DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats.
In this session, we’ll look at successful practices that distributed and diverse teams use to iterate rapidly. We’ll discuss how a container platform can serve as the foundation for DevSecOps in your organization. We'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, we'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.
Slides for web-vulnerabilities talk I had at Evo Summer Python Lab'17 (Internship at EVO.company).
Overview of main types of vulnerabilities in the web applications as well as ways to prevent them. Damn Vulnerable Web Application (http://dvwa.co.uk/) and Damn Vulnerable Python Web Application (https://github.com/anxolerd/dvpwa) were used as demonstration software.
This is a presentation give to the Vancouver Drupal users group about moving to GIT as a version control system for a small development team. The presentation details the workflow we settled on, and the git flow method for branch management. You can see a video of the presentation here - http://www.ustream.tv/recorded/13544036
What is DevOps, why do we need it and how do I get started with it? Certainly it is the new buzz world in the world of Agile is "DevOps".
This presentation will help you get started with DevOps.
iOS CI/CD: Continuous Integration and Continuous Delivery ExplainedSemaphore
Continuous integration and continuous delivery (CI/CD) is widely used by development teams, even in open-source communities. It offers a sustainable way to test and deploy code many times a day without the hurdle of doing it manually.
In this guide, you’ll learn the foundations of getting started with CI/CD for iOS.
To introduce and motivate some best practice around version control and Git.
Resources:
https://en.wikipedia.org/wiki/Version_control
https://git-scm.com/
https://try.github.io
http://rogerdudler.github.io/git-guide/
http://ohshitgit.com/
https://www.atlassian.com/git/tutorials
https://www.datacamp.com/courses/introduction-to-git-for-data-science
Slides for web-vulnerabilities talk I had at Evo Summer Python Lab'17 (Internship at EVO.company).
Overview of main types of vulnerabilities in the web applications as well as ways to prevent them. Damn Vulnerable Web Application (http://dvwa.co.uk/) and Damn Vulnerable Python Web Application (https://github.com/anxolerd/dvpwa) were used as demonstration software.
This is a presentation give to the Vancouver Drupal users group about moving to GIT as a version control system for a small development team. The presentation details the workflow we settled on, and the git flow method for branch management. You can see a video of the presentation here - http://www.ustream.tv/recorded/13544036
What is DevOps, why do we need it and how do I get started with it? Certainly it is the new buzz world in the world of Agile is "DevOps".
This presentation will help you get started with DevOps.
iOS CI/CD: Continuous Integration and Continuous Delivery ExplainedSemaphore
Continuous integration and continuous delivery (CI/CD) is widely used by development teams, even in open-source communities. It offers a sustainable way to test and deploy code many times a day without the hurdle of doing it manually.
In this guide, you’ll learn the foundations of getting started with CI/CD for iOS.
To introduce and motivate some best practice around version control and Git.
Resources:
https://en.wikipedia.org/wiki/Version_control
https://git-scm.com/
https://try.github.io
http://rogerdudler.github.io/git-guide/
http://ohshitgit.com/
https://www.atlassian.com/git/tutorials
https://www.datacamp.com/courses/introduction-to-git-for-data-science
CI/CD Best Practices for Your DevOps JourneyDevOps.com
The journey to realizing DevOps in any organization is fraught with a number of obstacles for developers and other stakeholders. These challenges are often caused by key CI/CD practices being misunderstood, partially implemented or even completely skipped. Now, as the industry positions itself to build on DevOps practices with a Software Delivery Management strategy, it’s more important than ever that we implement CI/CD best practices, and prepare for the future.
Join host Mitchell Ashely, and CloudBees’ Brian Dawson, DevOps evangelist, and Doug Tidwell, technical marketing director, as they explore and review the CI/CD best practices which serve as your stepping stones to DevOps and a successful Software Delivery Management strategy.
The webinar will cover CI/CD best practices including:
Containers and environment management
Continuous delivery or deployment
Movement from Dev to Ops
By the end of the webinar, you’ll understand the key steps for implementing CI/CD and powering your journey to DevOps and beyond.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talks and demo is relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes short for letting attendees do hands-on, the following will be required
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...Edureka!
This DevOps Tutorial takes you through what is Configuration Management all about and basic concepts of Infrastructure as code. It also compares the four most widely used Configuration Management tools i.e. Chef, Puppet, Ansible and SaltStack.
Check our complete DevOps YouTube playlist here: http://goo.gl/O2vo13
DevOps Tutorial Blog Series here: https://goo.gl/P0zAfF
Who Is A DevOps Engineer? | DevOps Skills You Must Master | DevOps Engineer M...Edureka!
** DevOps Engineer Masters Program: https://www.edureka.co/masters-program/devops-engineer-training **
This Edureka PPT on "DevOps Engineer" will explain what does it take to become a successful DevOps Engineer, and what industries are looking for in a DevOps Professional. We have included various DevOps job roles that you can apply for. Below are the topics included in the PPT:
1. Who is a DevOps Engineer?
2. DevOps Engineer Skills
3. DevOps Engineer Job Description
4. DevOps Masters Course At Edureka
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Gitlab - Creating C++ applications with Gitlab CIUilian Ries
Gitlab is a complete tool that integrates everything from project management to product construction. In this talk I will present how a C ++ project can be analyzed, built, tested and deployed using Gitlab.
Amsterdam, May 2018
Even DevOps purists are now embracing the DevSecOps term as they’ve recognized how siloed security often remains. Security still gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. Distributed development teams and rapid iterative releases require a commitment to security approaches that are continuous, adaptive, and heavily automated.
In this session, Red Hat Technology Evangelist Gordon Haff will discuss successful practices for using a rich ecosystem of open source and other software to bake security into the development and deployment pipeline to both iterate quickly and minimize business risk. He’ll discuss how container platforms and other cloud-native tooling can serve as the foundation for DevSecOps. Finally, he’ll look at good practices for integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
CI/CD Best Practices for Your DevOps JourneyDevOps.com
The journey to realizing DevOps in any organization is fraught with a number of obstacles for developers and other stakeholders. These challenges are often caused by key CI/CD practices being misunderstood, partially implemented or even completely skipped. Now, as the industry positions itself to build on DevOps practices with a Software Delivery Management strategy, it’s more important than ever that we implement CI/CD best practices, and prepare for the future.
Join host Mitchell Ashely, and CloudBees’ Brian Dawson, DevOps evangelist, and Doug Tidwell, technical marketing director, as they explore and review the CI/CD best practices which serve as your stepping stones to DevOps and a successful Software Delivery Management strategy.
The webinar will cover CI/CD best practices including:
Containers and environment management
Continuous delivery or deployment
Movement from Dev to Ops
By the end of the webinar, you’ll understand the key steps for implementing CI/CD and powering your journey to DevOps and beyond.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talks and demo is relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes short for letting attendees do hands-on, the following will be required
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
Chef vs Puppet vs Ansible vs SaltStack | Configuration Management Tools Compa...Edureka!
This DevOps Tutorial takes you through what is Configuration Management all about and basic concepts of Infrastructure as code. It also compares the four most widely used Configuration Management tools i.e. Chef, Puppet, Ansible and SaltStack.
Check our complete DevOps YouTube playlist here: http://goo.gl/O2vo13
DevOps Tutorial Blog Series here: https://goo.gl/P0zAfF
Who Is A DevOps Engineer? | DevOps Skills You Must Master | DevOps Engineer M...Edureka!
** DevOps Engineer Masters Program: https://www.edureka.co/masters-program/devops-engineer-training **
This Edureka PPT on "DevOps Engineer" will explain what does it take to become a successful DevOps Engineer, and what industries are looking for in a DevOps Professional. We have included various DevOps job roles that you can apply for. Below are the topics included in the PPT:
1. Who is a DevOps Engineer?
2. DevOps Engineer Skills
3. DevOps Engineer Job Description
4. DevOps Masters Course At Edureka
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Gitlab - Creating C++ applications with Gitlab CIUilian Ries
Gitlab is a complete tool that integrates everything from project management to product construction. In this talk I will present how a C ++ project can be analyzed, built, tested and deployed using Gitlab.
Amsterdam, May 2018
Even DevOps purists are now embracing the DevSecOps term as they’ve recognized how siloed security often remains. Security still gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. Distributed development teams and rapid iterative releases require a commitment to security approaches that are continuous, adaptive, and heavily automated.
In this session, Red Hat Technology Evangelist Gordon Haff will discuss successful practices for using a rich ecosystem of open source and other software to bake security into the development and deployment pipeline to both iterate quickly and minimize business risk. He’ll discuss how container platforms and other cloud-native tooling can serve as the foundation for DevSecOps. Finally, he’ll look at good practices for integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Ernest Mueller, Karthik Gaekwad, and James Wickett, the Agile Admins (http://theagileadmin.com) delivered this presentation on what's hot in DevOps in 2015 for the BrightTALK Summit. The video is online at https://www.brighttalk.com/webcast/5742/154715
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
This session will cover the foundations DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.
Here is the small presentation on DevOps to DevSecOps Journey..
- What is DevOps and their best practices.
- Practical Scenario of DevOps practices.
- DevOps transformation Journey.
- Transition to DevSecOps and why we need it.
- Enterprise CI/CD Pipeline.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
As DevOps practices have been put into wide use, it's become evident that developers and operations aren't merging to become one discipline. Nor is operations simply going away. Rather, DevOps is leading software development and operations - together with other practices such as security - to collaborate and coexist with less overhead and conflict than in the past.
In his session at @DevOpsSummit at 19th Cloud Expo, Gordon Haff, Red Hat Technology Evangelist, will discuss what modern operational practices look like in a world in which applications are more loosely coupled, are developed using DevOps approaches, and are deployed on software-defined, and often containerized, infrastructures - and where operations itself is increasingly another "as a service" capability from the perspective of developers.
How does the operations tool chest change? How does the required skill set differ? How are the interactions between operations and other IT and business organizations different from in the past? How can operations provide the confidence to the entire organization that this new pipeline is still delivering non-functional requirements such as regulatory compliance and a secure and certified operating environment? How does operations safely consume vendor and upstream dependencies while meeting developer desires for the latest and greatest?
Operations is more important than ever for a business to derive value from its IT organization. But the roles and the goals of operations are significantly different than they were historically.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show off how easily it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples DevOps team can implement for free.
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
Explores how DevSecOps can enable continuous security assessment in Agile development by integrating various categories of security tools into your continuous integration / continuous delivery (CI/CD) pipeline.
Presented at OWASP Global AppSec DC, Sept 2019.
De facto DevOps, de facto Agile. Today DevOps is the Manufacturing Revolution of Our Age. There is no escape for us. When got a DevOps, you got a DevOps.
DevOps simply is the combination of cultural philosophies,practices,and tools that increase an organization’s ability to deliver applications and services at high velocity : evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Amazon Web Services
For today’s digital organizations, even a few minutes of downtime can mean millions of dollars lost and customers who go elsewhere. To keep up with customer expectations, organizations must handle and prioritize real-time operations at a scale that didn’t exist before. However, developing this competency is easier said than done, especially without a solid understanding of the capabilities needed to drive real-time operations across cloud and on-premises environments. In this session, we explore how innovations around machine learning, automation, and analytics, when combined with modern incident management best practices, can improve operational performance, team productivity, and drive business results. This session is brought to you by AWS partner, PagerDuty, Inc.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys
Utsav Sanghani, Product Manager, Integrations and Alliance at Synopsys presented on how to "Black Duck your Code Faster with Black Duck Integrations." For more information, please visit www.blackducksoftware.com
Black Duck On-Demand-Audits von über 1.100
kommerziellen Anwendungen im Jahr 2017
verdeutlichen die ständigen Herausforderungen, vor
denen Unternehmen stehen, um Open Source effektiv
zu erkennen und zu sichern.
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys
At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed, everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed and how some of the requirements therein may for instance conflict with the GNU General Public license. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given and how potential problems can be prevented.
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys
Flight Amsterdam Presentation by Daniel Hedley and Georgie Collins, Partners, Irwin Mitchell looked at the intersection of the GDPR and open source software management and the laws which govern how organisations must respond to data breaches (including GDPR and NISD), how to prepare for a data breach, and what to do if the worst happens.
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys
Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group
Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys
A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source Insight!
2018 is the Open Source Rookies report’s 10th anniversary, brought to you by Black Duck by Synopsys. This infographic shows the impressive number of projects started in 2017 and the distribution across the world and a wide range of categories. Narrowing them down was hard! The open source community continues to produce innovative and influential open source projects.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys
Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys
This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions.
Read on for all the open source security and cybersecurity news you need to know this week.
Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys
Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk.
Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
2. ● DevOps “purists” point out that security was
always part of DevOps
● Did people just not read the book?
● Did people not understand the book?
● Are practitioners just skipping security
anyway?
WHY DevSecOps?
7. ● A new silo
● Devs (often) don’t grok (even) traditional security
● Assembled applications and supply chains
● Security not integrated into pipeline
What’s the Problem?
12. 2017 RC2
Injection
Broken authentication
Sensitive data exposure
XML External Entities (XXE)
Broken access control
Security misconfiguration
Cross-site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging & monitoring
OWASP Top 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access
13. 2017 RC2
Injection
Broken authentication
Sensitive data exposure
XML External Entities (XXE)
Broken access control
Security misconfiguration
Cross-site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging & monitoring
OWASP Top 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access
14. …utilizing billions of available libraries,
frameworks and utilities
● Not all are created equal, some are
healthy and some are not
● All go bad over time, they age like milk,
not like wine
● Enterprises consume an average 229,000
software components annually, of which
17,000 had a known security vulnerability
Applications are ‘assembled’...
22. What are containers?
● Sandboxed application processes
on a shared Linux OS kernel
● Simpler, lighter, and denser than
virtual machines
● Portable across different
environments
● Package my application and all of
its dependencies
● Deploy to any environment in
seconds and enable CI/CD
● Easily access and share
containerized components
Sys-Admins / Ops Developers
It Depends on Who You Ask
23. Containers technical timeline
LXC Initial
release
Aug ‘08
OpenShift
online
May
‘11
Docker Initial
release
Mar
‘13
OpenShift
Enterprise 3.0
Jun‘
15
Open
Container
Initiative
Initial release,
Buildah
Jun
‘17
Moby
Apr
‘17
Sep
‘17
CRI-O
24. Open source, leadership, and standards
● Docker/Moby
● Kubernetes/OpenShift
● OCI Specifications
● Cloud Native Technical Leadership
● Vendor/partner ecosystem
The community landscape
25. ● Docker, Red Hat et al. June 2015
● Two Specifications
● Runtime
○ How to run a “filesystem bundle” that is unpacked on disk
● Image Format
○ How to create an OCI Image that contains sufficient information
to launch the application on the target platform
Open Container Initiative (OCI)
26. “Containers are an easy way to get a reasonable
percentage of security built in.”
John Willis
co-Author, DevOps Handbook
ServerlessConf 2017
30. Securing the assets
● Building code
○ Watching for changes in how things get built
○ Signing the builds
● Built assets
○ Scripts, binaries, packages (RPMs), containers
(OCI images), machine images (ISOs, etc.)
○ Registries (Service, Container, App)
○ Repositories (Local on host images assets)
Safe at Titan Missile Museum
https://upload.wikimedia.org/wikipedia/commons/5/59/Red_Safe%2C_Titan_Missile_Museum.jpg
31. Registries
● Do you require a private registry?
● What security meta-data is available
for your images?
● Are the images in the registry
updated regularly?
● Are there access controls on the
registry? How strong are they? Who
can push images to the registry?
32. ● Potentially lots of parallel builds
● Source code
● Where is it coming from?
● Who is it coming from?
● Supply Chain Tooling
● CI tools (e.g. Jenkins)
● Testing tools
● Scanning Tools (e.g. Black Duck)
Securing the development process
Boeing's Everett factory near Seattle
https://upload.wikimedia.org/wikipedia/commons/c/c8/At_Boeing%27s_Everett_factory_near_Seattle_%289130160595%29.jpg
Creative Commons
33. Ensure the application code is compliant
Ensure the pipeline is not compromised
Systematic, on-going, and automated
Securing the development process
Repo Scan
Image
Build
Scan
Dev
Deploy
Test
34. ● How do ensure that all these
variations are working and
supported together?
● Containers and container
ecosystems help vendors to
continuously secure their
software
Track third-party development technologies
35. ● Trusted registries and repos
● Signature authenticating and authorizing
● Image scanning
● Policies
● Ongoing assessment with automated
remediation
Securing the operations: Deployment
Mission Control - Apollo 13
https://c1.staticflickr.com/4/3717/9460197822_9f6ab3f30c_b.jpg
36. ● Blue Green or A/B or Canary,
continuous deployments
● Monitoring deployments
● Possibly multiple environments
Securing the operations: Lifecycle
37. ● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
Securing the operations: Monitoring and metrics
38. “... we estimate that fewer than 20% of enterprise security architects
have engaged with their DevOps initiatives to actively and systematically
incorporate information security into their DevOps initiatives; and fewer still
have achieved the high degrees of security automation required to qualify as
DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have
incorporated automated security vulnerability and configuration
scanning for open source components and commercial packages, up from
less than 10% in 2016.”
How are we doing?
DevSecOps: How to Seemlessly Integrate Security Into DevOps, Gartner Inc. September 2016