SlideShare a Scribd company logo

Extract Oct 2019: DSO-LG Rolling Slides

Download as PPTX, PDF
M
Michael Man

Latest version of the basic rolling slides used at DevSecOps - London Gathering evenings. Ideas for 2020 - please provide input/feedback back to Michael Man.

1 of 10
WAYS TO STAY IN TOUCH https://www.meetup.com/DevSecOps-London-Gathering https://www.linkedin.com/company/devsecops-london- gathering https://twitter.com/DevSecOps_LG https://www.youtube.com/channel/UCR4oVMkRjNN2OQa WMiBcfJA
SLIDES & REFERENCES https://www.vr- security.com/references https://www.vr- security.com/presentations
DSO-LG 2020 Topic defined below for each month; now looking for speakers • Focus sessions each month running from January – August • Microservices (backend) application architecture • Frontend browser client • Frontend mobile client • Core security application component (handling secret and/or “important data”) • Infrastructure evolution: Compute, Containers (incl K8), Serverless • “In line” and “out of band” security testing • Challenges with integrating security testing tools • Each session will give examples: • Types of pipeline, threat models, security testing and governance/guardrails ”Application Security Transformation Journey Moving From A Monolithic To Microservices Architecture”
SHOUT OUT *** Meetups *** OWASP London Chapter www.meetup.com/OWASP-London/ OWASP WIA www.meetup.com/womeninappsec/ DevSecOps Manchester www.meetup.com/DevSecOps-Manchester/ DevSecOps – Netherlands www.meetup.com/DevSecOps-Netherlands/ LLHS www.meetup.com/LLHS-Ladies-of-London-Hacking- Society/ London Code Quality Meetup *** Technology Specific *** Docker London www.meetup.com/Docker-London/ Kubernetes London www.meetup.com/Kubernetes-London/ Threat Modeling www.meetup.com/The-Threat-Modeling-Meetup/ Istio London www.meetup.com/Istio-London/
SHOUT OUT *** Conferences *** DevSecCon London* https://www.devseccon.com/london -2019/ Open Security Summit https://open-security-summit.org/ BSides London https://www.securitybsides.org.uk/ QCon London https://qconlondon.com/ * https://www.devseccon.com/scholarship-program-application/ I’ve bought a Early Bird ticket – anybody else?
Dev Workstation Build Server Centralize Report (Vulnerability Management) Server SCM Static Code Analysis (SAST) Dynamic Testing (DAST) Interactive Testing (IAST) Open Source Component Security Manual Penetration Testing – Out of Band Scope: Application and Network layer – White/Black box Defect Management AUTOMATION INTEGRATION POINTS SECURITYASSURANCEMODEL Container Security Infrastructure As Code Scanning DEVSECOPS FRAMEWORK (OCT 2019) * A framework is a pre-built general or special purpose architecture that's designed to
IDE Static Code Analysis SCM Dynamic Analysis Open Source Software Security Security Testing Framework Binary Repository Define Security Test CasesThreat Modeling Security Standards Automation Tools: Passing Criteria Risk Management Out of Band Security Testing Security Champions DevSecOps Engineer Security Audit Artifacts CI Build Server DEVSECOPS – TOOLING & ASSURANCE EXAMPLES (OCT 2019) curl nmap sslyze sqlmap Interactive Testing Infrastructure Assurance Threat Modeling Container Security
“DIFFERENT” DEVSECOPS ROLES “Terminology provides clarity and confusion.” Michael Man Throughout this year 2019, it appears that there are 3 (rightly or wrongly) types of DevSecOps roles (October 2019) that I have come across …. Food for thought: • People with experience with automating infrastructure deployments (Infrastructure as Code; Cloud Engineers). • People experienced with designing and implementing security testing tools and integrating those into pipelines (Application Security Tooling). • People who works with the development team to review, triage and remediate the security findings from the various testing conducted as part of the delivery pipeline (Security Champions, Embedded Security SME).
DEVSECOPS – PEOPLE & CULTURE • Break down the silo; no change here, just like the original DevOps movement • Not aware of what is going on – likely you are not part of the “DevSecOps” team; leave your ivory tower and build relationships • Conduct a Value Stream Mapping exercise to optimize your delivery (rinse and repeat) • Drill down and sketch out the details of each workflow before solutionising • Try new checks/controls as part of the pipeline

Recommended

Threat Modeling with Threat Dragon
Threat Modeling with Threat DragonThreat Modeling with Threat Dragon
Threat Modeling with Threat Dragon
Steven Carlson
 
Product Security
Product SecurityProduct Security
Product Security
Steven Carlson
 
Securing Devops_toolchain
Securing Devops_toolchainSecuring Devops_toolchain
Securing Devops_toolchain
Suman Chakraborty
 
Implement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.comImplement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.com
SARCCOM
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
Steven Carlson
 
Code Review | 2010
Code Review | 2010Code Review | 2010
Code Review | 2010Klocwork
 
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource Webinar What's New With WhiteSource in December 2018WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 

Recommended

Threat Modeling with Threat Dragon
Threat Modeling with Threat DragonThreat Modeling with Threat Dragon
Threat Modeling with Threat Dragon
Steven Carlson
 
Product Security
Product SecurityProduct Security
Product Security
Steven Carlson
 
Securing Devops_toolchain
Securing Devops_toolchainSecuring Devops_toolchain
Securing Devops_toolchain
Suman Chakraborty
 
Implement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.comImplement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.com
SARCCOM
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
Steven Carlson
 
Code Review | 2010
Code Review | 2010Code Review | 2010
Code Review | 2010Klocwork
 
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource Webinar What's New With WhiteSource in December 2018WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
VIPER
VIPERVIPER
VIPER
Vikas Kore
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
DevSecCon
 
How can agile help you in clearing the technical debt
How can agile help you in clearing the technical debtHow can agile help you in clearing the technical debt
How can agile help you in clearing the technical debtManu Pk
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
Mobile application security tools
Mobile application security toolsMobile application security tools
Mobile application security tools
QTMContent
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource WebinarFind Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life
OWASP
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon
 
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
José Vila - ¿Otro parche más? No, por favor. [rooted2018]José Vila - ¿Otro parche más? No, por favor. [rooted2018]
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
RootedCON
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application Security
Black Duck by Synopsys
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Tim Mackey
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
WhiteSource
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
Black Duck by Synopsys
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London Gathering
Michael Man
 
3830100.ppt
3830100.ppt3830100.ppt
3830100.ppt
azida3
 

More Related Content

What's hot

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
VIPER
VIPERVIPER
VIPER
Vikas Kore
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
DevSecCon
 
How can agile help you in clearing the technical debt
How can agile help you in clearing the technical debtHow can agile help you in clearing the technical debt
How can agile help you in clearing the technical debtManu Pk
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
Mobile application security tools
Mobile application security toolsMobile application security tools
Mobile application security tools
QTMContent
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource WebinarFind Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life
OWASP
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon
 
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
José Vila - ¿Otro parche más? No, por favor. [rooted2018]José Vila - ¿Otro parche más? No, por favor. [rooted2018]
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
RootedCON
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application Security
Black Duck by Synopsys
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Tim Mackey
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
WhiteSource
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
Black Duck by Synopsys
 

What's hot (20)

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
VIPER
VIPERVIPER
VIPER
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
 
How can agile help you in clearing the technical debt
How can agile help you in clearing the technical debtHow can agile help you in clearing the technical debt
How can agile help you in clearing the technical debt
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
 
Mobile application security tools
Mobile application security toolsMobile application security tools
Mobile application security tools
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource WebinarFind Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
 
[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
 
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
José Vila - ¿Otro parche más? No, por favor. [rooted2018]José Vila - ¿Otro parche más? No, por favor. [rooted2018]
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application Security
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
 

Similar to Extract Oct 2019: DSO-LG Rolling Slides

August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London Gathering
Michael Man
 
3830100.ppt
3830100.ppt3830100.ppt
3830100.ppt
azida3
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
CYBRIC
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slidesSteve Arnold
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
DevOps Indonesia
 
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
scoopnewsgroup
 
Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security Essentials
Sven Schleier
 
How not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapHow not to fall into the DevSecOps trap
How not to fall into the DevSecOps trap
Matteo Emili
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
Michele Chubirka
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Security for developers
Security for developersSecurity for developers
Security for developers
Abdelrhman Shawky
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps for Enterprise Systems
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps.com
 

Similar to Extract Oct 2019: DSO-LG Rolling Slides (20)

August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London Gathering
 
3830100.ppt
3830100.ppt3830100.ppt
3830100.ppt
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
FedScoop Public Sector Innovation Summit DOD Enterprise DevSecOps Initiative ...
 
Profile_Ahmad2
Profile_Ahmad2Profile_Ahmad2
Profile_Ahmad2
 
Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security Essentials
 
How not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapHow not to fall into the DevSecOps trap
How not to fall into the DevSecOps trap
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
Security for developers
Security for developersSecurity for developers
Security for developers
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 

More from Michael Man

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
Michael Man
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam Cram
Michael Man
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
Michael Man
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
Michael Man
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling Examples
Michael Man
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019
Michael Man
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
Michael Man
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)
Michael Man
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Michael Man
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Michael Man
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
Michael Man
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
Michael Man
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...
Michael Man
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
Michael Man
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - Extract
Michael Man
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
Michael Man
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOps
Michael Man
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test Automation
Michael Man
 

More from Michael Man (20)

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam Cram
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling Examples
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - Extract
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOps
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test Automation
 

Recently uploaded

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 

Recently uploaded (20)

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 

Extract Oct 2019: DSO-LG Rolling Slides

  • 1.
  • 2. WAYS TO STAY IN TOUCH https://www.meetup.com/DevSecOps-London-Gathering https://www.linkedin.com/company/devsecops-london- gathering https://twitter.com/DevSecOps_LG https://www.youtube.com/channel/UCR4oVMkRjNN2OQa WMiBcfJA
  • 4. DSO-LG 2020 Topic defined below for each month; now looking for speakers • Focus sessions each month running from January – August • Microservices (backend) application architecture • Frontend browser client • Frontend mobile client • Core security application component (handling secret and/or “important data”) • Infrastructure evolution: Compute, Containers (incl K8), Serverless • “In line” and “out of band” security testing • Challenges with integrating security testing tools • Each session will give examples: • Types of pipeline, threat models, security testing and governance/guardrails ”Application Security Transformation Journey Moving From A Monolithic To Microservices Architecture”
  • 5. SHOUT OUT *** Meetups *** OWASP London Chapter www.meetup.com/OWASP-London/ OWASP WIA www.meetup.com/womeninappsec/ DevSecOps Manchester www.meetup.com/DevSecOps-Manchester/ DevSecOps – Netherlands www.meetup.com/DevSecOps-Netherlands/ LLHS www.meetup.com/LLHS-Ladies-of-London-Hacking- Society/ London Code Quality Meetup *** Technology Specific *** Docker London www.meetup.com/Docker-London/ Kubernetes London www.meetup.com/Kubernetes-London/ Threat Modeling www.meetup.com/The-Threat-Modeling-Meetup/ Istio London www.meetup.com/Istio-London/
  • 6. SHOUT OUT *** Conferences *** DevSecCon London* https://www.devseccon.com/london -2019/ Open Security Summit https://open-security-summit.org/ BSides London https://www.securitybsides.org.uk/ QCon London https://qconlondon.com/ * https://www.devseccon.com/scholarship-program-application/ I’ve bought a Early Bird ticket – anybody else?
  • 7. Dev Workstation Build Server Centralize Report (Vulnerability Management) Server SCM Static Code Analysis (SAST) Dynamic Testing (DAST) Interactive Testing (IAST) Open Source Component Security Manual Penetration Testing – Out of Band Scope: Application and Network layer – White/Black box Defect Management AUTOMATION INTEGRATION POINTS SECURITYASSURANCEMODEL Container Security Infrastructure As Code Scanning DEVSECOPS FRAMEWORK (OCT 2019) * A framework is a pre-built general or special purpose architecture that's designed to
  • 8. IDE Static Code Analysis SCM Dynamic Analysis Open Source Software Security Security Testing Framework Binary Repository Define Security Test CasesThreat Modeling Security Standards Automation Tools: Passing Criteria Risk Management Out of Band Security Testing Security Champions DevSecOps Engineer Security Audit Artifacts CI Build Server DEVSECOPS – TOOLING & ASSURANCE EXAMPLES (OCT 2019) curl nmap sslyze sqlmap Interactive Testing Infrastructure Assurance Threat Modeling Container Security
  • 9. “DIFFERENT” DEVSECOPS ROLES “Terminology provides clarity and confusion.” Michael Man Throughout this year 2019, it appears that there are 3 (rightly or wrongly) types of DevSecOps roles (October 2019) that I have come across …. Food for thought: • People with experience with automating infrastructure deployments (Infrastructure as Code; Cloud Engineers). • People experienced with designing and implementing security testing tools and integrating those into pipelines (Application Security Tooling). • People who works with the development team to review, triage and remediate the security findings from the various testing conducted as part of the delivery pipeline (Security Champions, Embedded Security SME).
  • 10. DEVSECOPS – PEOPLE & CULTURE • Break down the silo; no change here, just like the original DevOps movement • Not aware of what is going on – likely you are not part of the “DevSecOps” team; leave your ivory tower and build relationships • Conduct a Value Stream Mapping exercise to optimize your delivery (rinse and repeat) • Drill down and sketch out the details of each workflow before solutionising • Try new checks/controls as part of the pipeline