Fixing Security by Fixing Software Development Using Continuous Deployment
Do you have an effective release cycle? Is your process long and archaic? Long release cycles are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring about, or even knowing about, security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small but frequent changes to the production environment can transform an organization's development process to truly integrate security. Learn how to get started with continuous deployment and what tools and processes are needed to make implementation within your organization a (security) success.
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
Building an Open Source AppSec Pipeline, by Matt Tesauro
Take the concepts of DevOps and apply them to AppSec and you have an AppSec Pipeline. Allow automation, orchestration and some ChatOps to expand the flow of your AppSec team, since it's not likely to get any bigger.
New Era of Software with modern Application Security v1.0, by Dinis Cruz
(as presented at Codemotion Rome 2016)
This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, clever Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but allow them to be developed in a much more efficient, cheaper and productive
Continuous Deployment: The Dirty Details, by Mike Brittain
Presented at ALM Summit 3 in Redmond, WA. January 2013.
Like what you've read? We're frequently hiring for a variety of engineering roles at Etsy. If you're interested, drop me a line or send me your resume: mike@etsy.com.
http://www.etsy.com/careers
(java2days) The Anatomy of Java Vulnerabilities, by Steve Poole
Java is everywhere. According to Oracle it's on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that's just the plugin, right? Well, maybe not. Java on the server can be just as at risk as the client. In this talk we'll cover all aspects of Java Vulnerabilities. We'll explain why Java has this dubious reputation, what's being done to address the issues and what you have to do to reduce your exposure. You'll learn about Java vulnerabilities in general: how they are reported, managed and fixed, as well as learning about the specifics of attack vectors and just what a 'vulnerability' actually is. With the continuing increase in cybercrime it's time you knew how to defend your code. With examples and code, this talk will help you become more effective in tackling security issues in Java.
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ..., by Dave Olsen
We’re entering a new era where an increasing number of devices with wildly divergent features -- including phones, tablets, game consoles, and TVs -- are connected to the Internet. As the way people access the Internet changes, there is an urgent need to rethink how we use the web to communicate. This doesn't mean creating separate solutions for each device but rather preparing our existing content to meet this increasingly unpredictable future. Dave Olsen and Doug Gapinski will share and examine examples that show how responsive design will help institutions rethink and adjust for the future-friendly web.
Primary topics that are covered are: understanding the reality of web development today, example RWD design patterns, and understanding how to test and optimize the performance of your RWD website.
DevOps: Cultural and Tooling Tips Around the World, by Dynatrace
To watch this webinar replay, please join us here:
https://info.dynatrace.com/apm_wc_devops_journey_series_tips_around_the_world_na_registration.html
DevOps: Cultural and Tooling Tips Around the World
DevOps! One of the most abused terms in the software industry over the last few years. One of the reasons for this is that the term can mean something totally different, depending on what your role is, and what kind of business you are in. Yet, it is a very real practice with solid benefits that allow companies to build better quality software faster, and with lower cost and risk.
In this 30-minute “secret sauce” session, Andreas Grabner, DevOps Activist at Dynatrace, shares customer learnings and best practices from DevOps adopters around the world. You’ll gain insights from questions like:
• What does DevOps really mean for developers, testers and operators?
• How do companies like Facebook deploy twice a day without big issues?
• How does DevOps work in industries like finance, government, and healthcare where tight regulations exist?
• Is Dev responsible for Ops? Or only if you are working in a Cloud environment?
• What is different and unique as we move from old-fashioned on-prem software to hybrid and Cloud apps?
• Why is talking to people the forgotten DevOps tool?
XRebel is a development-flow-friendly performance tool that enables developers to make performance optimizations during initial development. Find slow methods and HTTP calls, excessive queries, and hidden exceptions within your web application.
Security at Scale - Lessons from Six Months at Yahoo, by Alex Stamos
This is my talk on building security at scale from Black Hat USA 2014. In it I outline the lessons I've learned from six months as Yahoo's CISO and share ideas for how the security industry can better address problems at web scale.
(Talk given at Continuous Lifecycle London 2016)
Continuous Delivery techniques and practices are often misunderstood. This session will explore some Continuous Delivery anti-patterns based on work 'in the wild' with a wide range of organisations across different industry sectors:
- Believing that "Continuous Delivery is not for us"
- Ignoring the database
- Thinking that a deployment pipeline is just a series of chained jobs in Jenkins
- Not funding the build/test/deployment capability properly
- No effective logging or application metrics
By avoiding these pitfalls, we can increase the effectiveness of our software delivery efforts.
The Unicorn Project and The Five Ideals (older: see notes for newer version), by Gene Kim
Updated version here (Dec 2019): https://www.slideshare.net/realgenekim/the-unicorn-project-and-the-five-ideals-updated-dec-2019
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, and, as it turns out, it is their heroic work that matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
Keeping The Auditor Away: DevOps Audit Compliance Case Studies, by Gene Kim
Organizations and development teams are moving beyond waterfall models to those embracing a continuous delivery/DevOps-style set of processes. Doing tens, hundreds, or even thousands of deploys per day as 'normal' does not align with the SDLC, separation of duties, and common controls expected by auditors.
In this presentation, we will describe what auditors look for in a compliance audit, how to develop alternate control procedures that fulfill those reporting requirements, how to avoid “red flags” that indicate inadequate controls, and real world case studies and reporting artifacts.
Gene Kim has been studying high performing IT organizations since 1999 and helped develop the SOX scoping guidelines with the Institute of Internal Auditors in 2005. James DeLuccia IV is the leader for the Ernst & Young Americas Certification Services; James oversees all of the audits against common industry standards, and champions several global program implementation roll-outs. Developing and 'translating' the control environment behaviors of clients such as Google, Amazon, Workday, and others is difficult. This discussion will bridge the needs of auditors with the community of developers by sharing examples, discussing the assurance expectations, and showing how to communicate to pass an audit.
Application Security Testing for a DevOps Mindset, by Denim Group
The cultural transition to DevOps is coming to organizations, and security teams must learn to adapt or be marginalized. Forward-thinking security teams will use this transition to their advantage and will reap the benefits of better and more frequent security insight into development cycles. By understanding the goals of development teams, security representatives can help to meaningfully include themselves in the development process and provide value through sensible risk management.
Start with passing tests (TDD for bugs) v0.5 (22 Sep 2016), by Dinis Cruz
"Turning TDD upside down - For bugs, always start with a passing test" - The common workflow in TDD is to write failing tests. The problem with this approach is that it only works for a very specific scenario (when fixing bugs). This presentation will present a different workflow which will make the coding and testing of those tests much easier, faster, simpler, more secure and more thorough.
Presented at LSCC (London Software Craftsmanship Community) http://www.meetup.com/london-software-craftsmanship in September 2016.
When you want to create a dynamic web site you must learn HTML, CSS3 and PHP, JEE, Rails or ASP.NET, but Node.js offers Meteor.js, with which you can create your dynamic web site using Meteor only.
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report, by Gene Kim
Talk video: https://www.youtube.com/watch?v=5mbp3SEha38&t=1652s
Blog post: https://itrevolution.com/love-letter-to-clojure-part-1
I will explain how learning the Clojure programming language three years ago changed my life. It led to a series of revelations about all the invisible structures that are required to enable developers to be productive. These concepts show up all over The Unicorn Project, but most prominently in the First Ideal of Locality and Simplicity, and how it can lead to the Second Ideal of Focus, Flow, and Joy.
Without doubt, Clojure was one of the most difficult things I’ve learned professionally, but it has also been one of the most rewarding. It brought the joy of programming back into my life. For the first time in my career, as I’m nearing fifty years old, I’m finally able to write programs that do what I want them to do, and am able to build upon them for years without them collapsing like a house of cards, as has been my normal experience.
The famous French philosopher Claude Lévi-Strauss would say of certain tools, “Is it good to think with?” For reasons that I will try to explain in this post, Clojure embraces a set of design principles and sensibilities that were new to me: functional programming, immutability, an astonishingly strong sense of conservative minimalism (e.g., hardly any breaking changes in ten years!), and much more…
Clojure introduced to me a far better set of tools to think with and to also build with. It’s also led to a set of aha moments that explain why for decades my code would eventually fall apart, becoming more and more difficult to change, as if collapsing under its own weight. Learning Clojure taught me how to prevent myself from constantly self-sabotaging my code in this way.
In their aftermath, the Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.
Why do mobile projects (still) fail - September 2014 edition, by Indiginox
My talk on the reasons mobile projects fail and what you can do to prevent some of the pitfalls. This talk doesn't cover code or deep-dive technical development, but the "other" problems that can befall a mobile project, especially in large organizations.
Hear from the product team about Apigee's key products and technology. Learn how customers use Apigee to grow reach with mobile apps, accelerate development and create new products through APIs, and gain end-to-end visibility into business and operations by analyzing 360 degrees of information.
Presentation from Apigee's Open Banking & PSD2 Summit in London on 19th May 2016. This presentation covers Apigee's innovative data driven security approach that detects intelligent bots, transaction anomalies, and helps protect your APIs from cyberthreats.
Protecting your pricing strategy from bad bots employed by your competitors requires a data-driven approach to identify and stop bad bots automatically.
In this webcast, we'll explore ways to stop bad bots from impacting your enterprise applications, including:
- understanding the nature of bot attacks and typical use cases
- techniques to detect and stop bad bots, while allowing good bots in
- implementing technologies in your security stack to protect against bots
As you move your workloads to the cloud or build new cloud-native applications, how will you connect them with other apps and data that still reside in your data centers, or in other clouds?
The de facto standard to connect cloud workloads is the REST API. To get the most out of your cloud deployments, there’s a host of best practices around managing APIs in the cloud world.
This presentation covers:
- challenges faced as companies move to the cloud
- managing security, governance, and visibility concerns
- how APIs help you in a multi-cloud world
Sure, APIs are a technology. But APIs are part of a value chain, and every value chain is becoming infused with APIs that drive business results. What does it take to create a business strategy that makes the most of APIs? There are clear patterns for success that will enable you to get ahead of change—rather than react to competitors and disruptors.
We cover:
- why APIs are becoming an indispensable part of the value chain
- how APIs open new opportunities for business growth
- three things you should do in the next 100 days
What is an API-first enterprise? Where do APIs fit into modern application architecture? Are they just new terms for SOA? Presentation from Apigee's City Tour in Paris 23 June 2016.
What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management?
Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can
- provide visibility for all security threats targeting their backend services
- control access to sensitive data - end-to-end
- enable developers to build secure apps with secure APIs
- facilitate secure access with partners and developers
Centralized control over a monolithic IT architecture is giving way to agile microservices that are easily consumable and scalable. How should businesses in the middle of this transition think about the move to microservices?
Azuqua and Apigee share how companies make the transition and gradually shed older toolsets.
Managing Sensitive Information in an API and Microservices World, by Apigee | Google Cloud
As enterprises begin to share their sensitive data through APIs, the ability to enforce authorization and non-repudiation of data with full visibility and traceability is critical for corporate compliance and viability. Join Apigee and Apcera to learn how best to manage data sovereignty through an end-to-end chain of custody across workloads, APIs and end users.
Consultant Robert Broeckelmann shares his experience of implementing API management in a large enterprise and shows how to:
- define API governance
- explore the goals, requirements, implementation of API governance
- look at lessons learned from implementing one enterprise customer's API governance process
Platforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die KeynoteApigee | Google Cloud
Apigee's Chet Kapoor discusses the power of platforms, network effects, cloud-native architectures, and APIs. He presented this keynote at the Chicago stop of the Adapt or Die World Tour on Nov. 17, 2016.
The Hardcore Stuff I Hack:
This talk is going to give a run-through of some of the technical challenges Paul and his team have overcome over the years, in as much hardcore detail as possible.
Slides from my DevOpsExpo London talk "From oops to NoOps".
They tell you in these conferences that DevOps is not about tools, but about culture. And they are partially right. I am going to tell you that it’s not only about culture or tools but also abstractions.
It is a lot about how you see software and its value. About our mental model of what software is: how it runs, evolves, and interacts with the other facets of an enterprise.
We used to view software as code. As a state of code. Now we think about software as change, as a flow. A dynamic system where people, machines, and processes interact continuously.
At Platform.sh we spend a bunch of time asking ourselves not “How do you build?” - or even “How do you build consistently?” - but rather “What does it mean to consistently build in a world where change is good?” A world that lets you push security fixes into production as soon as they’re available because you don’t want to be an Equifax but you do want stability.
In this presentation, I will go over what we think software is and why having the right ideas about software will help you get your culture right and your tooling aligned, as well as gain in productivity, and general happiness and well-being.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Burr Sutter
We can be brilliant developers, but we won’t succeed—and won’t lead our organizations to succeed—without a new perspective (if you will) and new assumptions about the components of the “technology ecosystem” that are fundamentally critical to our success. This includes the operators, QA team, DBAs, security folks, and even the pure business contingent—in most cases, each of these individuals and groups plays a critical role in the success of what we create and give birth to as developers. What we do in isolation might be genius, but if we insulate ourselves—especially with arrogance—from these colleagues, neither our code nor our organizations will realize their full potential, and most will fail. The bottom line is that our old ways are no longer viable, and as the elite within our industry, we will be the leaders and heroes who discard old assumptions and adopt a new perspective in this exciting journey to digital transformation—where the impossible can become reality.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk, from the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of DevOps and DevSecOps.
In the software engineering world, change is the only constant. And in the course of the last decades, the frequency of that change has exploded. What Agile has brought to software teams, DevOps is now bringing to the entire organization. And the results speak for themselves. The DevOps high-performers are killing it. Insane deploy frequencies of features, high reliability of applications, and high productivity of cross-functional teams have amplified the speed at which ideas become a reality.
In parallel, Application Security was doing its own thing and to a large part remained oblivious to all the impressive improvements that were happening in software engineering. Because breaking an application doesn’t need any knowledge of how it was created in the first place.
This talk will cover anti-patterns that are preventing application security from being adopted by development teams, such as:
* Signals versus Noise
* Lost in Translation
* Make it easy
Identified by OWASP as one of the top 10 security threats facing developers, underprotected APIs are subject to common exploitation that can be difficult to detect. This presentation outlines the reasoning and methodology behind securing these APIs. By Adam Cecchetti, CEO of Deja vu Security
6 ways DevOps helped PrepSportswear move from monolith to microservicesDynatrace
Like a lot of online businesses today, PrepSportswear’s success is 100% dependent on the availability, scalability and performance of their digital online services. If the website is down, the business stops. They knew they had to transform their business from that of a retailer with a website to a high caliber IT company that sells products online.
In these webinar slides, Richard Dominguez, PrepSportswear’s Developer in Operations, shares their journey. They transformed from a team operating a monolithic app using waterfall development methodology on an old, hard to maintain code base, to a modern IT organization applying new practices from Agile development, DevOps and a Service-Oriented Architectural approach.
The Impact? PrepSportswear’s Most Successful Online Holiday Shopping Season in Company History! Join us to:
Learn how to identify if you are running a monolithic application that is dragging you down.
Get tips on hiring the right people to inject a DevOps cultural mindset into your organization.
Understand how to break the monolith into smaller pieces that support key lines of business.
Discover where to automate monitoring into your pipeline and platform.
Identify metrics for individual stakeholders (dev vs. test vs. business).
Go forward, celebrate, learn from, and repeat success!
Richard will be joined by Andreas Grabner, Performance Advocate at Dynatrace who will support why monitoring, application and end user metrics have to be a key part of your own transformation!
Richard Dominguez has 9+ years' experience as both a System Analyst and Software Developer in Test. He has worked on many high profile projects at Microsoft such as Hyper-V, Windows 7 Client Performance, and Windows Phone Services. Richard now works at PrepSportswear as the company's DevOps engineer. His responsibilities include site reliability, external synthetic testing, release management and overall site performance.
Andreas Grabner has 15+ years' experience as an architect and developer in the Java and .NET space. In his current role, Andi works as an advocate for high performing applications in both the development and operations areas. He is a regular expert and contributor to large performance communities, a frequent speaker at technology conferences and regularly publishes articles and blog posts on blog.dynatrace.com
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world’s best safecrackers can study it and you still can’t open the safe, that’s security.
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013Nick Galbreath
What if we could reduce SQLi attacks in your application by 90%? WIth little to no changes in your application, with no new hardware or firewalls?
First presented at RSA Conference USA, 2013-02-27
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
If we are ever going to get ahead of the whack-a-mole security vulnerability game, we, as security professionals need to start getting involved more in the development of software. Let's review the origins of the traditional software development, and what assumptions are made. Then we'll review if those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot", when done correctly it can be transformative to the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
SQL that isn't caught by WAFs but also isn't used (yet) by attackers! Why detecting SQLi is good, and why doing it with regular expressions is hard. And re-introducing libinjections which is a new way of detecting SQLi attacks.
This is a mashup of my Black Hat USA 2012 and DEFCON 20 talks, refreshed and updated.
Continuous Deployment - The New #1 Security Feature, from BSidesLA 2012Nick Galbreath
First presented at Security BSidesLA, Hermosa Beach, California, August 16, 2012
Continuous deployment is characterized by small and frequent changes to production. Find out why it's my #1 security feature. It's not just about pushing fast!
How do fonts look when uploaded onto SlideShare when the presentation is of various sizes? How does it look on a washed-out projector? For plain text? For computer code?
This presentation provides a number of sans-serif and monospace fonts to help answer these questions.
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Nick Galbreath
Rate Limits at Scale SANS AppSec Las Vegas.
Rate limit everything, all the time, using a quantized time system with Memcache or Redis. Use this to protect resources or discover anomalies.
DevOpsSec: Applying DevOps Principles to Security, DevOpsDays Austin 2012
Fixing security by fixing software development
1. Fixing Security by Fixing Software Development
Using Continuous Deployment
Nick Galbreath, VP Eng IPONWEB, http://www.iponweb.com/
@ngalbreath http://www.client9.com/
May 14-15, San Francisco, California
3. Nick Galbreath (@ngalbreath)
! Spoken at Black Hat, DEFCON, OWASP
! Author of libinjection: advanced SQLi
detection used in > 2 WAFs, 1 Honeypot
! Book on cryptography
! but really...
! Engineering Management and Software
Development for high growth startups.
! Personal site http://www.client9.com/
4. IPONWEB
! customized online advertising
infrastructure and exchanges
! engineering offices in Moscow, with
business offices in London, New York and
Tokyo.
5. Original Abstract
Fixing Security by Fixing Software Development Using Continuous
Deployment
Do you have an effective release cycle? Is your process long and archaic? Long
release cycle are typically based on assumptions we haven't seen since the
1980s and require very mature organizations to implement successfully. They
can also disenfranchise developers from caring or even knowing about security
or operational issues. Attend this session to learn more about an alternative
approach to managing deployments through Continuous Deployment, otherwise
known as Continuous Delivery. Find out how small, but frequent changes to the
production environment can transform an organization’s development process
to truly integrate security. Learn how to get started with continuous deployment
and what tools and process are needed to make implementation within your
organization a (security) success.
6. Well that's a bold statement...
"Fixing Security by Fixing Development
Using Continuous Deployment"
7. and here's another
For web applications, our release-based
software development lifecycle is still
based on a pre-Internet model and is
harmful to organizations and
particularly harmful for security.
8. What needs fixing?
! SQLi dropped from #8 to #14 in the latest
WhiteHat "The State of Web Security"
report. Good news, right?
! This means SQLi is only 7% of websites.
That's 1 in 15. And this is the #14
vulnerability!
! And time to fix was on average 196 days.
That's embarrassing.
Veracode claims 32% of incoming web applications have SQLi
https://info.veracode.com/state-of-software-security-report-volume5.html
https://reg.whitehatsec.com/WPstats0513
9. Even worse...
! Number 1 driver to fix security problems...
compliance.
! Number 1 reason to not fix security is...
compliance.
! Not..
! keeping our employees and customers safe
! protecting corporate interests.
! improving quality
! being good at what we do.
10. Security Products #1 .. in security bugs
VeraCode: State of
Software Security, V4
December 2011
11. Let's Just Give Up
! “You could spend all your resources chasing such
things as this,” William Ribich, the former president of
Technology Solutions Group [ QinetiQ ], said in an
interview in January. Ribich, who retired in November 2009,
shortly after the discovery of a major data theft, said he
needed to balance the uncertain risk that the hackers could
use what they stole against a growing shopping list of
security products and consulting fees.
! "You finally have to reach a point where you say
’let’s move on,’” he said.
http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
12. I would call that broken
! But preventing SQLi isn't a technically
hard problem.
! And most security patches are very small.
! How did we get here?
13. Software Product Model
! Code flows between functional groups
! Product Managers spec code
! Engineers write code
! QA engineers tests code
! Release engineers package code
! Operations runs code
! ... and Security does something too.
14. High Distribution Cost
! The Software Product Model is designed
for software where the cost of distribution
is high. "High" might be financial, risk,
time, resources, customer annoyance.
! Retail, physical product, CD/DVD
! Embedded or Exotic Hardware
! Safety, Medical or Defense Systems
! Operating Systems (desk or phone)
! Homework (1-time deploy)
17. Web Applications Year 2000
! Mostly followed Software Product Model
since that's all we knew.
! High barrier to entry
! Specialized Hardware, Software and
People needed to get started.
! Lots of engineering needed to keep things
running.
! (side note: CERT/CVE started in 1999)
18. True Story #1
! "Can't push out the spelling error fix – it's
too risky"
! "That code has already been through QA,
it's locked down."
! "Product has to prioritize that change, else
we aren't touching it."
19. True Story #2
! We'll do an iteration, where we try to fix as
many things as possible.
! This won't be a scheduled iteration, it will
be done because things are so bad
! So the spelling error will get fixed...
uhh, who knows when.
20. Web Applications 2013
! Almost no barrier to entry
! Commodity hardware
! Programming not that hard
! Scaling problems can
be mostly outsourced
(mostly)
21. Cost of Distribution 2013
! Frequently no compile step
or it's very fast.
! Moving to production a few kilobytes or
megabytes of code over 1Gbps, 10Gbps
link.
! In other words... free
22. Failure is very different however
! Most web applications are data-driven.
! Frequently have social features, APIs,
user-generated content.
! Failures might be due to algorithmic
problems... but...
! Most likely due to user input, bad data
in database or operational load.
! this means data in past can cause
problems in the future.
23. Releases and Problems
! When a web-release goes out, and has
problems....
! Next week is spent tracking down who
changed what, where.
! Re-QA
! Re-Push
! meanwhile new code is piling up.
24. When SPM meets Web Apps
! A long time between code being written
and code being released.
! Might be weeks or months
! Feedback loop between code-in-dev and
code-in-production is broken
! When security or bug reports come in, the
author is likely on a different project.
25. Hypothesis
! It is impossible to simulate the production
environment in development, either due to
operational differences or data differences.
! No amount of QA or Security Testing can
prove you don't have bugs, vulnerabilities,
or cause severe operational problems.
! You have bugs and vulnerabilities,
right now, in your application.
26. Impedance Mismatch
! Easy to write code, +
! Long release cycles +
! Security as an end-of-line or out of band
process ==
! no one cares
27. So the Answer is...
! Going slower? I'm sure your boss will love
that suggestion
! More steps and process? In other words,
slower.
! Asking for more people? Sure but good
luck hiring them. Doesn't scale.
! Asking for more products? Since the
others have worked so well.
28. Continuous Deployment
! Also known as Continuous Delivery.
! A System of Software Production
Characterized by Numerous Small
Changes to the Production Environment,
initiated by the author of the change.
You change it, you push it to prod.
30. "Writing Software"
! Software Developers think their job is
writing software.
! And so, they love to make things perfect
before anyone else sees it.
! Impolite: "data hiding"
! code is hiding on developer's computer
! or on some branch
! in other words invisible until it's ready.
31. Actually
! The software engineer's job is actually
writing running software, that works well.
! This idea is so alien, that companies have
to remind the engineers of this.
32. Rackspace Haiku
writing code is hard
if you cannot deploy
it does not matter
@paulvx from DevOpsDays Austin 2013
33. Facebook
"Move Fast and
Break Things....
Except "Push" (deployment system)
via http://mitadmissions.org/blogs/entry/
move_fast_and_break_things
35. Today's goal
! but for today the goal is getting the
developer to care about their code
in production.
! If you don't have that, I don't think you can
really solve security problems.
36. How does this work?
! Really? Developers push their own code
out?
! How is this not a disaster.
! How is this not a security disaster?
37. The Deploy Button
! What if you had a button that said
"DEPLOY"
! That pushed to production, whatever is
current in your source control system.
! And took about a minute
! The change and who pressed the button are
logged, but that's it.
38. Part 1: Fear
! No one is going to push it ;-)
! Meanwhile code is piling up
Real example: A new hire I had at Etsy was afraid
of deploying an HTML change that they made.
"But I don't want to break the site!"
39. Part 2: First Push
! Someone brave will press the button
! And very likely the site will explode, and a
rollback will need to be done.
! They'll know since someone else will have
told them.
40. Part 3: With Graphs
! Let's get all those operational graphs out
in the open. And put them right next to
the button.
41. Part 4: Push #2
! Repush
! Site might still explode
! But the developer is aware and can
rollback.
42. Take 5: Isolation
! Hmmm, the developer notices that in the
change set, a million things are going out.
! Maybe just pushing out a smaller change
will help isolate the issue.
43. Take 6: Success!
! Yes, the developer just pushed out some
code and made the site better.
! The secret about continuous deployment
is small changes that can be easily
understood.
44. Take 7: Dark Pushes
! Now we got some bugs fixed, let's push a
feature.
! First let's push out all the supporting files.
Since they aren't being called, they do
nothing and are safe to push out.
! Now everyone can see them
45. Take 8: Getting the feature live
! Instead of "all at once", we slowly ramp up
a feature.
! if (user_id % 20 == 0):
do new feature;
! we can change the percentage easily
with another code push.
! or turn it down. Much nicer change log.
! While the site didn't explode, it's hard to
see if the feature is being used or not.
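The ramp-up rule on the slide, `user_id % 20 == 0`, works, but two of its properties bite later: every feature ramped this way lands on the same 5% of users first, and moving to 10% (`% 10`) drops some of those users while adding others. The following is an added example of mine, not code from the deck or from Etsy; it keeps the slide's idea of a percentage that a code push changes, but buckets each user with a hash salted by the feature name, so cohorts are independent per feature and raising the percentage only ever adds users. The function names, the `FEATURE_RAMPS` table and the assumption that user ids stringify stably are illustrative.

```python
import hashlib

BUCKETS = 100  # resolution of the ramp: one bucket == one percent


def legacy_enabled(user_id):
    """The rule from the slide: a fixed 5% cohort, user_id % 20 == 0.

    Every feature ramped this way hits the same users first, and going to
    10% with `% 10` removes some of them while adding others.
    """
    return user_id % 20 == 0


def ramp_bucket(user_id, feature):
    """Stable bucket in [0, BUCKETS) for (feature, user).

    Salting with the feature name gives each feature its own cohort ordering.
    Hashing str(user_id) is an assumption of this example; use whatever stable
    identifier your session layer exposes.
    """
    digest = hashlib.sha256(f"{feature}:{user_id}".encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS


def is_enabled(user_id, feature, percent):
    """True when the user falls inside the first `percent` buckets.

    Buckets never change, so raising `percent` keeps everyone who already had
    the feature and adds more; lowering it is a partial rollback that removes
    only the most recently added users.
    """
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    return ramp_bucket(user_id, feature) < percent


# The knob a code push changes. Keeping it in source control means the change
# log shows who ramped what, and when (constructed example values).
FEATURE_RAMPS = {"new_checkout": 5, "search_v2": 0}


def cohort(feature, percent, user_ids):
    """Which of `user_ids` would see `feature` at `percent`."""
    return {uid for uid in user_ids if is_enabled(uid, feature, percent)}


def handle_request(user_id):
    """Illustrative call site, the same shape as the slide's if-statement."""
    if is_enabled(user_id, "new_checkout", FEATURE_RAMPS["new_checkout"]):
        return "new checkout"
    return "old checkout"
```

The percentage lives in code on purpose, as the slide suggests: a ramp change is a normal push with a normal diff and a normal author, so "who turned this on for everyone?" is answered by the commit log rather than by someone's memory.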
46. Take 9: Application Level Graphs
! Allow developers to instrument their code
so they can see what is happening in
production.
! Enter StatsD and other UDP-based tools
! Enter centralized logging and in-
application method to make it easy to log
problems.
47. Take 10: Communication
! So far good for one developer.
! To scale up, you'll need a system to let
developers coordinate with each other.
! IRC-like tools work well (e.g. "the push
channel") – skype, jabber, hangouts, etc
48. Along the way
! Expose production logs to developers
! Add in a staging-step where the code
goes to a fraction of the cluster, so
developers can test with real traffic
! Try to make development closer to prod.
! Make "smoke tests" to catch basic errors
! Add syntax checkers to eliminate obvious
issues.
! Use static analysis to find bugs
49. Mistakes will happen
! Do postmortem analysis
! Everyone thought they were doing the
right thing at the time.
! "How can the environment be changed to
prevent this" and build tools to enforce it.
! (Rarely can you truly change people)
51. That guy who pushes at 3am
! Courtesy and convention will converge
very quickly when the site goes down at
3am and the developer starts getting
calls ;-)
! Off-hours pushes can of course happen,
when they notify operations.
52. What About Code Reviews?
! Yes, please do them.
! Nothing here prevents code reviews.
! In fact code reviews are easier since
! they are small
! they are in mainline not some branch
53. What about Security Reviews
! Please do them.
! Nothing here eliminates architectural
planning or review.
! This actually doesn't change the SDLC
very much.
54. What about Agile Methods
! (everyone seems to have a different idea of
what Agile is but..)
! Agile methodologies typically work to
improve the business spec / development
cycle. (are you building what the customer
wants)
! But doesn't address code deployment.
! They are complementary practices.
55. What about Customer Service?
! "Don't they freak out with all the
changes?"
! Remember: deployment != feature release
! Most deployments do very little from the
customer point of view
! Feature releases (frequently controlled by
ramp-ups or flags) always need to be
coordinated with product and customer
service.
56. What about Compliance? PCI?
! Let me tell you about compliance...
! mechanism not policy
58. Obvious Benefit to Security
! Security patches can go out quickly
! You know this since they are now just part
of a normal development cycle.
59. More Importantly
! That Engineer who previously didn’t push
code is now sensitized that their code has
consequences and are responsive and
empowered to fix it.
! It’s amazing how interested engineers
become in security when you find
problems with their code when they are
able to fix quickly themselves.
60. Hack The Stack
! A side effect of this you now have tools to
repurpose for security and
monitoring of production
! Note that most changes are not security
problems.
61. Logging
! Because developers can now see application
logging, it's very easy to instrument
the application to log security events.
! Or add logs to times when you are under
attack.
62. Graphing
! Make dashboards of
! SQLi and XSS attacks
! Every type of log-in failure
! Core Dumps
! Database Syntax Errors
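Slides 46, 61 and 62 all come down to one mechanism: the application emits a counter and a graph appears next to the deploy button. The block below is an added example, not code from the deck or from Etsy, of the StatsD line protocol the slide mentions (`name:value|type`, one UDP datagram, no acknowledgement) wrapped for the security counters listed above. The metric names, the reason and attack-kind lists and the default StatsD address are assumptions. The one check a practitioner should take from it is that nothing taken from a request ever becomes part of a metric name: `|`, `:` and newlines are protocol delimiters, and unbounded names also bury the dashboard in cardinality.

```python
import re
import socket

METRIC_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
METRIC_TYPES = {"c", "g", "ms", "s"}  # counter, gauge, timer, set


def encode_metric(name, value, kind="c", sample_rate=1.0):
    """One StatsD datagram payload: ``name:value|type[|@rate]``.

    The name is validated because '|', ':' and newlines are protocol
    delimiters: a name built from request data could smuggle extra metrics
    into the same packet or blow up cardinality on the graphing side.
    """
    if not METRIC_NAME.match(name):
        raise ValueError(f"invalid metric name: {name!r}")
    if kind not in METRIC_TYPES:
        raise ValueError(f"invalid metric type: {kind!r}")
    line = f"{name}:{value}|{kind}"
    if sample_rate < 1.0:
        line += f"|@{sample_rate}"
    return line


def udp_sender(host="127.0.0.1", port=8125):
    """Fire-and-forget UDP transport: the reason StatsD is safe in a hot path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(payload):
        sock.sendto(payload, (host, port))

    return send


# Only these strings ever become part of a metric name (constructed lists).
LOGIN_FAILURE_REASONS = {"no_such_user", "bad_password", "locked", "expired_token"}
ATTACK_KINDS = {"sqli", "xss"}


class SecurityMetrics:
    """Counters for the dashboards named on the slide.

    `send` is injectable so tests can capture datagrams; by default it is a
    UDP socket to a local StatsD on port 8125 (an assumption of this example).
    """

    def __init__(self, send=None, prefix="app.security"):
        self.send = send or udp_sender()
        self.prefix = prefix

    def _count(self, name, value=1):
        line = encode_metric(f"{self.prefix}.{name}", value)
        self.send(line.encode("ascii"))
        return line

    def login_failure(self, reason):
        # Unknown reasons go to a fixed bucket instead of into the name.
        reason = reason if reason in LOGIN_FAILURE_REASONS else "other"
        return self._count(f"login.failure.{reason}")

    def attack_detected(self, kind):
        if kind not in ATTACK_KINDS:
            raise ValueError(f"unknown attack kind: {kind!r}")
        return self._count(f"attack.{kind}")

    def db_syntax_error(self):
        # A spike here with no deploy in flight is a classic SQLi indicator.
        return self._count("db.syntax_error")
```

Each method returns the line it sent, so the wire format is visible in a test; in production the return value is ignored and the call costs one `sendto`.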
63. Static Analysis
! You now have a place to insert them.
! Work with QA group to add more code
quality tests.
64. Post-Commit Checks
! Alert on when sensitive areas of the code
are changed (auth)
! Alert on crypto usage (why is developer
using MD5.. hmmm)
! Alert on your programming language's
"dangerous functions"
This allows you to engage the developer at the start of the cycle.
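One way to run the post-commit alerts above, as an added example that is neither the deck's nor Etsy's tooling: scan only the lines a commit adds, so the developer hears about an MD5 call or a new `eval` minutes after writing it rather than at launch. The path list, the regexes and the sample diff are constructed for illustration; the mix of PHP and Python names stands in for whatever your language's dangerous-function list is. `scan_commit` shells out to `git show`, which is how it would be wired into a post-commit or post-receive hook.

```python
import re
import subprocess

# Paths whose changes should reach the security group (constructed list).
SENSITIVE_PATHS = ("auth/", "login", "session", "password", "crypto/")

# Weak or misused primitives worth a conversation, not a hard block.
WEAK_CRYPTO = re.compile(r"\b(md5|sha1|rc4|mcrypt_encrypt)\s*\(", re.IGNORECASE)

# Language "dangerous functions"; PHP and Python names mixed as an
# illustration, tune the set to your stack.
DANGEROUS = re.compile(
    r"\b(eval|exec|system|shell_exec|passthru|popen|unserialize"
    r"|os\.system|pickle\.loads)\s*\("
)


def scan_diff(diff_text):
    """Return (category, path, line) findings for the *added* lines of a unified diff."""
    findings = []
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            if any(marker in path.lower() for marker in SENSITIVE_PATHS):
                findings.append(("sensitive-path", path, None))
            continue
        if not raw.startswith("+"):
            continue  # context, removed lines, hunk headers, file headers
        added = raw[1:].strip()
        if WEAK_CRYPTO.search(added):
            findings.append(("weak-crypto", path, added))
        if DANGEROUS.search(added):
            findings.append(("dangerous-function", path, added))
    return findings


def scan_commit(rev="HEAD"):
    """Scan one commit; meant for a post-commit or post-receive hook."""
    diff = subprocess.run(
        ["git", "show", "--format=", "--unified=0", rev],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_diff(diff)


# Constructed sample diff so the scanner can be exercised without a repo.
SAMPLE_DIFF = """\
diff --git a/lib/auth/login.php b/lib/auth/login.php
--- a/lib/auth/login.php
+++ b/lib/auth/login.php
@@ -10,2 +10,3 @@
-    $hash = sha1($password);
+    $hash = md5($salt . $password);
+    $ok = hash_equals($stored, $hash);
diff --git a/lib/report.php b/lib/report.php
--- a/lib/report.php
+++ b/lib/report.php
@@ -40,0 +41,1 @@
+    eval($_GET['expr']);
"""


if __name__ == "__main__":
    for category, path, line in scan_diff(SAMPLE_DIFF):
        print(f"{category:18} {path}  {line or ''}")
```

Note that the removed `sha1(...)` line produces nothing: the point of a post-commit check is to start a conversation about code that is going in, and a deploy that is a minute away is what makes that conversation worth having right now.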
65. Faster is Better
! You could do most of this in a normal
release-cycle software lifecycle.
! The difference is you are finding problems
at the start instead of 10m before the
launch and telling everyone to stop.
! The feedback loop works.
66. New Roles, Less Silos
! Developers: works with operations
! QA: works on building systems for testing,
to empower others to write better tests
! Release Engineering: tools to enable code
to flow faster
! Security: in-house consultancy, secure-by-
default architecture, monitoring
68. Goal: 50% reduction in deploy times
! Whatever your state of deployment is, no
matter how many people are involved, no
matter how long it currently takes, make a
goal of cutting it in half.
! This is an easy sell to management just on
cost basis.
! Everything else flows from this.
69. Mechanism not Policy
! Strive for the fastest deployment mechanism
possible
! But you define the "continuous" in Continuous
Deployment
! Yes, Etsy was 60+ deploys per day, with each having
multiple authors.
! Current gig? We have a rule of no more than 3 per week,
since our customers have asked for that, and we only
deploy at "low-tide"
73. In other contexts: software product
! here "production" might be getting code
into the main branch and running
automated build / test.
! It's the flow of code: little changes vs big.
74. In other contexts: silicon
! Continuous deployment already done for
silicon! wut?
! Only small changes, with tests are allowed
to be committed!
! Big changes are rejected.
Learned the hard way that big changes are
completely unmanageable