DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes in CI and CD. DevSecOps goes beyond automating security testing, and there are common misconceptions and roadblocks on the way to establishing it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where security integration takes place in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
[DevSecOps Live] DevSecOps: Challenges and Opportunities (Mohammed A. Imran)
In this Practical DevSecOps "DevSecOps Live" online meetup, you'll learn about DevSecOps challenges and opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance, on his DevSecOps journey.
He will cover the DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session:
- DevSecOps challenges.
- DevSecOps opportunities.
- Converting challenges into opportunities.
- Quick wins and lessons learned.
- … and more useful takeaways!
The Practical DevSecOps course is designed to help individuals and organisations implement DevSecOps practices to achieve massive scale in security. The course is divided into 13 chapters; each chapter has theory, followed by demos and any limitations we need to keep in mind while implementing them.
More details here - https://www.practical-devsecops.com/
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
DevSecOps (short for development, security, and operations) is a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Here is a short presentation on the DevOps to DevSecOps journey:
- What DevOps is and its best practices.
- Practical Scenario of DevOps practices.
- DevOps transformation journey.
- Transition to DevSecOps and why we need it.
- Enterprise CI/CD Pipeline.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c... (Mohamed Nizzad)
This presentation outlines DevOps, DevSecOps, the characteristics of DevSecOps, DevSecOps practices, the benefits of implementing DevSecOps, implementation frameworks, and the challenges in implementing DevSecOps.
In the world of DevSecOps, as you might expect, we have three teams working together: Development, Security, and Operations.
The “Sec” of DevSecOps introduces changes into the following:
• Engineering
• Operations
• Data Science
• Compliance
Today's cutting-edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation helps you catch bugs sooner and accelerates developer productivity. In this session we will share how AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
How to build security into the DevOps environment. Introduction to DevSecOps for DevOps / Agile enthusiasts and practitioners. Presented at the Czech DevOps meet-up.
Collaborative security: Securing open source software (Priyanka Aash)
There’s no guarantee that software will ever be free from vulnerabilities, whether it is open source or proprietary, but there is still plenty we can do. The Linux Foundation CTO Nicko van Someren will discuss new tools and techniques that help improve the security and quality of open source projects, presenting data from various open source projects including pre- and post-Heartbleed OpenSSL.
(Source : RSA Conference USA 2017)
As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is that secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it's imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Secure application deployment in the age of continuous delivery (Tim Mackey)
Software security often evokes negative feelings among software developers because it is associated with additional programming effort, uncertainty, and road-blocking activity on a fast release cycle. Secure software developers must follow a number of guidelines that, while intended to satisfy regulations, can be very restrictive and difficult to understand. Hasan Yasar believes that the Secure DevOps movement combats this negative view by shifting the paradigm. Rather than blindly following required security practices and identified security controls, Secure DevOps developers learn how to think about making their applications more secure and better able to absorb attacks while continuing to function. This shift in thinking from a “prevent” to a “bend, don’t break” mind-set provides more flexibility when dealing with attacks. Join Hasan as he explores how to integrate secure coding into your DevOps process—with a focus on continuous integration, infrastructure as code, continuous deployment, and an automated integrated development platform.
VMware Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" (Aaron Rinehart)
This session will cover the foundations of DevSecOps and the application of Chaos Engineering to cyber security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, open source, and how we pioneered the application of Chaos Engineering to cyber security.
We will cover how DevSecOps and Security Chaos Engineering allow teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know, Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest as outages, incidents, and breaches. In other words, security-focused Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes.
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines how to enable this transformation and the resulting benefits, including the delivery of more secure applications, a lower cost of managing your security posture, and full visibility into application and enterprise risks. www.cybric.io
Continuous security: Bringing agility to the secure development lifecycle (Rogue Wave Software)
Presented at AppSec California 2017. That software development is moving towards agile methodologies and DevOps is a given; the question is: how do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Automotive safety has been a major concern for manufacturers everywhere and now the threat of automotive hacking looms. Your team may be familiar with safety standards and defensive coding techniques but do you know how to handle security threats at the code level? What can you do next to transform your processes and development strategies?
Join automotive experts from Rogue Wave Software for the first in a three-part series on securing your code and solidifying processes to ensure safe, defect-free software. By educating teams and understanding proven techniques, you’ll be able to take the next step towards less risk and more value for your applications.
In this first one-hour webinar you'll learn:
- Techniques to protect your automotive software systems from risk
- Tools that accelerate compliance with security and safety standards
- Tips to ensure defects are eliminated as early as possible
How to go from waterfall app dev to secure agile development in 2 weeks (Ulf Mattsson)
Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next.
Join this webinar presentation to learn:
- Why DevOps cannot effectively work in waterfall
- How to use DevOps tools to optimize processes in either development or operations through automation
We will also discuss what is needed to support full DevOps.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, it asks whether security in DevOps is important, who is responsible, and what teams can do to make security a competitive advantage.
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol... (CA Technologies)
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Solutions (Formerly Automic) and CA Privileged Access Manager
For more information on DevSecOps, please visit: http://ow.ly/u2pN50g63tN
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
With this presentation you'll learn how to:
-Protect your systems from risk
-Comply with security standards
-Ensure the entire codebase is bulletproof
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx (lior mazor)
Our technology, work processes, and activities all depend on whether we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" meetup to learn how to integrate security into the development process, advanced DevSecOps methods, how to implement secure coding analysis, and how to manage software security risks.
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, lists them, and maps them to other relevant projects such as STRIDE and MITRE. Security professionals can better understand which common attack vectors are used in attacks, see examples from previous events, and learn where they should focus their controls and security efforts.
Discusses security incidents and business use cases, understanding Web 3 pros and Web 3 cons, prevention mechanisms, and how to make sure that it doesn't happen to you.
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore) (Priyanka Aash)
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow Logs (Priyanka Aash)
Cloud Security Groups are the firewalls of the cloud. They are built in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world with no perimeters, Cloud Security Groups, the "cloud firewalls", fit in. We will practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, systems need to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to the increasing importance of ethical hacking. An ethical hacker's job is to scan for vulnerabilities and to find potential threats on a computer or network. An ethical hacker finds the weaknesses or loopholes in a computer, web application or network and reports them to the organization. It requires a thorough knowledge of networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, attacks, etc. In this session, you will learn all about ethical hacking. You will understand what ethical hacking is, cyber-attacks and tools, and see some hands-on demos. This session will also guide you through the various ethical hacking certifications available today.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an "infrastructure container kubernetes guy", how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could benefit or limit your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already have working for real.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerabilities and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of existing vulnerabilities, preventing the introduction of security issues into the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT Security Threat Landscape Report 2024 also covers:
- State of global ICS asset and network exposure
- Sectoral targets and attacks as well as the cost of ransom
- Global APT activity, AI usage, actor and tactic profiles, and implications
- Rise in volumes of AI-powered cyberattacks
- Major cyber events in 2024
- Malware and malicious payload trends
- Cyberattack types and targets
- Vulnerability exploit attempts on CVEs
- Attacks on counties – USA
- Expansion of bot farms – how, where, and why
- In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
- Why are attacks on smart factories rising?
- Cyber risk predictions
- Axis of attacks – Europe
- Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Dos and Don'ts of DevSecOps
1. DOS AND DON'TS OF DEVSECOPS
Session ID: DEV-F01
#RSAC
Hasan Yasar
Technical Manager, Adjunct Faculty Member
CERT | Software Engineering Institute | Carnegie Mellon University
@SecureLifeCycle
2. Notices
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution
Copyright 2018 Carnegie Mellon University. All Rights Reserved.
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM18-0424
4. 2017 Incident Highlights
• 159,700 total cyber incidents
• 7 billion records exposed in the first 3 quarters
• $5 billion financial impact
• 93% of breaches could have been prevented
* Source: Online Trust Alliance report 2018
5. Software Vulnerabilities (CVEs) by Year
Source: cve.mitre.org as of August 2017
6. The world we live in…
“Software is eating up the world!”
Marc Andreessen
https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
7. How We Manage Software Security: Application Security Metrics, Financial Institutes
Source: “Managing Application Security”, Security Compass, 2017.
8. Challenges with Secure Software Development
• Writing code is hard
• Lack of security skills
• Legacy software
• Best practices are insufficient
• Lack of risk focus, lack of audit and control points
• Wrong automated tools
• Unsupervised collaboration
• Emphasis on speed
• Vulnerabilities in the deployment pipeline
• Unprotected production environment
• Lack of security requirements traceability
9. So we all do “Last Minute Security”…
https://dzone.com/articles/last-minute-security-comic
11. Three Pillars, P3
DevOps enables “Continuous Everything” on:
• People
• Process
• Platform
12. BLUF (Bottom Line Up Front): People
• Heavy collaboration between all stakeholders
• Secure Design / Architecture decisions
• Secure Environment / Network configuration
• Secure Deployment planning
• Secure Code Review
• Constantly available open communication channels:
  • Dev and OpSec together in all project decision meetings
  • Chat/e-mail/Wiki services available to all team members
13. BLUF: Process
• Establish a process to enable people to succeed using the platform to develop secure applications
• Such that:
  • Constant communication, visible to all
  • Ensures that tasks are testable and repeatable
  • Frees up human experts to do challenging, creative work
  • Allows tasks to be performed with minimal effort or cost
  • Creates confidence in task success, after past repetitions
  • Faster deployment, frequent quality releases
14. BLUF: Platform
• Where people use process to build secure software
• Automated environment creation and provisioning
• Automated infrastructure testing
• Parity between Development, QA, Staging, and Production environments
• Sharing and versioning of environmental configurations
• Collaborative environment between all stakeholders
16. Enhancing SDLC Security: Secure DevOps Lifecycle
17. Security must be addressed without breaking the rapid delivery, continuous feedback model!
18. Enhancing SDLC Security: Secure DevOps Lifecycle (Devs)
19. Enhancing SDLC Security: Secure DevOps Lifecycle (Devs; continuous feedback to developers and others)
21. Automation
• Don’t leave security automation out of your DevOps automation strategy
• Automated security testing removes human error, infrequent execution, and excuses
• Don’t try to avoid open source with policies; it is coming whether you like it or not!
• InfoSec must maintain awareness of open source vulnerabilities and continuously check for them
22. Automation
You automate…
…builds
…functional tests
…deployment
…reporting
…the coffee machine (as we do)
23. Multiverse: Environment Parity
• When environments are not the same, the app may never behave predictably.
• Environment parity (between dev, test, prod) is critical for controlling the opportunity for security gaps
24. Multiverse: Environment Parity
• Automate manual steps to the extent possible
• Make development environment parity a priority
• Get Ops involved in creating all environments, including Dev
• Focus on providing fast, easy-to-use automation tools for developers and everyone else to keep environments in sync
25. Configuration: IaC
• Uncontrolled configuration changes will lead to an unmanageable, unpredictable, and unrepeatable solution
• Easy for info security to get out of sync; for example, one change in DNS and you have a security hole.
• Avoid the manual quick fix, particularly for configuration changes
• Put configuration files under configuration control
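The parity and configuration-control points of the last three slides can be turned into a pipeline gate: compare each environment's effective configuration against the version-controlled reference and fail when a security-relevant key has drifted. The following is an added example, not code from the slides or the SLS-ALL projects; it assumes each environment's configuration can be exported as a flat key/value mapping, and every key, value and the set of security-relevant keys is constructed for illustration.

```python
"""Environment parity / configuration drift gate.

Added example, not from the slides or the SLS-ALL projects. The reference mapping is the
version-controlled one; every key name and value below is constructed for illustration.
"""
from dataclasses import dataclass

# Keys whose drift opens a security gap rather than a mere functional difference.
# Constructed list; a real deployment would derive it from its own IaC schema.
SECURITY_KEYS = {"tls_min_version", "dns_resolver", "debug", "admin_network_cidr"}


@dataclass(frozen=True)
class Drift:
    env: str
    key: str
    expected: object  # value in the version-controlled reference
    actual: object    # value observed in the environment (None if the key is absent)
    security_relevant: bool


def find_drift(reference: dict, environments: dict) -> list:
    """Compare every environment against the reference; a missing key counts as drift."""
    drifts = []
    for env, cfg in environments.items():
        for key in sorted(set(reference) | set(cfg)):
            expected, actual = reference.get(key), cfg.get(key)
            if expected != actual:
                drifts.append(Drift(env, key, expected, actual, key in SECURITY_KEYS))
    return drifts


def parity_gate(reference: dict, environments: dict):
    """Return (passed, report). Any security-relevant drift fails the gate; other drift is
    reported as a warning so the team can restore parity without blocking the pipeline."""
    drifts = find_drift(reference, environments)
    report = [f"{'FAIL' if d.security_relevant else 'WARN'} {d.env}.{d.key}: "
              f"expected {d.expected!r}, found {d.actual!r}" for d in drifts]
    return not any(d.security_relevant for d in drifts), report


# Constructed sample: prod has had a manual DNS change (the "change in DNS and you have a
# security hole" case) and staging was left in debug mode; dev only differs in log level.
REFERENCE = {
    "tls_min_version": "1.2",
    "dns_resolver": "10.0.0.53",
    "debug": False,
    "admin_network_cidr": "10.0.1.0/24",
    "log_level": "info",
}
ENVIRONMENTS = {
    "dev": dict(REFERENCE, log_level="debug"),
    "staging": dict(REFERENCE, debug=True),
    "prod": dict(REFERENCE, dns_resolver="8.8.8.8"),
}

if __name__ == "__main__":
    passed, lines = parity_gate(REFERENCE, ENVIRONMENTS)
    print("\n".join(lines))
    print("parity gate:", "PASS" if passed else "FAIL")
```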
26. Infiltrator – Insider Threat
• He sneaks in…
• …and alters production… but he works for you!
• Set up roles and revoke administrative access to manually edit production
• Configure the prod environment to alert the entire team when manually accessed. Transparency is key.
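The "alert the entire team when production is manually accessed" control from the slide above, as an added example that is not code from the slides or the SLS-ALL projects. It assumes sshd and sudo syslog lines from production hosts reach a collector, that the only identity allowed to change production is the pipeline's service account, and that this account connects only from the CI runner network; the account name, network prefix and every log line are constructed.

```python
"""Alert the whole team on manual production access.

Added example, not from the slides or the SLS-ALL projects. Assumes sshd and sudo syslog
lines from production reach a collector, that only the pipeline's service account may change
production, and that it connects only from the CI runner network. All names, addresses and
log lines below are constructed.
"""
import re
from dataclasses import dataclass

AUTOMATION_USERS = {"deploy"}        # constructed: the pipeline's service account
CI_NETWORK_PREFIXES = ("10.0.5.",)   # constructed: where the CI runners live

SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; "
                      r"COMMAND=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Alert:
    kind: str    # "manual_login" or "manual_privileged_command"
    user: str
    detail: str


def is_automation(user, ip=None):
    """The service account counts as automation only when it comes from the CI network."""
    return user in AUTOMATION_USERS and (ip is None or ip.startswith(CI_NETWORK_PREFIXES))


def detect_manual_access(lines):
    """Turn raw sshd/sudo log lines into alerts for anything a human did by hand."""
    alerts = []
    for line in lines:
        m = SSH_LOGIN.search(line)
        if m:
            if not is_automation(m["user"], m["ip"]):
                alerts.append(Alert("manual_login", m["user"], f"{m['method']} login from {m['ip']}"))
            continue
        m = SUDO_CMD.search(line)
        # TTY=unknown is a non-interactive sudo, which is how the pipeline runs commands;
        # a real terminal on the service account still means a human at the keyboard.
        if m and not (is_automation(m["user"]) and m["tty"] == "unknown"):
            alerts.append(Alert("manual_privileged_command", m["user"], f"as {m['target']}: {m['cmd']}"))
    return alerts


def broadcast(alerts, send):
    """Send every alert to the whole team; `send` is any callable taking one string."""
    for a in alerts:
        send(f"[prod manual access] {a.kind} by {a.user}: {a.detail}")
    return len(alerts)


# Constructed sample log lines (host name, PIDs and addresses are invented).
SAMPLE_LOG = [
    "Mar  3 02:14:07 prod-web-1 sshd[2190]: Accepted publickey for deploy from 10.0.5.10 port 51234 ssh2",
    "Mar  3 02:14:09 prod-web-1 sudo:   deploy : TTY=unknown ; PWD=/opt/app ; USER=root ; COMMAND=/bin/systemctl restart app",
    "Mar  3 03:41:52 prod-web-1 sshd[2301]: Accepted publickey for alice from 10.0.9.22 port 50022 ssh2",
    "Mar  3 03:42:30 prod-web-1 sudo:    alice : TTY=pts/0 ; PWD=/etc/nginx ; USER=root ; COMMAND=/usr/bin/vi /etc/nginx/nginx.conf",
    "Mar  3 03:50:11 prod-web-1 sshd[2350]: Accepted password for deploy from 203.0.113.8 port 40100 ssh2",
]

if __name__ == "__main__":
    broadcast(detect_manual_access(SAMPLE_LOG), print)
```

The last sample line shows why the service account alone is not a sufficient signal: the same identity used from outside the CI network is still a manual (or stolen-credential) login and is alerted on.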
27. Incident: We have all been there…
Intrusions overnight…
…cascading system failures…
…it’s all crashing…
…help… me…
28. Response
• But you survive…
• Glad it’s over. Going to go sleep for 18 hours… and then back to the normal cycle.
• When do we analyze what went wrong?
• How do we prevent similar failures in the future?
• Just forget it, it’s over!
• All failures must result in codified change to the DevOps process
  • Understand exactly what went wrong
  • Never let the same failure happen twice
  • Propagate fixes across the enterprise
  • Ensure that you teach the next generation
29. Open Source Technology
98% of developers use open source tools (*)
Do you know what’s in your app?
• Code we wrote
• Code someone else wrote
(*) https://about.gitlab.com/2017/03/03/why-choose-open-source/
30. Open Source Technology
• Place infosec outside of the dev workflow
• When UI/UX, infosec and accessibility requirements conflict and never get resolved
• Dictate policy to not use open source
• Document-driven checking is not going to catch vulnerabilities
• Infosec must enable constant (read: automated) checking for open source vulnerabilities
• Create a centralized private repository of vetted 3rd party components for all developers
• Establish good product distribution practices
• Minimize variation of components to make things easier (multiple versions, duplicated utility)
Prepare for what is coming…
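The automated open-source checks asked for on slides 21 and 30 (continuous vulnerability checking, a private repository of vetted components, minimal version variation) can be enforced as one build gate over each service's pinned dependencies. The following is an added example, not code from the slides or the SLS-ALL projects; it assumes requirements-style lockfiles (name==version), an allow-list exported from the vetted repository, and advisories expressed as "versions below X are affected". Package names, versions and the advisory id are constructed placeholders, not real packages or CVEs.

```python
"""Dependency gate: vetted components, known-vulnerable versions and version sprawl.

Added example, not from the slides or the SLS-ALL projects. Assumes each service pins its
third-party components as name==version, that InfoSec publishes the private vetted
repository's contents as an allow-list, and that an advisory can be stated as "versions
below X are affected". Package names, versions and advisory ids are constructed.
"""
import re
from collections import defaultdict

PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")


def version_key(v):
    """Numeric-aware ordering for dotted versions, so "1.10.0" sorts after "1.9.2"."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def parse_lockfile(text):
    """Return {name: version}; anything unpinned is rejected so the gate cannot be bypassed."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def gate(lockfiles, vetted, advisories):
    """Check every service's pins; findings are (severity, service, component, message).
    vetted: {name: {approved versions}}; advisories: [(name, first_fixed_version, id)]."""
    findings = []
    seen = defaultdict(set)   # component -> versions in use across all services
    for service, text in lockfiles.items():
        for name, version in parse_lockfile(text).items():
            seen[name].add(version)
            if version not in vetted.get(name, set()):
                findings.append(("error", service, name, f"{version} is not in the vetted repository"))
            for adv_name, fixed, adv_id in advisories:
                if adv_name == name and version_key(version) < version_key(fixed):
                    findings.append(("error", service, name, f"{version} affected by {adv_id}, fixed in {fixed}"))
    # "Minimize variation of components": one library at several versions is a warning.
    for name, versions in seen.items():
        if len(versions) > 1:
            findings.append(("warn", "*", name, "used at multiple versions: " + ", ".join(sorted(versions))))
    return findings


# Constructed sample data; ADV-EXAMPLE-001 is a placeholder id, not a real advisory.
VETTED = {"widgetlib": {"1.3.2", "1.4.0"}, "jsonparse": {"2.1.0", "2.2.0"}, "netutil": {"0.9.0"}}
ADVISORIES = [("jsonparse", "2.2.0", "ADV-EXAMPLE-001")]
LOCKFILES = {
    "api": "widgetlib==1.4.0\njsonparse==2.1.0  # TODO upgrade\nnetutil==0.9.1\n",
    "worker": "widgetlib==1.3.2\njsonparse==2.2.0\n",
}

if __name__ == "__main__":
    for severity, service, name, msg in gate(LOCKFILES, VETTED, ADVISORIES):
        print(f"{severity.upper():5} {service:7} {name}: {msg}")
```

Note that a version can be in the vetted repository and still be flagged by a newer advisory; the allow-list and the advisory feed are separate inputs on purpose, so the gate keeps working when only one of them has been updated.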
31. Continuous Delivery: Rollback
• Once you jump, you can’t return to the plane.
• You are committed. Permanently.
• This is not how we should model our deployments
• Rollback is essential; never be left without an escape route to completely working software
• Strive for approaches that support “one button” rollback (e.g., feature flags or A/B)
32. SLS team GitHub Projects
• One Click DevOps deployment: https://github.com/SLS-ALL/devops-microcosm
• Sample app with DevOps Process: https://github.com/SLS-ALL/flask_api_sample
  • Tagged checkpoints
    • v0.1.0: base Flask project
    • v0.2.0: Vagrant development configuration
    • v0.3.0: Test environment and Fabric deployment
    • v0.4.0: Upstart services, external configuration files
    • v0.5.0: Production environment
• On YouTube: https://www.youtube.com/watch?v=5nQlJ-FWA5A
33. For more information…
• SEI – Carnegie Mellon University
  • DevOps Blog: https://insights.sei.cmu.edu/devops
  • Webinar: https://www.sei.cmu.edu/publications/webinars/index.cfm
  • Podcast: https://www.sei.cmu.edu/publications/podcasts/index.cfm
• DevSecOps: http://www.devsecops.org
• Rugged Software: https://www.ruggedsoftware.org
34. Let us Apply what we have learned today
Next week:
• Change your mindset: say “We all are responsible for security”, not “You, I or somebody else!”
• Share what you have learned from failure
Next month(s):
• Start to build an integrated DevOps pipeline
• Make incremental security integration part of the application lifecycle
• Measure the results and keep iterating
By end of 2018:
• Continuous learning on “how and where we need to improve security of our app”
• Use DevOps to deploy secure applications: DevSecOps
35. Any Questions?
Hasan Yasar
Technical Manager, Secure Lifecycle Solutions
hyasar@sei.cmu.edu
@securelifecycle
37. What is DevOps?
DevOps is a set of principles and practices emphasizing collaboration and communication between software development teams and IT operations staff along with acquirers, suppliers and other stakeholders in the life cycle of a software system [1]
[1] IEEE P2675 DevOps Standard for Building Reliable and Secure Systems Including Application Build, Package and Deployment
The history of DevOps
• Patrick Debois, “Agile infrastructure and operations: how infra-gile are you?”, Agile 2008
• John Allspaw, “10+ Deploys per Day: Dev and Ops Cooperation”, Velocity 2009
• DevOpsDays, October 30th 2009: the #DevOps term is born
38. Who are Dev?
Want to deliver software faster with new requirements…
• Follow Agile methodologies
• Using Scrum, Kanban and modern development approaches
• Self-directing, self-managed, self-organized
• Using any new technology
• Each Dev has own development strategy
• Open source
• Allowed to have close relationships with the business
• Software-driven economy
39. Who are Ops?
Want to maintain stability, reliability and security…
• Operations
  • Runs the application
  • Manages the infrastructure
  • Supports the applications
• Operations provides
  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operations
  • Secure systems
40. DevOps aims to increase…
…the pace of innovation
…responsiveness to business needs
…collaboration
…software stability and quality
…continuous feedback
41. DevOps has four Fundamental Principles
• Collaboration: between project team roles
• Infrastructure as Code: all assets are versioned, scripted, and shared where possible
• Automation: deployment, testing, provisioning, any manual or human-error-prone process
• Monitoring: any metric in the development or operational spaces that can inform priorities, direction, and policy
42. Collaboration: Many stakeholders
Stakeholders: Developers, IT Operations, Quality Assurance, Business Analyst, Information Security
Concerns: Deployment, Maintenance, Security, Programming, Infrastructure, Scalability, Networks, Functional Requirements, Performance, Testing, User Interface, Technical Documentation, Updates, Code Review, Release, Review, User Documentation, Data Privacy, Intrusion Detection, User Requirements, Business Constraints, Legal Issues, Market Needs, Budgets / Timelines, Monitoring, Incident response
43. Collaboration: Silos inhibit collaboration and cause poor communication
44. Infrastructure as Code (IaC)
A program that creates infrastructure.
A concretely defined description of the environment is good material for conversation between team members.
45. Automation: Continuous Integration (CI)
46. Automation: Continuous Delivery / Deployment (CD)
Shift Left: Operational Concerns Enforced by Continuous Delivery