This document discusses moving to a continuous deployment model to improve software security. It argues that the traditional release-based model is harmful, especially for security, as it results in long delays between when code is written and deployed. Continuous deployment aims to deploy small changes frequently, with developers pushing their own code to production. This gets developers more invested in the quality and security of the code they write. It also allows faster fixing of bugs and security issues when they are found. The document outlines steps to gradually implement continuous deployment and address common concerns about its impact on quality, compliance, and customers.
Fixing security by fixing software development - Nick Galbreath
Fixing Security by Fixing Software Development Using Continuous Deployment
Do you have an effective release cycle? Is your process long and archaic? Long release cycles are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and processes are needed to make implementation within your organization a (security) success.
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
(java2days) The Anatomy of Java Vulnerabilities - Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin, right? Well, maybe not. Java on the server can be just as much at risk as the client. In this talk we’ll cover all aspects of Java vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed, as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
Automate Application Quality Detection. Use Key Application Quality Metrics (# of SQL, Memory Allocated, CPU & GC Times, ...) captured during Automated Test Executions.
Let these Metrics act as Quality Gates. This leads to better quality software reaching the end of the Pipeline.
Security at Scale - Lessons from Six Months at Yahoo - Alex Stamos
This is my talk on building security at scale from Black Hat USA 2014. In it I outline the lessons I've learned from six months as Yahoo's CISO and share ideas for how the security industry can better address problems at web scale.
Docker/DevOps Meetup: Metrics-Driven Continuous Performance and Scalability - Andreas Grabner
This is the presentation given for the Docker Meetup in Cordoba, Argentina. Recording should soon be up on http://www.meetup.com/Docker-Cordoba-ARG/events/226995018/
Key Takeaways: Pick your Metrics! Automate It! Fail Bad Builds Faster! Deliver Faster with Better Quality!
To the Docker Audience my main point was that: Just adding Docker doesn't give you free performance and scalability of your app. I walk through many examples of failing apps. What are the metrics that highlight the problem and how to automatically detect bad builds by looking at these Metrics along your Pipeline.
DevOps: Cultural and Tooling Tips Around the World - Dynatrace
To watch this webinar replay, please join us here:
https://info.dynatrace.com/apm_wc_devops_journey_series_tips_around_the_world_na_registration.html
DevOps: Cultural and Tooling Tips Around the World
DevOps! One of the most abused terms in the software industry over the last few years. One of the reasons for this is that the term can mean something totally different, depending on what your role is, and what kind of business you are in. Yet, it is a very real practice with solid benefits that allow companies to build better quality software faster, and with lower cost and risk.
In this 30-minute “secret sauce” session, Andreas Grabner, DevOps Activist at Dynatrace, shares customer learnings and best practices from DevOps adopters around the world. You’ll gain insights from questions like:
• What does DevOps really mean for developers, testers and operators?
• How do companies like Facebook deploy twice a day without big issues?
• How does DevOps work in industries like finance, government, and healthcare where tight regulations exist?
• Is Dev responsible for Ops? Or only if you are working in a Cloud environment?
• What is different and unique as we move from old-fashioned on-prem software to hybrid and Cloud apps?
• Why is talking to people the forgotten DevOps tool?
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ... - Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current-state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world’s largest healthcare company to proactively discover system weaknesses before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
Top Java Performance Problems and Metrics To Check in Your Pipeline - Andreas Grabner
Why is Performance Important? What are the most common reasons applications don't scale and perform well? Which technical metrics to look at. How to check them automatically in the pipeline.
BTD2015 - Your Place In DevTOps is Finding Solutions - Not Just Bugs! - Andreas Grabner
This is about leveling-up and REVOLUTIONIZING Testing as part of your Agile/DevOps Transformation.
You can contribute more than testing functionality. You need to Level-Up your skill set by understanding the apps you are testing. # Images, # JS Files, # SQL Statements, Connection Pool Utilization and Garbage Collection Activity have to be added to your portfolio.
Check these metrics when you do your functional testing and report regressions to your engineers even though the functionality is still good. You have just uncovered an architectural regression that will lead to a scalability and performance problem.
Finding these problems early will eliminate a lot of wasted and unplanned time later on in the lifecycle. That is your contribution to delivering software faster with better quality.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" - Aaron Rinehart
This session will cover the foundations of DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allow teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know, Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, security-focused Chaos Engineering allows teams to proactively, safely discover system weaknesses before they disrupt business outcomes.
Hugs instead of Bugs: Dreaming of Quality Tools for Devs and Testers - Andreas Grabner
I have a Dream that Testers extend their horizon and toolsets and not only test for functional correctness but make a step towards what developers need in order to fix critical issues. I am talking about architectural, scalability and performance metrics such as # of JS Files on a page, Page Size, # of SQL Statements, # of Log Messages Written.
If Testers start to capture this information as well and share it with their bug description I am sure it will both increase the value of testers as well as reduce the total time it takes to fix problems.
OOP 2016 - Building Software That Eats The World - Andreas Grabner
According to VC and web pioneer Marc Andreessen, software is eating the world. Evidence proves he is right. Uber, the biggest taxi company, has no cars; AirBnB, the biggest hotel service, has no rooms; and there are many more examples. Looking at these success stories there is a clear blueprint for how to build software that eats the world. Just a quick heads up: it is not about building your typical web application any more.
Web and App Performance: Top Problems to avoid to keep you out of the News - Andreas Grabner
As presented at Boston and NYC Web Perf Meetup.
It's time to level up the Web Performance Optimization started by Steve Souders. We need to look beyond the rim of the browser as there are many problems happening from browser to database.
In this presentation I showed how Browser Diagnostics needs to evolve into End-to-End Application Diagnostics and Monitoring, showing 5 real-life examples of why applications failed and the metrics to look at to identify these problems early on.
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering - Aaron Rinehart
Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make them tremendously difficult for humans to mentally model their behavior. If the latter is even remotely true, how is it possible to adequately secure services that are not even fully comprehended by the engineering teams that built them? How do we realign the actual state of operational security measures to maintain an acceptable level of confidence that our security actually works? Security Chaos Engineering allows teams to proactively, safely discover system weaknesses before they disrupt business outcomes.
Slides from my DevOpsExpo London talk "From oops to NoOps".
They tell you in these conferences that DevOps is not about tools, but about culture. And they are partially right. I am going to tell you that it’s not only about culture or tools but also abstractions.
It is a lot about how you see software and its value. About our mental model of what software is: how it runs, evolves, and interacts with the other facets of an enterprise.
We used to view software as code. As a state of code. Now we think about software as change, as a flow. A dynamic system where people, machines, and processes interact continuously.
At Platform.sh we spend a bunch of time asking ourselves not “How do you build?” - or even “How do you build consistently?” - but rather “What does it mean to consistently build in a world where change is good?” A world that lets you push security fixes into production as soon as they’re available because you don’t want to be an Equifax but you do want stability.
In this presentation, I will go over what we think software is and why having the right ideas about software will help you get your culture right and your tooling aligned, as well as gain in productivity, and general happiness and well-being.
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants) - DJ Schleen
Join us at Agile+DevOps East's DevSecOps Summit on November 18th to check out our new presentation: https://agiledevopseast.techwell.com/program/devsecops-summit-sessions/blameless-retrospectives-devsecops-global-healthcare-giants-agile-devops-virtual-2020
How to keep you out of the News: Web and End-to-End Performance Tips - Andreas Grabner
Too many websites make it to the news when they fail to deliver, e.g. eCommerce sites that go down on Cyber Monday, Tax Software on Tax Day, or Online Banking when people want to check on their latest pay check.
In this presentation - presented at several Web Performance, Java, .NET, ... Meetups - I walk through the most common performance mistakes people made in recent history. I explain in technical detail what the problem was and how to find these problems earlier, as you don't want to wait until your site crashes and you end up in the news.
This presentation was given as part of a Dynatrace Lunch & Learn event. APM (=Application Performance Management) allows us to transform the way we develop, deploy and run software.
Here are some ideas on how APM can be (r)evolutionized.
The Hardcore Stuff I Hack:
This talk is going to give a run-through of some of the technical challenges Paul and his team have overcome over the years - in as much hardcore detail as possible.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The DevSecOps Builder’s Guide to the CI/CD Pipeline - James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
The Emergent Cloud Security Toolchain for CI/CD - James Wickett
Security is in crisis and it needs a new way to move forward. This talk, from the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of devops and devsecops.
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions - Yevgeniy Brikman
"All happy cloud deployments are alike; each unhappy cloud deployment is unhappy in its own way." — Leo Tolstoy, Site Reliability Engineer
At Gruntwork, I've had the chance to see the cloud adoption journeys of hundreds of companies, from tiny startups to Fortune 50 giants. I've seen those journeys go well. I've seen those journeys go poorly. In this talk, I discuss a few of the ways cloud adoption can go horribly wrong (massive cost overruns, endless death marches, security disasters), and more importantly, how you can get it right.
To help you get it right, we looked at the cloud journeys that were successful and extracted from them the patterns they had in common. We distilled all this experience down into something called the Gruntwork Production Framework, which defines five concrete steps you can follow to adopt the cloud at your own company—and hopefully, to end up with your very own happy cloud deployment.
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran... - Burr Sutter
We can be brilliant developers, but we won’t succeed—and won’t lead our organizations to succeed—without a new perspective (if you will) and new assumptions about the components of the “technology ecosystem” that are fundamentally critical to our success. This includes the operators, QA team, DBAs, security folks, and even the pure business contingent—in most cases, each of these individuals and groups plays a critical role in the success of what we create and give birth to as developers. What we do in isolation might be genius, but if we insulate ourselves—especially with arrogance—from these colleagues, neither our code nor our organizations will realize their full potential, and most will fail. The bottom line is that our old ways are no longer viable, and as the elite within our industry, we will be the leaders and heroes who discard old assumptions and adopt a new perspective in this exciting journey to digital transformation—where the impossible can become reality.
The web is now visible everywhere. It's high time to learn web development! Learn why it's a great branch of IT, what it's made of, and what tasks are waiting for today's web developers.
Learn HTML, JS and CSS from the basics. Do not read HTML courses written 10 years ago.
Want to do backend, but still wondering whether to choose PHP, Ruby, Python or nodeJS? No fear! We'll try to show the pros & cons of every language AND also give a short guide on how to learn them quickly.
Original presentation: http://akai.org.pl/slides/webstarter/
Maturing DevSecOps: From Easy to High Impact - SBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...CODE BLUE
Here at Microsoft, our people often find security issues in other vendors' products, fueling the need for a coordinated approach to working with those vendors to get those bugs fixed. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same management, in the role of a finder, that we'd like to see from other companies and researchers when reporting vulnerabilities. MSVR has played an important role working with internal bug hunters to fix many vulnerabilities in top software during the lifetime of this proactive program. After you know how we work, you how you can start a vulnerability coordination program at your company too.
6 ways DevOps helped PrepSportswear move from monolith to microservicesDynatrace
Like a lot of online businesses today, PrepSportswear’s success is 100% dependent on the availability, scalability and performance of their digital online services. If the website is down, the business stops. They knew they had to transform their business from that of a retailer with a website to a high caliber IT company that sells products online.
In these webinar slides, Richard Dominguez, PrepSportswear’s Developer in Operations, shares their journey. They transformed from a team operating a monolithic app using waterfall development methodology on an old, hard to maintain code base, to a modern IT organization applying new practices from Agile development, DevOps and a Service-Oriented Architectural approach.
The Impact? PrepSportswear’s Most Successful Online Holiday Shopping Season in Company History! Join us to:
Learn how to identify if you are running a monolithic application that is dragging you down.
Get tips on hiring the right people to inject a DevOps cultural mindset into your organization.
Understand how to break the monolith into smaller pieces that support key lines of business.
Discover where to automate monitoring into your pipeline and platform.
Identify metrics for individual stakeholders (dev vs. test vs. business).
Go forward, celebrate, learn from, and repeat success!
Richard will be joined by Andreas Grabner, Performance Advocate at Dynatrace who will support why monitoring, application and end user metrics have to be a key part of your own transformation!
Richard Dominguez has 9+ years’ experience as both a System Analyst and Software Developer in Test. He has worked on many high profile projects in Microsoft such as Hyper-V, Windows 7 Client Performance, and Windows Phone Services. Richard now works at PrepSportswear as the company’s DevOps engineer. His responsibilities include site reliability, external synthetic testing, release management and overall site performance.
Andreas Grabner has 15+ years’ experience as an architect and developer in the Java and .NET space. In his current role, Andi works as an advocate for high performing applications in both the development and operations areas. He is a regular expert and contributor to large performance communities, a frequent speaker at technology conferences and regularly publishes articles blogs on blog.dynatrace.com
Similar to Faster Secure Software Development with Continuous Deployment - PH Days 2013 (20)
3. Nick Galbreath (@ngalbreath)
! Spoken at Black Hat, DEFCON, OWASP
! Book on cryptography
! but really...
! Engineering Management and Software
Development for high growth startups.
! Personal site http://www.client9.com/
4. libinjection
! Author of libinjection
! A very different way of doing SQLi detection
! Right now in another room, Vladimir
Vorontsov is showing how to bypass it (to
be fixed shortly)
! Check it out and file bugs on github
http://libinjection.client9.com/
! Found a bypass?
What database
and query is needed
to exploit it?
RU ♥
SQLi
5. IPONWEB
! customized online advertising infrastructure
and exchanges
! engineering offices in Moscow, with
business offices in London, New York and
Tokyo.
! YEAH IN MOSCOW
! YEAH WE ARE HIRING
! Send email to nickg@iponweb.net
6. Well that's a bold statement...
Fixing Security by
Fixing Development
Using Continuous Deployment
7. and here's another
For web applications, our release-based
software development lifecycle is still
based on a pre-Internet model and is
harmful to organizations and
particularly harmful for security.
8. What needs fixing?
! SQLi dropped from #8 to #14 in the latest
WhiteHat "The State of Web Security"
report. Good news, right?
! This means SQLi is only 7% of websites.
That's 1 in 15.
And this is the #14 vulnerability!
! And time to fix was on average 196 days.
That's embarrassing.
Veracode claims 32% of incoming web applications have SQLi
https://info.veracode.com/state-of-software-security-report-volume5.html
https://reg.whitehatsec.com/WPstats0513
9. Even worse...
! Number 1 driver to fix security
problems...
compliance.
! Number 1 reason to not fix security is...
compliance.
! Not..
! keeping our employees and customers safe
! protecting corporate interests.
! improving quality
! being good at what we do.
10. Security Products #1 .. in security bugs
Veracode: State of
Software Security, V4
December 2011
Security Product
74% Fail Rate
11. Let's Just Give Up
! “You could spend all your resources chasing
such things as this,” William Ribich, the former
president of Technology Solutions Group
[ QinetiQ ], said in an interview in January.
Ribich, who retired in November 2009, shortly
after the discovery of a major data theft, said he
needed to balance the uncertain risk that the
hackers could use what they stole against a
growing shopping list of security products and
consulting fees.
! "You finally have to reach a point where you
say ’let’s move on,’” he said.
http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
^^^ The Russian and Chinese hackers did not move on ^^^^.
12. I would call that broken
! But preventing SQLi isn't a technically
hard problem.
! And most security patches are very small.
! How did we get here?
13. Software Product Model
! Code flows between functional groups
! Product Managers spec code
! Engineers write code
! QA engineers test code
! Release engineers package code
! Operations runs code
! ... and Security does something too.
14. High Distribution Cost
! The Software Product Model is designed for
software where the cost of distribution is
high. "High" might be financial, risk, time,
resources, customer annoyance.
! Retail, physical product, CD/DVD
! Embedded or Exotic Hardware
! Safety, Medical or Defense Systems
! Operating Systems (desk or phone)
! Homework (1-time deploy)
17. Web Applications Year 2000
! Mostly followed Software Product
Model since that's all we knew.
! High barrier to entry
! Specialized Hardware, Software and
People needed to get started.
! Lots of engineering needed to keep
things running.
! (side note: CERT/CVE started in
1999)
18. True Story #1
! "Can't push out the spelling error fix
– it's too risky"
! "That code has already been through
QA, it's locked down."
! "Product has to prioritize that
change, else we aren't touching it."
19. True Story #2
! We'll do an iteration, where we try to fix
as many things as possible.
! This won't be a scheduled iteration,
it will be done because so many things
are piled up.
! So the spelling error will get fixed...
uhh, who knows when.
20. Web Applications 2013
! Almost no barrier to entry
! Commodity hardware
! Programming not that hard
! Scaling problems can
be mostly outsourced
(mostly)
21. Cost of Distribution 2013
! Frequently no compile step
or it's very fast.
! Moving to production a few
kilobytes or megabytes of code
over 1Gbps, 10Gbps link.
! In other words... free
22. Failure is very different however
! Most web applications are data-driven.
! Frequently have social features, APIs,
user-generated content.
! Failures might be due to algorithmic
problems... but...
! Most likely due to user input, bad data
in database or operational load.
! this means data in the past can cause
problems in the future.
23. Releases and Problems
! When a web-release goes out, and
has problems....
! Next week is spent tracking down
who changed what, where.
! Re-QA
! Re-Push
! meanwhile new code is piling up.
24. When SPM meets Web Apps
! A long time between code being written
and code being released.
! Might be weeks or months
! Feedback loop between code-in-dev
and code-in-production is broken
! When security or bug reports come in,
the author is likely on a different project.
25. Hypothesis
! It is impossible to simulate the production
environment in development, either due to
operational differences or data
differences.
! No amount of QA or Security Testing can
prove you don't have bugs, vulnerabilities,
or cause severe operational problems.
! You have bugs and vulnerabilities,
right now, in your application.
26. Impedance Mismatch
! Easy to write code, +
! Long release cycles +
! Security as an end-of-line or out
of band process ==
! no one cares
! Something is going to break,
and most people don't care.
28. So the Answer is...
! Going slower? I'm sure your boss
will love that suggestion
! More steps and process? In other
words, slower.
! Asking for more people? Sure but
good luck hiring them. Doesn't
scale.
! Asking for more products? Since
the others have worked so well.
29. Continuous Deployment
! Also known as Continuous Delivery.
! A System of Software Production
Characterized by Numerous Small
Changes to the Production Environment,
initiated by the author of the change.
You change it, you push it to prod.
30. Deployment != Feature Release
[chart: axes labelled "time" and "change"]
New code goes out all the time.
New features get turned on in
a separate process.
31. "Writing Software"
! Software Developers think their job is
writing software.
! And so, they love to make things perfect
before anyone else sees it.
! Impolite: "data hiding"
! code is hiding on developer's computer
! or on some branch
! in other words invisible until it's ready.
32. Actually
! The software engineer's job is actually
writing running software, that works well.
! This idea is so alien, that companies have
to remind the engineers of this.
33. Rackspace Haiku
writing code is hard
if you cannot deploy
it does not matter
@paulvx from DevOpsDays Austin 2013
34. Facebook's Analog Labs Poster
"Move Fast and
Break Things....
Except "Push" (deployment system)
via http://mitadmissions.org/blogs/entry/move_fast_and_break_things
36. Today's goal
! but for today the goal is getting the
developer to care about their code
in production.
! If you don't have that, I don't think you can
really solve security problems.
37. How does this work?
! Really?
Developers push their own code
out?
! How is this not a disaster?
! How is this not a security disaster?
38. The Deploy Button
! What if you had a button that said
"DEPLOY"
! That pushed to production, whatever
is current in your source control
system.
! And took about a minute
! The change and who pressed the
button is logged, but that's it.
39. Part 1: Fear
! No one is going to push
it ;-)
! Meanwhile code is piling
up
Real example: A new hire I had at Etsy
was afraid of deploying an HTML change
that they made.
"But I don't want to break the site!"
40. Part 2: First Push
! Someone brave will press the button
! And very likely the site will explode,
and a rollback will need to be done.
! They'll know since someone else will
have told them.
41. Part 3: With Graphs
! Let's get all those operational graphs
out in the open. And put them right
next to the button.
http://codeascraft.com/2011/02/15/measure-anything-measure-everything/
42. Part 4: Push #2
! Repush
! Site might still explode
! But the developer is aware and
can rollback.
43. Take 5: Isolation
! Hmmm, the developer notices that in the
change set, a million things are going out.
! Maybe just pushing out a smaller change
will help isolate the issue.
44. Take 6: Success!
! Yes, the developer just pushed out
some code and made the site better.
! The secret about continuous
deployment is small changes that
can be easily understood.
45. Take 7: Dark Pushes
! Now we got some bugs fixed, let's push
a feature.
! First let's push out all the supporting
files. Since they aren't being called,
they do nothing and are safe to push
out.
! Now everyone can see them
46. Take 8: Getting the feature live
! Instead of "all at once", we slowly ramp up a
feature.
! if (user_id % 20 == 0):
do new feature;
! we can change the percentage easily with
another code push.
! or turn it down. Much nicer change log.
! While the site didn't explode, it's hard to see if
the feature is being used or not.
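A worked version of the ramp-up described above, added here as an example and not code from the original slides. It keeps the slide's `user_id % 20 == 0` as a reference and assumes a constructed ramp table; the hashed bucket is an assumed refinement so that each feature gets its own 5% cohort, and raising a percentage only adds users, never drops the ones who already had the feature.

```python
import hashlib

# Constructed ramp table (feature name -> percent of users who get it).
# With continuous deployment this is just another file in source control,
# so turning a feature up or down is itself a small, logged push.
RAMP_PERCENT = {
    "new_checkout": 5,    # 5%: the slide's "user_id % 20 == 0"
    "new_search": 0,      # dark push: deployed, but no user reaches it
    "new_header": 100,    # fully live
}

def legacy_enabled(user_id):
    """The slide's one-liner: every 20th user, a fixed 5% cohort."""
    return user_id % 20 == 0

def bucket(user_id, feature):
    """Stable bucket 0..99 for (user, feature).

    Hashing the feature name in as well (an assumption of this example)
    means the 5% cohort differs per feature; with plain `user_id % 20`
    the same users would be the guinea pigs for every ramp.
    """
    digest = hashlib.sha256(f"{feature}:{user_id}".encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100

def feature_enabled(user_id, feature, ramp=RAMP_PERCENT):
    """True if this user falls inside the ramped percentage for the feature.

    Unknown features are off, so a typo in a flag name fails closed
    instead of exposing half-finished code.
    """
    pct = ramp.get(feature, 0)
    if pct <= 0:
        return False
    if pct >= 100:
        return True
    # The bucket is fixed per user, so raising pct only adds users:
    # nobody who had the feature at 5% loses it at 10%.
    return bucket(user_id, feature) < pct

def observed_fraction(feature, ramp=RAMP_PERCENT, users=20000):
    """Fraction of a synthetic user population that sees the feature."""
    hits = sum(feature_enabled(u, feature, ramp) for u in range(users))
    return hits / users

def cohort(feature, pct, users=20000):
    """Synthetic users who get the feature when it is ramped to pct."""
    ramp = {feature: pct}
    return {u for u in range(users) if feature_enabled(u, feature, ramp)}

if __name__ == "__main__":
    for name in RAMP_PERCENT:
        print(f"{name:>13}: {observed_fraction(name):.3f} of users")
```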
47. Take 9: Application Level Graphs
! Allow developers to instrument their
code so they can see what is
happening in production.
! Enter StatsD and other
UDP-based tools
! Enter centralized logging and in-
application method to make it easy
to log problems.
48. Take 10: Communication
! So far good for one developer.
! To scale up, you'll need a system that lets
developers talk to each other.
! IRC-like tools work well (e.g. "the push
channel") – skype, jabber, hangouts, etc
49. Along the way
! Expose production logs to developers
! Add in a staging-step where the code
goes to a fraction of the cluster, so
developers can test with real traffic
! Try to make development closer to prod.
! Make "smoke tests" to catch basic errors
! Add syntax checkers to eliminate obvious
issues.
! Use static analysis to find bugs
50. Mistakes will happen
! Do postmortem analysis
! Everyone thought they were doing
the right thing at the time.
! "How can the environment be
changed to prevent this" and build
tools to enforce it.
! (Rarely can you truly change people)
52. That guy who pushes at 3am
! Courtesy and convention will
converge very quickly when the site
goes down at 3am and the
developer starts getting calls ;-)
! Off-hours pushes of course can
happen, when they notify operations.
53. What About Code Reviews?
! Yes, please do them.
! Nothing here prevents code reviews.
! In fact code reviews are easier since
! they are small
! they are in mainline not some branch
54. What about Security Reviews
! Please do them.
! Nothing here eliminates
architectural planning or review.
! This actually doesn't change the
SDLC very much.
55. What about Agile Methods
! (everyone seems to have a different idea
of what Agile is but..)
! Agile methodologies typically work to
improve the business spec / development
cycle. (are you building what the
customer wants)
! But doesn't address code deployment.
! They are complementary practices.
56. What about Customer Service?
! "Don't they freak out with all the
changes?"
! Remember: deployment != feature release
! Most deployments do very little from the
customer point of view
! Feature releases (frequently controlled by
ramp-ups or flags) always need to be
coordinated with product and customer
service.
57. What about Compliance? PCI?
! Let me tell you about compliance...
! mechanism not policy
! compliance is a lot easier when it's done
every day instead of a once-a-year audit.
59. Obvious Benefit to Security
! Security patches can go out quickly
! You know this since they are now
just part of a normal development
cycle and code goes out regularly.
! Why not clear out those low-priority
security problems?
60. More Importantly
! That Engineer who previously did not
push code is now sensitized that their
code has consequences and are
responsive and empowered to fix it.
! It’s amazing how interested engineers
become in security when you find
problems with their code when they are
able to fix it quickly themselves.
61. New Security Math
! Instead of focusing only on increasing MTTF,
which will never be infinite
! more firewalls, more process, more magic
! You can focus on how fast can you detect faults,
and how fast can you fix them.
! How low can you go?
! MTTD - Mean time to Detect
! MTTR - Mean time to Repair
62. Hack The Stack
! A side effect of this you now have
tools to repurpose for security and
monitoring of production
! Note that most changes are not
security problems.
63. Logging
! Since developers are now allowed to see
application logging, it's very
easy to instrument the application to
log security events.
! Or add logs to times when you are
under attack.
64. Graphing
! Make dashboards of
! SQLi and XSS attacks
! Every type of log-in failure
! Core Dumps
! Database Syntax Errors
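The logging and graphing slides above, worked through as an added example that is not code from the original deck: it tallies security events from constructed application log lines and renders them in StatsD's counter format (`name:value|c`, sent over UDP), which is what feeds the dashboards. The event names and counter names are assumptions of this example.

```python
import json
import socket
from collections import Counter

# Constructed application log (JSON, one event per line), the kind an app
# emits once developers can log from production code and see the result.
SAMPLE_LOG = """\
{"ts":"2013-05-23T10:01:02Z","event":"login_failure","reason":"bad_password","user":"alice"}
{"ts":"2013-05-23T10:01:05Z","event":"login_failure","reason":"unknown_user","user":"bob"}
{"ts":"2013-05-23T10:01:09Z","event":"sqli_blocked","path":"/search","src":"198.51.100.7"}
{"ts":"2013-05-23T10:01:11Z","event":"xss_blocked","path":"/comment","src":"198.51.100.7"}
{"ts":"2013-05-23T10:01:15Z","event":"db_syntax_error","query_id":"q-1138"}
{"ts":"2013-05-23T10:01:20Z","event":"login_failure","reason":"bad_password","user":"alice"}
not json at all: a stray line from some other logger
{"ts":"2013-05-23T10:01:22Z","event":"page_view","path":"/"}
"""

# Events that belong on the security dashboard and the counter each feeds.
# Assumed event names; real ones come from your own application's logging.
SECURITY_EVENTS = {
    "sqli_blocked": "security.attack.sqli",
    "xss_blocked": "security.attack.xss",
    "db_syntax_error": "security.db.syntax_error",
    "core_dump": "security.core_dump",
}

def metric_for(record):
    """Map one parsed log record to a StatsD counter name, or None."""
    event = record.get("event")
    if event == "login_failure":
        # One counter per failure reason, so every type gets its own line.
        return "security.login_failure." + record.get("reason", "unknown")
    return SECURITY_EVENTS.get(event)

def count_security_events(log_text):
    """Tally security counters from raw log text, tolerating bad lines."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            # Garbage in the security log is itself worth a graph line.
            counts["security.log.unparseable"] += 1
            continue
        name = metric_for(record)
        if name:
            counts[name] += 1
    return counts

def statsd_lines(counts):
    """Render tallies in StatsD's text protocol: "<name>:<value>|c"."""
    return [f"{name}:{n}|c" for name, n in sorted(counts.items())]

def send_to_statsd(lines, host="127.0.0.1", port=8125):
    """Fire-and-forget UDP, the StatsD way: a down collector never stalls the app."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))

if __name__ == "__main__":
    for line in statsd_lines(count_security_events(SAMPLE_LOG)):
        print(line)
```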
65. Static Analysis
! You now have a place to insert them.
! Work with QA group to add more code
quality tests.
66. Post-Commit Checks
! Alert on when sensitive areas of the code
are changed (auth, login)
! Alert on crypto usage (why is developer
using MD5.. hmmm)
! Alert on your programming language's
"dangerous functions"
This allows you to engage the developer
at the start of the cycle.
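One way to build the post-commit checks listed above, added here as an example (not the deck's or Etsy's tooling): it walks a constructed unified diff, flags any change under assumed sensitive paths, and flags added lines that match assumed patterns for weak hashes, shell execution and other "dangerous functions" in a Python code base, reporting the new-file line number so the alert can go straight back to the author.

```python
import re

# Constructed unified diff, standing in for one commit's `git show -p` output.
SAMPLE_DIFF = """\
diff --git a/app/auth/login.py b/app/auth/login.py
--- a/app/auth/login.py
+++ b/app/auth/login.py
@@ -10,6 +10,8 @@ def check_password(user, password):
-    return user.pw_hash == hashlib.sha256(password.encode()).hexdigest()
+    # temporary: legacy accounts still use md5
+    digest = hashlib.md5(password.encode()).hexdigest()
+    return user.pw_hash == digest
diff --git a/app/reports/export.py b/app/reports/export.py
--- a/app/reports/export.py
+++ b/app/reports/export.py
@@ -40,3 +40,4 @@ def run_report(name):
+    os.system("generate-report " + name)
     return open(path).read()
diff --git a/app/templates/footer.html b/app/templates/footer.html
--- a/app/templates/footer.html
+++ b/app/templates/footer.html
@@ -1,1 +1,1 @@
-<p>Copyrigt 2013</p>
+<p>Copyright 2013</p>
"""

# Any change under these paths gets an alert, whatever the content.
SENSITIVE_PATHS = re.compile(r"(^|/)(auth|login|session|crypto|payments?)(/|\.)")

# Added lines matching these get an alert carrying the label.
# Assumed patterns for a Python code base; every language has its own list.
SUSPECT_PATTERNS = [
    ("weak hash", re.compile(r"\b(md5|sha1)\s*\(", re.I)),
    ("shell execution", re.compile(r"\bos\.system\(|subprocess\.\w+\(.*shell\s*=\s*True")),
    ("dynamic code", re.compile(r"\b(eval|exec)\s*\(")),
    ("pickle load", re.compile(r"\bpickle\.loads?\(")),
]

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff_text):
    """Yield (path, line number in the new file, text) for every '+' line."""
    path, new_ln = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith(("--- ", "diff --git")):
            continue
        elif HUNK.match(line):
            new_ln = int(HUNK.match(line).group(1))
        elif path is None:
            continue
        elif line.startswith("+"):
            yield path, new_ln, line[1:]
            new_ln += 1
        elif not line.startswith("-"):
            new_ln += 1  # context line: present in the new file too

def check_commit(diff_text):
    """Return (path, line, label) alerts for one commit's diff."""
    alerts, flagged = [], set()
    for path, ln, text in added_lines(diff_text):
        if path not in flagged and SENSITIVE_PATHS.search(path):
            flagged.add(path)
            alerts.append((path, 0, "sensitive area changed"))
        for label, pattern in SUSPECT_PATTERNS:
            if pattern.search(text):
                alerts.append((path, ln, label))
    return alerts

if __name__ == "__main__":
    for path, ln, label in check_commit(SAMPLE_DIFF):
        print(f"{path}:{ln}: {label}")
```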
67. Faster is Better
! You could do most of this in a normal
release-cycle software lifecycle.
! The difference is you are finding
problems at the start instead of 10 minutes
before the launch and telling
everyone to stop.
! The feedback loop works.
68. New Roles, Less Silos
! Developers: work with operations
! QA: works on building systems for
testing, to empower others to write
better tests
! Release Engineering: tools to enable
code to flow faster
! Security: in-house consultancy,
secure-by-default architecture,
monitoring
70. Goal: 50% reduction in deploy time
! Whatever your state of deployment is,
no matter how many people are
involved, no matter how long it
currently takes, make a goal of cutting
it in half.
! This is an easy sell to management
just on cost basis.
! Everything else flows from this.
71. Mechanism not Policy
! Strive for the fastest deployment
mechanism possible
! But you define the "continuous" in
Continuous Deployment
! Yes, Etsy was 60+ deploys per day, with
each having multiple authors.
! Current gig? we have rules of no more
than 3 per week since our customers have
asked for that, and only deployed at
"low-tide"
73. In other contexts: Operations
! How fast can you deploy OS changes
to your production environment?
! How fast can you deploy router
changes?
! How fast can you deploy patches to
the desktop?
You probably don't do it that often since
it's really painful and time consuming!
That's exactly the problem.
74. In other contexts: software product
! here "production" might be getting code
into the main branch and running
automated build / test.
! It's the flow of code: little changes vs big.
75. In other contexts: silicon
! Continuous deployment already done for
silicon! wut?
! Only small changes, with tests are
allowed to be committed!
! Big changes are rejected.
Learned the hard way that big changes
are completely unmanageable