Scott M. Johnson, Lead PM - Technical Compliance presented, "How Docusign uses Black Duck for DevOps, AppSec and Compliance." For more information, visit our website at www.blackducksoftware.com.
Dr. Robert Burnett, director of software engineering at L3 Communications Corporation presented "Continuous Integration––An Overview." For more information, please visit us at www.blackducksoftware.com
This document discusses continuous security with Kubernetes. It introduces the concept of DevSecOps which integrates security practices into DevOps workflows. It discusses how to secure container images, container builds, container registries, container hosts, and networking. It also covers continuous integration, delivery, monitoring and logging in container environments. The goal is to enable innovation speed while maintaining security and efficiency at scale.
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
Organizations of all sizes using automation and agile methodologies to improve the speed and reliability of their software development initiatives. In this session we will provide an overview and demonstrations of the various ways you can integrate Black Duck Hub with your CI/CD tools to manage open source risks throughout development.
Learn how this Black Duck customer tracks the potential impact of open source security vulnerabilities in all its products while ensuring the SDLC remains fast and agile.
Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.
The Hub builds on all the great technology developed in the Black Duck Suite over the past 10 years combined with a revamped UI and an integrated set of features. It's much easier than you would think to make the move from the Suite to the Hub. Learn how in this revealing session.
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
Dr. Robert Burnett, director of software engineering at L3 Communications Corporation presented "Continuous Integration––An Overview." For more information, please visit us at www.blackducksoftware.com
This document discusses continuous security with Kubernetes. It introduces the concept of DevSecOps which integrates security practices into DevOps workflows. It discusses how to secure container images, container builds, container registries, container hosts, and networking. It also covers continuous integration, delivery, monitoring and logging in container environments. The goal is to enable innovation speed while maintaining security and efficiency at scale.
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
Organizations of all sizes using automation and agile methodologies to improve the speed and reliability of their software development initiatives. In this session we will provide an overview and demonstrations of the various ways you can integrate Black Duck Hub with your CI/CD tools to manage open source risks throughout development.
Learn how this Black Duck customer tracks the potential impact of open source security vulnerabilities in all its products while ensuring the SDLC remains fast and agile.
Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.
The Hub builds on all the great technology developed in the Black Duck Suite over the past 10 years combined with a revamped UI and an integrated set of features. It's much easier than you would think to make the move from the Suite to the Hub. Learn how in this revealing session.
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
This session examines how Legal Counsel can help software development teams create an automated compliance process to make daily decisions related to open source licenses.
This document discusses myths and misperceptions around open source security. It addresses 6 common misperceptions: 1) that security tools can find all open source vulnerabilities, 2) that scanning is best done at the end of development, 3) that the National Vulnerability Database covers all vulnerabilities, 4) that replacing vulnerable components is always the answer, 5) that the "many eyes" theory ensures open source security, and 6) that open source is less secure than commercial software. The document provides details to counter each misperception and emphasizes that all software can have vulnerabilities, and that visibility into what software is used is key to security.
PKI in DevOps: How to Deploy Certificate Automation within CI/CDDevOps.com
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (i.e. Jenkins, Kubernetes, Istio, etc.)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck
Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption.
The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.
In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn:
• Why container environments present new application security challenges, including those posed by ever-increasing open source use.
• How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities.
• Best practices and methodologies for deploying secure containers with trust and confidence.
Integrating security into Continuous DeliveryTom Stiehm
This document discusses integrating security practices into continuous delivery processes. It describes Coveros' SecureAgile development process which includes threat modeling, risk analysis, penetration testing, security stories, secure code reviews, defensive coding and design, and secure testing. The goal is to assure timely delivery of software while achieving security objectives. Integrating security helps make applications more secure, reduces security costs, improves quality, and protects applications from attackers.
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
Devops security-An Insight into Secure-SDLCSuman Sourav
The integration of Security into DevOps is already happening out of necessity. DevOps is a powerful paradigm shift and companies often don’t understand how security fits. Aim of this session is to give an overview of DevOps security and How security can be integrated and automated into each phases of software development life-cycle.
Quality of software code for a given product shipped effectively translates not only to its functional quality but as well to its non functional aspects say security. Many of the issues in code can be addressed much before they reach SCM.
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
In this session, we'll start with the basics of application security for an environment where development teams are able to push code into production at will. We quickly cover the basics and move on to the advanced topics of tests and models for long-term application security. We'll cover real-world Black Duck CI examples including keeping apps up-to-date in Pivotal Cloud Foundry environments, and end with tips for advocating for long-term security structures.
Application security meetup - cloud security best practices 24062021lior mazor
"Cloud Security Best Practices" meetup, is about Secrets Management in the Cloud, Secure Cloud Architecture, Events Tracking in Microservices and How to Manage Secrets in K8S.
Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.
This document discusses Hub APIs for integrating Black Duck into other environments. It provides an overview of common API scenarios, introduces the Hub APIs, and describes the currently available Hub API categories including general, report, notification, and extension APIs. The document also discusses REST API patterns and provides an example of API structure and interactions. It concludes by previewing future directions for Hub API enhancements.
The document discusses securing the "last mile" of the software supply chain, which refers to getting software deployed from development to production. It presents a process for hardening the deployment pipeline that involves identifying security requirements, determining which components are trusted vs untrusted, analyzing for vulnerabilities, and refining the model by adding new trusted components until no vulnerabilities remain. Specifically, it applies this process to example deployment pipeline that uses Jenkins and Docker, finding vulnerabilities and addressing them by adding steps like encrypting files and verifying image checksums using small, independently verifiable components.
Рабочие нагрузки Skype for business 2015 UC LabUC2
The document announces an upcoming UC2 meeting on April 26, 2016 featuring presentations on Exchange 2013/2016 transport high availability and Avaya networking solutions for Microsoft UC. It also advertises live streaming of the event over Skype for Business Online. Presentation topics for a March 29 event at the Microsoft Technology Center include Skype for Business 2015 workload routing, port/protocol usage, and traffic modeling/simulation solutions from Microsoft and IXIA.
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.
Forge.mil is a collaborative software development platform that aims to overcome siloed development, reduce duplication of effort, and enable cross-program sharing of software and services. It provides application lifecycle management services and tools for collaborative development within a shared, multi-tenant environment for Department of Defense programs and partners. Forge.mil has grown to support over 2700 software releases from various DoD projects across different services since its initial launch in 2009.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
This session examines how Legal Counsel can help software development teams create an automated compliance process to make daily decisions related to open source licenses.
This document discusses myths and misperceptions around open source security. It addresses 6 common misperceptions: 1) that security tools can find all open source vulnerabilities, 2) that scanning is best done at the end of development, 3) that the National Vulnerability Database covers all vulnerabilities, 4) that replacing vulnerable components is always the answer, 5) that the "many eyes" theory ensures open source security, and 6) that open source is less secure than commercial software. The document provides details to counter each misperception and emphasizes that all software can have vulnerabilities, and that visibility into what software is used is key to security.
PKI in DevOps: How to Deploy Certificate Automation within CI/CDDevOps.com
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (i.e. Jenkins, Kubernetes, Istio, etc.)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck
Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption.
The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.
In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn:
• Why container environments present new application security challenges, including those posed by ever-increasing open source use.
• How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities.
• Best practices and methodologies for deploying secure containers with trust and confidence.
Integrating security into Continuous DeliveryTom Stiehm
This document discusses integrating security practices into continuous delivery processes. It describes Coveros' SecureAgile development process which includes threat modeling, risk analysis, penetration testing, security stories, secure code reviews, defensive coding and design, and secure testing. The goal is to assure timely delivery of software while achieving security objectives. Integrating security helps make applications more secure, reduces security costs, improves quality, and protects applications from attackers.
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
Devops security-An Insight into Secure-SDLCSuman Sourav
The integration of Security into DevOps is already happening out of necessity. DevOps is a powerful paradigm shift and companies often don’t understand how security fits. Aim of this session is to give an overview of DevOps security and How security can be integrated and automated into each phases of software development life-cycle.
Quality of software code for a given product shipped effectively translates not only to its functional quality but as well to its non functional aspects say security. Many of the issues in code can be addressed much before they reach SCM.
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
In this session, we'll start with the basics of application security for an environment where development teams are able to push code into production at will. We quickly cover the basics and move on to the advanced topics of tests and models for long-term application security. We'll cover real-world Black Duck CI examples including keeping apps up-to-date in Pivotal Cloud Foundry environments, and end with tips for advocating for long-term security structures.
Application security meetup - cloud security best practices 24062021lior mazor
"Cloud Security Best Practices" meetup, is about Secrets Management in the Cloud, Secure Cloud Architecture, Events Tracking in Microservices and How to Manage Secrets in K8S.
Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.
This document discusses Hub APIs for integrating Black Duck into other environments. It provides an overview of common API scenarios, introduces the Hub APIs, and describes the currently available Hub API categories including general, report, notification, and extension APIs. The document also discusses REST API patterns and provides an example of API structure and interactions. It concludes by previewing future directions for Hub API enhancements.
The document discusses securing the "last mile" of the software supply chain, which refers to getting software deployed from development to production. It presents a process for hardening the deployment pipeline that involves identifying security requirements, determining which components are trusted vs untrusted, analyzing for vulnerabilities, and refining the model by adding new trusted components until no vulnerabilities remain. Specifically, it applies this process to example deployment pipeline that uses Jenkins and Docker, finding vulnerabilities and addressing them by adding steps like encrypting files and verifying image checksums using small, independently verifiable components.
Рабочие нагрузки Skype for business 2015 UC LabUC2
The document announces an upcoming UC2 meeting on April 26, 2016 featuring presentations on Exchange 2013/2016 transport high availability and Avaya networking solutions for Microsoft UC. It also advertises live streaming of the event over Skype for Business Online. Presentation topics for a March 29 event at the Microsoft Technology Center include Skype for Business 2015 workload routing, port/protocol usage, and traffic modeling/simulation solutions from Microsoft and IXIA.
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.
Forge.mil is a collaborative software development platform that aims to overcome siloed development, reduce duplication of effort, and enable cross-program sharing of software and services. It provides application lifecycle management services and tools for collaborative development within a shared, multi-tenant environment for Department of Defense programs and partners. Forge.mil has grown to support over 2700 software releases from various DoD projects across different services since its initial launch in 2009.
Implementing Fast IT Deploying Applications at the Pace of Innovation Cisco DevNet
Fast innovation requires Fast IT: the new model for IT that transforms the way we deliver new business application capabilities to our clients.
Cisco IT has created solutions that enable automated provisioning of environments and fast deployment of cloud applications through “Software Development-as-a-Service”.
In this session, we’ll provide a hands-on experience of how application teams use an automated toolset to combine quality and agility, while reducing operational expense. We’ll also provide a view of the key technologies that enable this solution.
Finally, there’s a quick glimpse into what’s next: containerization and IOE Application Enablement.
Kube con china_2019_7 missing factors for your production-quality 12-factor appsShikha Srivastava
This document discusses factors for building production-ready applications on Kubernetes. It describes the original 12 factors for building scalable apps and identifies 7 additional missing factors. The missing factors are: XIII) Observable, XIV) Schedulable, XV) Upgradable, XVI) Least Privileged, XVII) Auditable, XVIII) Access Control (Identity, Network, Scope, Certificates), and XIX) Measurable. Addressing all factors throughout the development and deployment process is key to building truly production-grade applications.
DevOps is powering the computing environments of tomorrow. When properly configured, the Splunk platform allows us to gain real-time visibility into the velocity, quality, and business impact of DevOps-driven application delivery across all roles, departments, process, and systems. Splunk can be used by DevOps practitioners to provide continuous integration/deployment and the real-time feedback to help the organization with their operational intelligence. Join us for a exciting talk about Splunk’s current approach to DevOps, and for examples of how Splunk is being used by customers today to transform DevOps initiatives.
Learn how Github analytics can help you gauge the health of your DevOps release cycle, gain visibility into team productivity, and secure your intellectual property.
Spring and Pivotal Application Service - SpringOne Tour - BostonVMware Tanzu
This document discusses Spring and Pivotal Application Service (PAS). It notes that PAS provides market-leading support for Spring technologies and an ecosystem of services for Spring applications. It covers why developers use Spring and PAS, how PAS supports Spring features like Boot, Security, and Cloud, and the services available on PAS like MySQL, RabbitMQ, and Redis. It concludes with next steps around contacting an account team, trying hosted PAS software, and signing up for roadmap calls.
Spring and Pivotal Application Service - SpringOne Tour DallasVMware Tanzu
Spring and Pivotal Application Service (PAS) provide a market-leading platform for developing and deploying Spring applications on cloud-native technologies. PAS offers robust support for Spring technologies, a growing ecosystem of services for Spring apps, and tools to improve development productivity and application observability. Next steps include contacting an account team, trying hosted PAS, or signing up for the next product roadmap call.
An overview of how electronic signature objects are generated and used within PDF documents including the overview of Aodbe LiveCycle ES's ability to programmatically work with them server side.
This document discusses continuous delivery using Spinnaker, an open source continuous delivery platform. It provides an overview of Spinnaker, including how it supports continuous integration and delivery goals like shipping faster and reducing risk. Spinnaker allows automated deployment pipelines across multiple cloud providers and supports features like zero-downtime deployments, rollbacks, and automated canary analysis. The document also describes how Spinnaker integrates with platforms like Cloud Foundry and CI systems like Concourse.
Transforming your Security Products at the EndpointIvanti
Are you thinking about extending the endpoint capabilities of your Security Solution? Join us for a dep dive into the value of embedding patch management capabilities into your security software. Learn how other security companies have chosen to add patching and remdiation. Why in 2018 patching is more important than ever as your customers confront ransomware, zero day attacks, and more.
AWS Partner: Grindr: Aggregate, Analyze, and Act on 900M Daily API CallsAmazon Web Services
Monitoring and making sense of infrastructure data can be an arduous process. Managing a volume of API calls from more than one million active users every minute presents an even more complex and demanding challenge. Using Amazon Web Services (AWS) and Datadog, Grindr overcame a series of infrastructure challenges by both implementing and managing highly scalable, high availability, and top performing infrastructure, as well as aggregating, analyzing, and acting on key infrastructure data KPIs.
This document is a resume for John Haggins, who has over 20 years of experience as a Director/Architect for software engineering projects. He has managed teams of up to 45 engineers and overseen multimillion dollar budgets. His skills include designing and implementing software solutions, managing projects, establishing software development standards, and architecting systems. He has experience working with technologies such as .NET, Java, Linux, SQL Server, and VMware.
Modernizing Testing as Apps Re-ArchitectDevOps.com
Applications are moving to cloud and containers to boost reliability and speed delivery to production. However, if we use the same old approaches to testing, we'll fail to achieve the benefits of cloud. But what do we really need to change? We know we need to automate tests, but how do we keep our automation assets from becoming obsolete? Automatically provisioning test environments seems close, but some parts of our applications are hard to move to cloud.
This document discusses DevSecOps principles for banks and financial institutions. It introduces DevSecOps as an evolution from DevOps that incorporates security practices like risk assessments, security testing, and compliance monitoring directly into the development lifecycle. The presentation outlines key DevSecOps principles like establishing security requirements upfront, implementing controls like access management and logging, and conducting continuous security testing. It provides an example of a Swiss bank that uses Kubernetes, Docker, and security tools from VSHN to operationalize DevSecOps and improve governance.
MD Badusha is a software engineer with over 15 years of experience developing and maintaining applications in C/C++ on Unix/Linux platforms. He has extensive experience in the telecom and financial domains. Some of his past projects include developing components for a credit card personalization system and enhancing networking management software. He is proficient in development lifecycle activities like coding, testing, debugging and delivering releases.
Similar to Flight East 2018 Presentation–Black Duck at Docusign (20)
Die Zeiten ändern sich und verlangen immer mehr Aufmerksamkeit. Dies trifft speziell im Bereich Open-Source-Software zu. Die Komplexität gerade in der Technologiebranche ist enorm, gerade wenn der Sicherheitsaspekt eine wichtige Rolle spielt.
Die Nutzung von Open-Source ist bereits beachtlich und nimmt stetig zu. Im Vergleich zum letzten Jahr ist die Anzahl der Unternehmen, die OSS verwenden enorm gestiegen. In Deutschland setzen 69% der befragten Unternehmen OSS ein und der Trend steigt stetig. Im globalen Vergleich verwenden laut des OSSRA Berichts 2019 (Open Source Sicherheits-und Risikoanalyse) 60% der befragten Unternehmen Open Source im analysierten Code im Jahr 2018; eine 3%ige Steigerung zum Vorjahr.
During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
For more information, please visit our website at www.synopsys.com/software
This annual review will highlight the most significant legal developments related to open source software in 2019, including:
•Evolution of open source: control, sustainability, and politics
•Litigation update: Cambium and Artifex cases
•Patents and the open source community
•Impacts of government sanctions
•The shift left for compliance and rise of bug bounty programs
•And much, much more
For more information, please visit https://www.synopsys.com/software-integrity/managed-services/open-source-software-audit.html
Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where:
• The threat landscape continues to evolve.
• Application portfolios and their risk profiles continue to shift.
• Security tools are difficult to deploy, configure, and integrate into workflows.
• Consumption models continue to change.
How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where:
• The threat landscape continues to evolve.
• Application portfolios and their risk profiles continue to shift.
• Security tools are difficult to deploy, configure, and integrate into workflows.
• Consumption models continue to change.
How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
For more information, please visit our website at https://www.synopsys.com/software-integrity/managed-services.html
During a recent webinar, Jonathan Knudsen presented: "That's Not How This Works: All Development Should Be Secure."
Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Webinar attendees will learn:
• Why traditional approaches to software development usually end in tears and heartburn
• How a structured approach to secure software development lowers risk for you and your customers
• Why automation and security testing tools are key components in the implementation of a secure development life cycle
For more information, please visit our website at www.synopsys.com/software-integrity.html
Companies’ use of open source software has surpassed the occasional and solidified itself as the mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether a company is acquiring another company, preparing for acquisition or simply wanting to manage their use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report?
For more information, please visit our website at https://www.synopsys.com/open-source-audit
During a recent webinar, Lewis Ardern, senior security consultant presented "OWASP Top 10 for JavaScript Developers."
19_10_EMEA_WB_Owasp Top 10 for Java Script Developers With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities.
For more information, please visit our website at www.synopsys.com/standards
During a recent webinar, West Monroe discussed, "The State of Open Source in M&A Transactions."
Based extensive experience in M&A, West Monroe Partners is on the front line when it comes to tech due diligence, and they’ve seen a few trends emerge when it comes to open source and M&A deals. Buyers and seller alike need to understand these trends to get the most value out of any transaction.
For more information, please visit our website at www.synopsys.com/open-source-audit
Vulnerabilities are an inevitable part of software development and management. Whether they’re in open source or custom code, new vulnerabilities will be discovered as a codebase ages. As stated in the 2019 Open Source Security and Risk Analysis report, 60% of the codebases audited in 2018 contained at least one known vulnerability. As the number of disclosures, patches, and updates grows, security professionals must decide which critical items to address immediately and which items to defer.
For more information, please visit our website at www.synopsys.com/software.
Dan Sturtevant, Silverthread and Niles Madison at Synopsys discussed design quality and code quality on a recent webinar.
In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software prior to doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly and laborious. This can significantly impact the long-term viability of the application, and maintaining that software can seriously degrade ROI. That’s why understanding a software system’s design or architectural health and the likely 'cost of ownership' is key..
For more information, please visit our website at https://www.synopsys.com/open-source-audit
During a recent webinar, Andrew Vanderstock, senior principal consultant at Synopsys presented "Using Evidence-Based Security in Your Secure Development Life Cycle." For more information on our products and services, please visit our website at www.synopsys.com/software.
The Synopsys Cybersecurity Research Center (CyRC) has a dedicated team of security analysts who specialize in sourcing, curating, and analyzing open source software vulnerabilities. The team delivers a customer-focused vulnerability feed comprising open source vulnerability reports called BDSAs (Black Duck Security Advisories). These reports are timely, accurate, and packed with relevant actionable information.
In this webinar, Siobhan Hunter, security research lead, reveals why the high-quality content of the BDSA feed is best in class, with examples of how our BDSA feed compares with the NVD and insights into how we discover and deliver valuable vulnerability information for our customers every day. For more information, please visit our website at https://www.synopsys.com/cyrc
This document summarizes a study on why investing in application security (appsec) matters for financial services organizations. The study found that over 50% of financial services firms had experienced theft of customer data due to insecure software. It also found that on average, only 34% of financial software and technology is tested for cybersecurity vulnerabilities. While addressing cybersecurity risks is important, the study noted that financial organizations face resource constraints, with only 45% believing they have adequate budgets for security and only 38% having necessary security skills. The document promotes the software integrity tools offered by Synopsys to help organizations build more secure software faster and address these challenges.
Virtually every organization uses open source software, and lots of it, to create efficiencies in software development. But left unmanaged, open source can introduce legal, IP, compliance, and other risks for the business. With over 2,500 different licenses in use, legal professionals and technical managers need to understand the license obligations associated with open source and how to mitigate risks. For more information, please visit our website at www.synopsys.com/open-source-audit
In the past few years, cybersecurity has become more intertwined into each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detect unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) system and telematics units, there are several types of issues that go undetected, such as memory leaks and cases where the application crashes but restarts quickly. For more information, please visit www.synopsys.com/auto
During a recent webinar attendees learned how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We covered: • The types of risk around open source software • Why depth of analysis matters, and what it results in during M&A diligence • Why accuracy, reporting, and expert human analysis are keys to thorough diligence.
For more information, please visit our website at www.synopsys.com/open-source-audit
Lysa Bryngelson, Sr. Product Manager for Black Duck Binary Analysis at Synopsys presented on a recent webinar. During the webinar, she discussed one of the biggest challenges companies face with third-party software is lack of visibility into the open source libraries used in the software they embed in their products. Over the last year, major security breaches have been attributed to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail, and media. For more information, please visit our website at www.synopsys.com/blackduck
Alors que l’adoption de DevOps pour des organisations Agile était une transition naturelle, le passage à DevSecOps a introduit de nouveaux défis. DevSecOps nécessite un changement important de mentalité et de culture d'entreprise pour intégrer les nouveaux outils et les nouvelles activités de sécurité. C’est la raison pour laquelle suivre le rythme d’Agile et la culture DevOps lors de l’introduction de la sécurité dans le cycle de développement logiciel (SDLC) est un défit pour de nombreuses entreprises.
Dans ce webinaire, Cem Nisanoglu explore le modèle opérationnel de DevSecOps et souligne l'importance de la gestion des changements, de l'automatisation, et des indicateurs de sécurité dans une transition vers DevSecOps, ainsi que la manière dont ces activités peuvent contribuer à la formation de sécurité, à des cycles de release plus rapides, et à l'optimisation des budgets de sécurité dans l’entreprise.
Tim Mackey is a principal security strategist with the Synopsys Cybersecurity Research Center(CyRC). Within this role, he engages with various technical and business communities to understand how application security is evolving with ever-expanding attack surfaces and increasingly sophisticated threats. He specializes in container security, virtualization, cloud technologies, distributed systems engineering, mission critical engineering, performance monitoring, and large-scale data center operations. Tim takes the lessons learned from these activities and delivers talks globally at conferences like RSA, KubeCon and InfoSec. For more information, please visit www.synopsys.com/software.
During a recent webinar, Tim Mackey, Principal Security Strategist with the Synopsys Cyber Research Center discussed how to streamline the tech due diligence process.
For more information, please visit our website at www.synopsys.com/open-source-audit
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
When deliberating between CodeIgniter vs CakePHP for web development, consider their respective strengths and your project requirements. CodeIgniter, known for its simplicity and speed, offers a lightweight framework ideal for rapid development of small to medium-sized projects. It's praised for its straightforward configuration and extensive documentation, making it beginner-friendly. Conversely, CakePHP provides a more structured approach with built-in features like scaffolding, authentication, and ORM. It suits larger projects requiring robust security and scalability. Ultimately, the choice hinges on your project's scale, complexity, and your team's familiarity with the frameworks.
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long runnings systems adding new cryptographic algorithms, certificate revocation, and hardness against DoS attacks.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Mobile app Development Services | Drona InfotechDrona Infotech
Drona Infotech is one of the Best Mobile App Development Company In Noida Maintenance and ongoing support. mobile app development Services can help you maintain and support your app after it has been launched. This includes fixing bugs, adding new features, and keeping your app up-to-date with the latest
Visit Us For :
Preparing Non - Technical Founders for Engaging a Tech AgencyISH Technologies
Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Takashi Kobayashi and Hironori Washizaki, "SWEBOK Guide and Future of SE Education," First International Symposium on the Future of Software Engineering (FUSE), June 3-6, 2024, Okinawa, Japan
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
WhatsApp offers simple, reliable, and private messaging and calling services for free worldwide. With end-to-end encryption, your personal messages and calls are secure, ensuring only you and the recipient can access them. Enjoy voice and video calls to stay connected with loved ones or colleagues. Express yourself using stickers, GIFs, or by sharing moments on Status. WhatsApp Business enables global customer outreach, facilitating sales growth and relationship building through showcasing products and services. Stay connected effortlessly with group chats for planning outings with friends or staying updated on family conversations.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...kalichargn70th171
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
Launch Your Streaming Platforms in MinutesRoshan Dwivedi
The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown:
Pros of Speedy Streaming Platform Launch Services:
No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge.
Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker.
All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations.
Things to Consider:
Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions.
Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option.
Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options).
Examples of Services for Launching Streaming Platforms:
Muvi [muvi com]
Uscreen [usencreen tv]
Alternatives to Consider:
Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited.
Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform.
Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.
Flight East 2018 Presentation–Black Duck at Docusign
1. Black Duck @ DocuSign
Scott M. Johnson
Lead PM – Technical Compliance
How DocuSign uses BlackDuck for
Devops, AppSec and Compliance
2. DocuSign is now a verb
The industry leader in signing is now building
the first end to end digital System of Agreement
3. 430,000 Customers – 350 Million users – 1 Million documents/day
High Performance Architecture at DocuSign
3
1.1 M+
transactions
per day
100s of Gbps
of network
bandwidth
6,000+
Blob trx/sec
150TB+
of PCI flash storage
powering our
OLTP system
Thousands
of drives, tens
of PBs of storage
4.5K+ HTTP
requests/sec
>99.99%
uptime
4. Platform Security is Core to our Mission
4
Hardware &
Infrastructure
• Geo-dispersed data
centers
• Near real-time data
replication
• Round-the-clock security
Systems &
Operations
• Separate corporate,
development and
production networks
• Active 24/7 monitoring and
alerting
• Data stored up to nine
times across
geographically disparate
locations
Applications
& Access
• Customer control over
account authentication
options
• Multiple recipient
authentication options
• Layers of auditing,
including digital audit trails
and logging capabilities
Transmission
& Storage
• Anti-tampering controls on
documents
• Reliable, systematic
capture of signing data
• Cloud and on-premises
solutions
7. DocuSign Complies With the Top Security and Privacy
Standards
Global Security
Gold Standard:
Full ISO
27001:2013
Standardized
approach to
security
assessment,
authorization, and
continuous
monitoring for cloud
products and
services
First company to be
compliant with
xDTM Standard,
v.1.0, standard
focused on quality
for Digital
Transaction
Management
DocuSign adheres
to the requirements
of the European
Union’s General
Data Protection
Regulation (GDPR)
SOC 1 Type 2:
Audit report on
controls relevant to
financial reporting,
verifies operating
effectiveness
SOC 2 Type 2:
Audit report covers
security, availability,
processing integrity,
confidentiality
Data Security
Standard for
handling credit card
information.
DocuSign
compliant as both
service provider
and merchant
Approved
DocuSign Binding
Corporate Rules
(BCR) as a data
Controller and
Processor,
sponsored by the
Irish Data
Protection
Commissioner
10. Top 10 Challenges of OSS Governance
1) Creating accurate reports of what is actually shipping in a complex
dev environment.
2) Implementing a Patching Policy without disrupting new features
3) Compiled binaries in GitHub. Arg!
4) 10 year old code is still in the system - POC / Dead Code / Unshipped
repos
5) Some GitHub code not actually shipping, or team ships from a sub
branch
6) Identifying ownership and non-ownership
7) Integrating with Sonarcube, Fortify, Nessus scanning to augment
results.
8) AGPL converted to commercial – Still detected as AGPL
9) Refreshing all data while persisting exceptions, ignores and license
updates.
24. Automate the creation of compliance evidence:
BlackDuck, Jenkins, Github, SonarCube, Artifactory and DocuSign
• Automatically sync and scan code bases, builds and release artifacts
• Annotate risks for developers in SonarCube and Artifactory
• Create DocuSign embedded component authorization forms for AppSec + architecture leads
• Auto-generate DocuSign envelopes for quarterly authorization signoffs for each project
• Build quarterly inventory for compliance evidence with signoff from VP and deputy risk
managers
• SQL Import jobs to automatically link ownership with binaries and produce Power BI reports
• Scan every PR for new components and follow up with developers and teams.
• AI?
In-progress Aspirations: API Mashups!
27. Regular Assessment Activities
Activity Cadence Requirement Scope
Vulnerability Scanning Monthly ISO/PCI/FedRamp, Customer All DocuSign systems
ASV Scanning Quarterly PCI PCI Scope
Release Scanning Monthly ISO/PCI/FedRamp, Customer Primary Products
Go Live Scanning On Demand ISO/PCI/FedRamp New dynamic web sites
Website Scan On Demand ISO/PCI/FedRamp All DocuSign web sites
Website Malware and
Change Monitoring
Daily ISO/PCI/FedRamp All DocuSign web sites
Server Acceptance On Demand ISO/PCI/FedRamp New DocuSign systems
Pentest Annual PCI/ISO/FedRamp PCI Scope
28. 3rd Party Security Tooling
Product Area Scope
BlackDuck Hub Open source vulnerabilities, licenses,
operational risks, patch levels and
attribution.
Open Source in Github,
Compiled apps, Jenkins,
Artifactory
Tenable Security Center and
Nessus Scanners
Network and OS vulnerability scanning All DocuSign systems
Rapid 7 AppSpider / Arachni Web application and release scanning /
Dynamic Analysis
Primary Products / New
dynamic websites
Risk IQ Web application inventory management All DocuSign websites
HP Fortify Static code analysis Primary Products
Burp Suite Dynamic application scanning and
penetration testing tool
Primary Products / PenTests
29. Delivering World-Class Security
Platform and Architecture Overview2
• Security strategy
• Security policies
• Security council
• SDLC security
• Threat &
Vulnerability mgmt
• Information
assurance
Governance,
Risk, and
Compliance
Endpoint
Security
• Security tools
architecture
• Intel security suite
• Data leakage
prevention
• Malware protection
Monitoring,
Defense,
and Incident
Response
• 24/7 security ops
center
• Correlation ranking
and escalation of
security events
Managed
Services
• Vendor security life-
cycle compliance
program
Physical
Security
• Data centers
& offices
• People security
& safety
• Badging
• Cameras
• Sign-in process
World-
Class
Security
Program
30. Processes
The DocuSign Security Program
3
Delivering World-Class Security
People
• Comprehensive cross-functional security
expertise
• Industry thought leadership
• Extensive security and privacy training
Platform and Operations
• Customer control over account authentication
options
• Multiple recipient authentication options
• Layers of auditing and logging capabilities
People
Platform
Processes
• Expansive, holistic protection program with
incident response, endpoint security,
physical security, privacy and compliance
• Internationally recognized security standards
and certifications