootcamp
DevSecOps training Bootcamp is a practical DevSecOps course, participants can acquire in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.
Participants understand DevOps and DevSecOps to take full advantage of the agility and responsiveness of the secure DevOps method, IT security on SDLC, and the entire life cycle of the application.
DevSecOps Training Bootcamp focuses on:
Concepts
Principles
Processes
Policies
Guidelines
Mitigation
Applied Risk Management Framework (RMF)
Technical Skills
Audience:
Security Staff
IT Leadership
IT Infrastructure
CIOs / CTOs /CSO
Configuration Managers
Developers and Application Team Members and Leads
IT Operations Staff
IT Project & Program Managers
Product Owners and Managers
Release Engineers
Agile Staff and ScrumMasters
Software Developers
Software Team Leads
System Admin
Training Objectives:
Identify and explain the phases of the DevOps life cycle
Define the roles and responsibilities that support the DevOps environment
Describe the security components of DevOps and determine its risk principles
Analyze, evaluate and automate DevOps application security across SDLC
Identify and explain the characteristics required to meet the definition of DevOps computing security
Discuss strategies for maintaining DevOps methods
Perform gap analysis between DevOps security benchmarks and industry standard best practices
Evaluate and implement the safety controls necessary to make sure confidentiality, integrity and availability (CIA) in DevOps environments
Perform risk assessments of existing and proposed DevOps environments
Integrate RMF with DevOps
Explain the role of encryption in protecting data and specific strategies for key management
And more.
Course Content:
DevOps vs. DevSecOps
DevOps Security Requirements
DevOps Typical Security Activities
Tools for Securing DevOps
Principles Behind DevSecOps
DevSecOps and Application Security
How to DevSecOps
DevSecOps Maturity
RMF, DevOps and DevSecOps
For More Information:
https://www.tonex.com/training-courses/devsecops-training-bootcamp/
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Tripwire
For many energy companies, readying for compliance with the latest version of NERC Critical Infrastructure Protection (CIP) standards, whether they be v5, v6, v7 or beyond is not the first priority – delivering reliable energy to the BES is. So, how does a company deal not only with the impending changes of CIP v5, but do so in a manner that best positions them for compliance with future versions and secures their cyber environment?
Join our live webcast on Thursday February 5 to hear from ICF, Tripwire, and AssurX industry experts who are helping organizations already grappling with the new and upcoming CIP requirements, implementing a risk based approach, the steps they are taking to get ahead of the curve, and addressing the uncertainty.
Key Takeaways - Regarding Readiness for NERC CIPv5 (and beyond):
•Best approaches for achieving compliance in a changing environment. (i.e. v5, v6, v7).
•How to save time, resources, and achieve automation with practical guidance on compliance efforts for current and future CIP requirements.
•Practical highlights and key controls from those already working on the most pressing issues.
Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products.
During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
2. Tehama
• Delivers privileged technical services
over the internet with
– Transparency
– Security
– Auditability
• Ensures trust while enabling quick
onboarding and connectivity
3. Tehama and SOC2
• Decided early on that SOC2 was
mandatory to build trust with clients
– Demonstrates robust security practices
via a trusted 3rd party
5. Compliance Basics
• Say what you’re going to do
– Done via Security Controls, plans, and
processes
• Do it
– Hard
• Prove that you did it
– Evidence
• Hardest ... if you haven’t planned for it
6. Control Example
• A vulnerability management plan is
maintained to identify potential threats.
Threats are triaged and mitigated as
required. Remediation plans are developed
to address risks.
7. DevSecOps
• DevOps used to deliver and run systems in a
secure and reliable way
• Bringing in Security and Compliance
increases the focus on Ops
– “You build it, you run it”
8. DevSecOps
• Look at security and compliance as a
– Release problem
– Test problem
– Monitoring and observability problem
• Leverage security and compliance expertise
in building out the system
– This is the secret sauce
9. Tehama and DevSecOps
• Security and compliance can’t be “the office
of no”
• Make it secure in order to demonstrate
compliance
– Keep it valuable
– Don’t make it a checkbox exercise
– E.g. continuous vuln mgmt is much better
than a monthly review cycle
10. There is no Magic
• It’s just mature DevOps
– DevSecOps
– DevOpsSec
– Rugged DevOps
• But it is a good phrase to search with
11. DevOps Patterns
• Infrastructure as Code
• Continuous Delivery
• Continuous Monitoring
• Learning from Failure
• Collaborative Culture
13. Policy Designed for CI/CD
Change Management
• Standard Change
– Pre-approved
– Move most changes here
– High success rate, low MTTR
• High Risk Change
– Classic security approval
• Emergency Change
– Post release approval
– Don’t block an emergency change
14. Policy Requires Vulnerability
Management
Common categorization between tools
• Tools find CVEs
– Common Vulnerabilities and Exposures
• Classified via Common Vulnerability Scoring
System
– CVSS
• Includes remediation timelines (SLA)
15. Implementation
Security is everyone’s job, all the time
• Design it into the system, then it is just how
the software is delivered
• Audit evidence is generated during daily
work
– Not a scramble before an audit
16. Implementation
Secure software supply chain
• All images and OSs are from trusted repos
– Hardened
• All software dependencies are scanned
• Patch management is a priority
– Custom software dependencies
– EC2 OS
– Docker images
– Open source applications
17. Implementation - SDLC
The SDLC is based on a CI/CD pipeline
Automatic
• SAST
– Static Application Security Testing
• DAST
– Dynamic Application Security Testing
• SCA
– Software Component Analysis
• Container vulnerability analysis
18. Implementation - SDLC
Manual
• Prioritization and planning
• Pull requests and code review
– Code review guidelines call out security
concerns with a standard checklist
• PR approval, and release authorization
19. Implementation - Monitoring
Vulnerability plan includes intrusion detection
Requires monitoring and alerting to detect
incidents
• Alerting will launch Incident Response (IR)
• Note, manual detection is still in scope
– Strange system behaviour
– Customer reports
– AWS security
– Law enforcement
20. Implementation - IR
Vulnerability plan includes intrusion detection
Requires monitoring and alerting to detect
incidents
• Alerting will launch Incident Response (IR)
• Manual detection is still in scope
– Noticing strange system behaviour
– Customer reports
– AWS security
– Law enforcement
21. Implementation - IR and Logging
DevOps includes a focus on monitoring and
observability
• This is adds big value
• Enables robust Incident Response and
troubleshooting capabilities
23. Results
• Last pen test had no findings
• Security and compliance dev work is not exceptional
• First audit (Type 1) passed without complications
– Kudos from auditors
• Second audit (Type 2) had no major out of band work
for developers or compliance
• Continuous improvement on logging and monitoring
• IR and post-mortem process well established
24. References
• DevOpsSec: Securing software through continuous delivery
– https://www.safaribooksonline.com/library/view/devopssec/978149197
1413/
• DevOps Audit Defense Toolkit
– https://itrevolution.com/devops-audit-defense-toolkit/
• The DevOps Handbook: How to Create World-Class Agility, Reliability, and
Security in Technology Organizations
– Chapter 19
– Section VI
– Appendix 9
– https://www.amazon.ca/DevOps-Handbook-World-Class-Reliability-
Organizations/dp/1942788002
25. References
• Accelerate: The Science of Lean Software and DevOps: Building and
Scaling High Performing Technology Organizations
– Chapter 6
– https://www.amazon.ca/Accelerate-Software-Performing-Technology-
Organizations/dp/1942788339/
• Incident Management for Operations
– https://www.amazon.ca/Incident-Management-Operations-Rob-
Schnepp/dp/1491917628/
• Pagerduty Incident Response
– https://response.pagerduty.com/
• Incident Response: Trade-offs Under Pressure
– https://www.slideshare.net/InfoQ/incident-response-tradeoffs-under-
pressure
26. References
• Blameless PostMortems and a Just Culture
– https://codeascraft.com/2012/05/22/blameless-postmortems/
• The infinite hows
– https://www.oreilly.com/ideas/the-infinite-hows
• Debriefing Facilitation Guide
– https://extfiles.etsy.com/DebriefingFacilitationGuide.pdf
• Was it technical failure or human error?
– https://www.youtube.com/watch?v=Ygx2AI2RtkI
• AWS Monitoring & Logging
– https://www.slideshare.net/JasonPoley/aws-monitoring-logging
• Container & Microservice Security
– https://www.youtube.com/watch?v=8tDpGyVV8OQ