From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
•
0 likes•327 views
The traditional way of handling security issues in DevOps involves security teams analyzing vulnerabilities and opening issues/tickets, with closing the loop on resolutions being difficult. This model is changing as the cost of fixing later-stage defects rises significantly. The shift is toward DevSecOps where responsibility for application security moves to development teams. Developers are integrating security tools earlier in the software development lifecycle (SDLC) to enable a more secure-by-design approach. Effective DevSecOps requires tools that fit seamlessly into developer workflows and prioritize actual vulnerabilities over non-issues. It also demands integrating security practices into DevOps processes through agile methodologies and automation.
Report
Share
Report
Share
Download to read offline
Recommended
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements.
However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software.
Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses:
1. The four layers of open-source security
2. How to integrate continuous security into your SDLC
3. Best practices for organizations to own and execute the security process
Taking Open Source Security to the Next Level
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
Tackling the Risks of Open Source Security: 5 Things You Need to Know
This document discusses open source security risks and provides recommendations. It contains 5 sections:
1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing.
2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation.
3. Prioritizing security vulnerabilities is key as developers spend too much time on ineffective vulnerabilities.
4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps.
5. Shifting security left by empowering developers and integrating tools earlier can turn developers into advocates and detect issues cheaper.
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries.
Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss:
The key differences between accidental vulnerabilities and malicious releases,
How to manage the risk for each type of vulnerability,
Lessons learned from the most interesting malicious packages spotted during 2019.
The State of Open Source Vulnerabilities Management
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
Tackling the Container Iceberg:How to approach security when most of your sof...
Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these?
Join Codefresh and WhiteSource, as they embark on a journey to tackle:
The container iceberg - learn what are your blind spots
The main security challenges when using open source in containerized applications
The role of automation in open source security in containers
A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline
The Challenges of Scaling DevSecOps
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Open Source Security at Scale- The DevOps Challenge
It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this, comes the alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018.
The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?
Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses:
- The current state of open source vulnerabilities management;
- The latest innovations in the open source security world; and
- The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.
Recommended
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements.
However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software.
Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses:
1. The four layers of open-source security
2. How to integrate continuous security into your SDLC
3. Best practices for organizations to own and execute the security process
Taking Open Source Security to the Next Level
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
Tackling the Risks of Open Source Security: 5 Things You Need to Know
This document discusses open source security risks and provides recommendations. It contains 5 sections:
1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing.
2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation.
3. Prioritizing security vulnerabilities is key as developers spend too much time on ineffective vulnerabilities.
4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps.
5. Shifting security left by empowering developers and integrating tools earlier can turn developers into advocates and detect issues cheaper.
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries.
Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss:
The key differences between accidental vulnerabilities and malicious releases,
How to manage the risk for each type of vulnerability,
Lessons learned from the most interesting malicious packages spotted during 2019.
The State of Open Source Vulnerabilities Management
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
Tackling the Container Iceberg:How to approach security when most of your sof...
Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these?
Join Codefresh and WhiteSource, as they embark on a journey to tackle:
The container iceberg - learn what are your blind spots
The main security challenges when using open source in containerized applications
The role of automation in open source security in containers
A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline
The Challenges of Scaling DevSecOps
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Open Source Security at Scale- The DevOps Challenge
It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this, comes the alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018.
The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?
Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses:
- The current state of open source vulnerabilities management;
- The latest innovations in the open source security world; and
- The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.
Empowering Financial Institutions to Use Open Source With Confidence
The days when financial institutions relied solemnly on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution).
FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly.
Join FINOS and WhiteSource as they discuss:
The challenges of open source usage
The state of open source vulnerabilities management
How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software
DevSecOps
This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.
SCS DevSecOps Seminar - State of DevSecOps
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
DevSecOps outline
DevSecOps aims to define success, assign responsibilities and milestones, discover the code pipeline by treating code as infrastructure and implementing quality control, inventory security tools by understanding what is owned and the costs, assess gaps by picking frameworks and balancing controls with complexity, and iterate quickly by continuously improving and focusing on platforms over individual tools. The presentation outlines steps for organizations to implement DevSecOps practices by defining objectives, understanding code movement, taking inventory of security tools, assessing gaps, and iterating processes.
The Future of DevSecOps
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) How security will look like in 5-10 years.
DevSecOps in 2031: How robots and humans will secure apps together Log
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
The State of DevSecOps
The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.
DevSecOps The Evolution of DevOps
*** DevSecOps: The Evolution of DevOps ***
Have you ever asked yourself the following questions:
What does DevSecOps means?
How is this different from DevOps?
What can we learn from the DevOps movement?
Presentation by James Betteley who shares his experience of shaping DevOps and what he foresees will happen with DevSecOps.
State of DevSecOps - DevSecOpsDays 2019
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
The current challenges of the security and development teams when it comes to AppSec
The contradicting views and gaps between the teams on DevSecOps maturity
How to break the silos and advance toward DevSecOps maturity
State of DevSecOps - DevOpsDays Jakarta 2019
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
Demystifying DevSecOps
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
DevSecOps: Bringing security to the DevOps pipeline
The document discusses DevSecOps, which aims to automate security practices like testing and monitoring into the development lifecycle. It advocates integrating security practices like static code analysis, dependency management, and container scanning into the build process. For testing, it recommends smoke tests and restricting access to test environments. In deployment, it suggests automating atomic container deployments to remove the need for developer access to production. For operations, it outlines security practices like isolating containers, documenting infrastructure, and preventing configuration drift between environments. The goal is to implement security controls through automation and standardization rather than manual reviews.
Secure DevOPS Implementation Guidance
The document provides an overview of secure DevOps practices including:
- Integrating security into the software development lifecycle from design through deployment.
- Using automation and continuous integration/delivery practices to continuously assess and remediate vulnerabilities.
- Implementing secure configurations for hardware and software and keeping systems updated with the latest patches.
- Performing security testing using tools that can identify vulnerabilities during the development process.
- Controlling administrative privileges and secrets management in an "infrastructure as code" environment.
New Barriers of Transformation
The document discusses the barriers to digital transformation. It begins by looking at how there was initially oblivion, then the development of language led to ambiguity and dogmatism around concepts like CI/CD. This then led to misunderstandings as different levels of an organization adopted new practices at different rates. Incentives and education were also barriers as outdated management principles clashed with new technologies. Overcoming these barriers requires valuing continuous improvement, creating a shared understanding of processes, and believing in the power of new technologies.
Zero to Ninety in Securing DevOps
Delivered at DevSecOps Days 2018, RSA Conference
j. Wolfgang Goerlich
About J. Wolfgang Goerlich
About J Wolfgang Goerlich
CBI (Creative Breakthroughs, Inc.)
Cyber Security Strategist
J Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to the junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high speed high secure networks, and IT security officer and manager for a financial services firm. He is an active part of the security community; co-founding the Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.
RSAC DevSecOpsDays 2018 - We are all Equifax
This document discusses software supply chain security and vulnerabilities. It references the Equifax data breach in 2017 that was caused by a vulnerability in the Apache Struts software. The document notes that 80-90% of modern applications and operations consist of assembled components, but not all parts are created equal from a security standpoint. It provides statistics showing that 11.1% of Java components downloaded annually have known vulnerabilities and that 80% of organizations analyzed show poor cyber hygiene. The key takeaway is that businesses are ultimately responsible for the security of their data and systems, so emphasizing security for the entire software supply chain is important.
DevOps or DevSecOps
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.
Dev secops indonesia-devsecops as a service-Amien Harisen
DevSecOps is gaining popularity to recent years, thanks to the rapid expansion and adoptions of DevOps. The traditional penetration testing is considered a blocker in a rapid CI/CD deployment. So integrating security in a seamless manner is considered an important upgrade to the DevOps environment.
However, the traditional DevSecOps require huge amount of time, money and effort to implement. Traditional and DevSecOps principle is a culture that depends on teamwork between, the Dev ,Sec, and Ops team, which in real life situation its pretty difficult to realize.
This talk is about how to minimize the whole effort to implement DevSecOps in the current DevOps environment.
State of DevSecOps - GTACS 2019
The document discusses the importance of DevSecOps. It notes that existing security solutions are no longer adequate as software can now be distributed globally and created more cheaply in the cloud. DevSecOps aims to integrate security into development and operations by making security teams empower developers and help them succeed. It outlines how security tools and responsibilities have evolved from separate security testing to being integrated into product teams. The document argues DevSecOps is important because fixing defects early is cheaper than during production, and most modern applications use open source components which could contain vulnerabilities. It concludes security teams should empower product teams and help solve technology problems while product teams should be mindful of security.
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
Your organization has already embraced the DevOps methodology? That’s a great start. But what about security?
It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case.
Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss:
- Why traditional DevOps has shifted, and what this will mean
- Who should own security in the age of DevOps
- Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline
Pentest is yesterday, DevSecOps is tomorrow
Introduction to General DevSecOps, how it differentiate with DevOps and the correlation between Agile DevOps and DevSecOps
More Related Content
What's hot
Empowering Financial Institutions to Use Open Source With Confidence
The days when financial institutions relied solemnly on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution).
FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly.
Join FINOS and WhiteSource as they discuss:
The challenges of open source usage
The state of open source vulnerabilities management
How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software
DevSecOps
This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.
SCS DevSecOps Seminar - State of DevSecOps
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
DevSecOps outline
DevSecOps aims to define success, assign responsibilities and milestones, discover the code pipeline by treating code as infrastructure and implementing quality control, inventory security tools by understanding what is owned and the costs, assess gaps by picking frameworks and balancing controls with complexity, and iterate quickly by continuously improving and focusing on platforms over individual tools. The presentation outlines steps for organizations to implement DevSecOps practices by defining objectives, understanding code movement, taking inventory of security tools, assessing gaps, and iterating processes.
The Future of DevSecOps
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) How security will look like in 5-10 years.
DevSecOps in 2031: How robots and humans will secure apps together Log
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
The State of DevSecOps
The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.
DevSecOps The Evolution of DevOps
*** DevSecOps: The Evolution of DevOps ***
Have you ever asked yourself the following questions:
What does DevSecOps means?
How is this different from DevOps?
What can we learn from the DevOps movement?
Presentation by James Betteley who shares his experience of shaping DevOps and what he foresees will happen with DevSecOps.
State of DevSecOps - DevSecOpsDays 2019
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
The current challenges of the security and development teams when it comes to AppSec
The contradicting views and gaps between the teams on DevSecOps maturity
How to break the silos and advance toward DevSecOps maturity
State of DevSecOps - DevOpsDays Jakarta 2019
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
Demystifying DevSecOps
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
DevSecOps: Bringing security to the DevOps pipeline
The document discusses DevSecOps, which aims to automate security practices like testing and monitoring into the development lifecycle. It advocates integrating security practices like static code analysis, dependency management, and container scanning into the build process. For testing, it recommends smoke tests and restricting access to test environments. In deployment, it suggests automating atomic container deployments to remove the need for developer access to production. For operations, it outlines security practices like isolating containers, documenting infrastructure, and preventing configuration drift between environments. The goal is to implement security controls through automation and standardization rather than manual reviews.
Secure DevOPS Implementation Guidance
The document provides an overview of secure DevOps practices including:
- Integrating security into the software development lifecycle from design through deployment.
- Using automation and continuous integration/delivery practices to continuously assess and remediate vulnerabilities.
- Implementing secure configurations for hardware and software and keeping systems updated with the latest patches.
- Performing security testing using tools that can identify vulnerabilities during the development process.
- Controlling administrative privileges and secrets management in an "infrastructure as code" environment.
New Barriers of Transformation
The document discusses the barriers to digital transformation. It begins by looking at how there was initially oblivion, then the development of language led to ambiguity and dogmatism around concepts like CI/CD. This then led to misunderstandings as different levels of an organization adopted new practices at different rates. Incentives and education were also barriers as outdated management principles clashed with new technologies. Overcoming these barriers requires valuing continuous improvement, creating a shared understanding of processes, and believing in the power of new technologies.
Zero to Ninety in Securing DevOps
Delivered at DevSecOps Days 2018, RSA Conference
j. Wolfgang Goerlich
About J. Wolfgang Goerlich
About J Wolfgang Goerlich
CBI (Creative Breakthroughs, Inc.)
Cyber Security Strategist
J Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to the junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high speed high secure networks, and IT security officer and manager for a financial services firm. He is an active part of the security community; co-founding the Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.
RSAC DevSecOpsDays 2018 - We are all Equifax
This document discusses software supply chain security and vulnerabilities. It references the Equifax data breach in 2017 that was caused by a vulnerability in the Apache Struts software. The document notes that 80-90% of modern applications and operations consist of assembled components, but not all parts are created equal from a security standpoint. It provides statistics showing that 11.1% of Java components downloaded annually have known vulnerabilities and that 80% of organizations analyzed show poor cyber hygiene. The key takeaway is that businesses are ultimately responsible for the security of their data and systems, so emphasizing security for the entire software supply chain is important.
DevOps or DevSecOps
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.
Dev secops indonesia-devsecops as a service-Amien Harisen
DevSecOps is gaining popularity to recent years, thanks to the rapid expansion and adoptions of DevOps. The traditional penetration testing is considered a blocker in a rapid CI/CD deployment. So integrating security in a seamless manner is considered an important upgrade to the DevOps environment.
However, the traditional DevSecOps require huge amount of time, money and effort to implement. Traditional and DevSecOps principle is a culture that depends on teamwork between, the Dev ,Sec, and Ops team, which in real life situation its pretty difficult to realize.
This talk is about how to minimize the whole effort to implement DevSecOps in the current DevOps environment.
State of DevSecOps - GTACS 2019
The document discusses the importance of DevSecOps. It notes that existing security solutions are no longer adequate as software can now be distributed globally and created more cheaply in the cloud. DevSecOps aims to integrate security into development and operations by making security teams empower developers and help them succeed. It outlines how security tools and responsibilities have evolved from separate security testing to being integrated into product teams. The document argues DevSecOps is important because fixing defects early is cheaper than during production, and most modern applications use open source components which could contain vulnerabilities. It concludes security teams should empower product teams and help solve technology problems while product teams should be mindful of security.
What's hot (20)
Empowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With Confidence
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
Similar to From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
Your organization has already embraced the DevOps methodology? That’s a great start. But what about security?
It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case.
Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss:
- Why traditional DevOps has shifted, and what this will mean
- Who should own security in the age of DevOps
- Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline
Pentest is yesterday, DevSecOps is tomorrow
Introduction to General DevSecOps, how it differentiate with DevOps and the correlation between Agile DevOps and DevSecOps
Why DevSecOps Is Necessary For Your SDLC Pipeline?
DevSecOps environment allows integration of automated security checks within your SDLC pipeline to deliver early warnings and monitor escaped security vulnerabilities consistently.
Shift Left Save Resources DevSecOps and the CICD Pipeline
The power of "Shift Left, Save Resources: DevSecOps and the CI/CD Pipeline"! Discover how this approach not only enhances software development and delivery but also strengthens security measures. Let's optimize efficiency while safeguarding our digital assets. Read more: https://cloudzenix.com/cloud-solutions/cloud-computing-devsecops-solutions/
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
DevSecOps is a development methodology that combines security measures at every stage of the software development lifecycle in order to provide reliable and secure systems. DevSecOps, in general, increases the benefits of a DevOps service.
Fortify-Application_Security_Foundation_Training.pptx
This document provides an overview of application security challenges and trends. It discusses how attacks have moved to target applications directly rather than just infrastructure. It also notes that security is often an afterthought for developers focused on speed and that maturity varies. Key trends include shifting security left in the development process, addressing open source risks, and leveraging tools like machine learning. Stakeholders have different priorities around protecting the organization versus meeting deadlines. Primary use cases involve finding and fixing vulnerabilities throughout the development lifecycle. The Fortify platform aims to provide application security that scales with development needs.
Fortify-Application_Security_Foundation_Training.pptx
This document provides an overview of application security and the Fortify portfolio. It discusses growing application security challenges such as attacks targeting the application layer. It also reviews key application security trends like shift left development and cloud transformation. The document outlines primary customer use cases and priorities around securing applications. Additionally, it summarizes the Fortify product offerings and how the portfolio addresses application security needs. Examples of Fortify customer success are also provided along with insights into the competitive application security market.
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps aims to boost team productivity by increasing access between development and operations teams. The DevSecOps methodology integrates security into all phases of software delivery to instantly resolve security issues. It is sometimes known as "shift left" security, which simply refers to integrating security into the development process as early as feasible.
DevSecOps: Integrating Security Into DevOps! {Business Security}
The key benefit of DevOps is speed and continuous delivery but with secure DevOps teams often suffer from the notion that there’s a tradeoff between security and speed. However, that is not the scenario always.
Prudent use of Security automation allows the teams to maintain both security and speed. The automated security testing makes the security consistent and less vulnerable to human errors. Shifting of the security practices left towards the design phase is a major advantage. It is a big achievement to catch the security loophole at the design or the development phase of a new feature. This is what DevSecOps tooling strategies aim at.
Check out this presentation and learn more about integrating security into DevOps with DevSecOps!
DevOps and Devsecops- Everything you need to know.
DevOps is a software development approach that emphasizes collaboration and communication between developers and IT operations teams to streamline the development and deployment of software. DevSecOps extends DevOps by integrating security into every stage of the software development lifecycle, from planning to deployment, to ensure that security risks are identified and addressed early on.
DevOps and Devsecops- What are the Differences.
Pharmaceutical manufacturing software is a tool that streamlines the manufacturing process of pharmaceutical products. The difference between different pharmaceutical manufacturing software lies in their features and capabilities. Some software may focus on specific areas of manufacturing, such as quality control, while others may provide end-to-end solutions for the entire manufacturing process. Factors such as scalability, customization, and regulatory compliance are also important considerations when choosing pharmaceutical manufacturing software. Ultimately, the right software should meet the unique needs of a pharmaceutical manufacturing company and improve their operational efficiency.
Outpost24 webinar - application security in a dev ops world-08-2018
As DevOps continue to advance, and agile development continues to be widely adopted, the latest OWASP top 10 list shows little to no movement at the top in terms of the most serious vulnerabilities affecting web applications. With a plethora of tools and information to help reduce application vulnerabilities and increase the level of security awareness in development team available, why do we still see web applications as a significant attack vector?
The New Security Playbook: DevSecOps
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
DevOps and Devsecops.pdf
DevSecOps is an idea that is relatively new and is based on the principles of DevOps. While DevOps integrates operations and development in a continuous, harmonized process, DevSecOps incorporates a security component in the SDLC. Visit the post to know more.
DevOps and Devsecops What are the Differences.pdf
DevSecOps is the methodology that integrates security techniques into the DevOps process. It fosters and encourages collaboration with release engineers and security groups based on a ‘Security As Code’ concept. DevSecOps has gained recognition and importance due to the increasing security risks associated with software applications.
How to get the best out of DevSecOps - a security perspective
This document discusses best practices for DevSecOps. It recommends making security tools available to developers, securing the development environment, using red and blue teams to test security, securing the supply chain, appointing developer security champions, conducting code reviews, and using security testing tools. The document emphasizes a cultural shift toward greater collaboration between development and security teams.
DevSecOps - offpage blog final draft - 03.docx
DevSecOps is a strategy that incorporates security practices into the software development lifecycle. It aims to produce secure software quickly by integrating security teams into development and operations. Adopting DevSecOps provides benefits like enhanced security, quicker product delivery, and an adaptable security process. Transitioning to DevSecOps requires aligning security, development, and operations as a shared responsibility from the beginning of the development cycle. Automating security testing helps detect vulnerabilities early to speed development while maintaining security.
DevSecOps Implementation Journey
Yohanes Syailendra discusses DevSecOps implementation at DKATALIS, an Indonesian company. Some key points:
1. DevSecOps shifts security left to earlier stages of development to find and fix vulnerabilities sooner. This allows for faster development times and more secure applications.
2. At DKATALIS, DevSecOps includes threat modeling, static application security testing (SAST), dynamic application security testing (DAST), infrastructure as code scanning, and container security throughout the development pipeline.
3. A successful DevSecOps implementation requires changing culture, processes, and architecture to establish security as a shared responsibility across development and security teams. Automation is also important to scale practices
Security's DevOps Transformation
This document outlines an approach for integrating security into the software development lifecycle (SDLC) using DevSecOps principles. It discusses how security can shift left by being incorporated into various phases of product development and delivery, including product management, design, development, deployment, defect management, and monitoring. It provides examples of how to integrate security practices and tools at each stage. The goal is to establish security as a critical product feature rather than an afterthought, and foster collaboration between security and development teams through a DevSecOps model and maturity criteria.
10 things to get right for successful dev secops
This document discusses 10 things that are important to get right for successful DevSecOps implementation. It recommends that security testing be integrated seamlessly into the development process without disrupting developers. It also advises focusing first on identifying and fixing known critical vulnerabilities in libraries and components before custom code, and accepting that not all vulnerabilities can be eliminated. Developers should receive basic secure coding training without being expected to become security experts. The overall goal is to make security processes transparent to developers in order to balance security and speed of development.
Similar to From Zero to DevSecOps: How to Implement Security at the Speed of DevOps (20)
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
Why DevSecOps Is Necessary For Your SDLC Pipeline?
Why DevSecOps Is Necessary For Your SDLC Pipeline?
Shift Left Save Resources DevSecOps and the CICD Pipeline
Shift Left Save Resources DevSecOps and the CICD Pipeline
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
More from DevOps.com
Modernizing on IBM Z Made Easier With Open Source Software
In the past decade, IDC has seen IBM Z evolve first from a siloed platform to what they call a "connected" platform, and then to a "transformative" platform. This transition has been driven by IBM, by the IBM Z software vendors, like Rocket Software, and by businesses themselves.
IDC research shows that businesses that choose to modernize IBM Z achieve higher satisfaction than re-platformers and many are using open source software (OSS) in their modernization initiatives. Employing OSS makes it possible to crack the platform open and enable it to connect to the rest of the datacenter and the outside world. Join IDC guest speaker, Al Gillen and Peter Fandel as they take a deeper look at the value proposition associated with using commercially supported OSS in mission-critical environments, like IBM Z. In this webinar we’ll discuss:
How OSS can neutralize the disparity between seasoned IBM Z and emerging developers
The modernization initiatives that involve OSS
What to consider before bringing OSS to IBM Z
How Rocket Software is delivering commercially supported OSS to IBM Z
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
With the growing adoption of Kubernetes, organizations want to take advantage of containerized Microsoft SQL Server 2019 to optimize transactional performance and accelerate time-to-insights from their business-critical data. However, as enterprises embrace hybrid cloud strategy, they need to consider several aspects based on the performance, cost and data protection requirements for running enterprise-grade SQL Server databases.
In this webinar, we will compare and contrast various cloud-native platforms for SQL Server that would help CIOs, DevOps engineers, database administrators and applications architects to determine the most suitable platform that fits their business needs.
Join us as we explore some exciting results from a recent performance benchmark study conducted by McKnight Consulting Group, an independent consulting firm, to compare the performance of Microsoft SQL Server 2019 on the best possible configurations of the following Kubernetes platforms:
Diamanti Enterprise Kubernetes Platform
Amazon Web Services Elastic Kubernetes Service (AWS EKS)
Azure Kubernetes Service (AKS)
Topics will include:
Platform considerations and requirements for running Microsoft SQL Server 2019
Performance comparison and analysis of running SQL Server on various platform
Best practices for running containerized SQL Server databases in Kubernetes environment
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
With the growing adoption of Kubernetes, organizations want to take advantage of containerized Microsoft SQL Server 2019 to optimize transactional performance and accelerate time-to-insights from their business-critical data. However, as enterprises embrace hybrid cloud strategy, they need to consider several aspects based on the performance, cost and data protection requirements for running enterprise-grade SQL Server databases.
In this webinar, we will compare and contrast various cloud-native platforms for SQL Server that would help CIOs, DevOps engineers, database administrators and applications architects to determine the most suitable platform that fits their business needs.
Join us as we explore some exciting results from a recent performance benchmark study conducted by McKnight Consulting Group, an independent consulting firm, to compare the performance of Microsoft SQL Server 2019 on the best possible configurations of the following Kubernetes platforms:
Diamanti Enterprise Kubernetes Platform
Amazon Web Services Elastic Kubernetes Service (AWS EKS)
Azure Kubernetes Service (AKS)
Topics will include:
Platform considerations and requirements for running Microsoft SQL Server 2019
Performance comparison and analysis of running SQL Server on various platform
Best practices for running containerized SQL Server databases in Kubernetes environment
Next Generation Vulnerability Assessment Using Datadog and Snyk
Vulnerability assessment for teams can often be overwhelming. The dependency graph could be thousands of packages depending on the application. Triaging vulnerability data and prioritizing actions has historically been a very manual process, until now. With Datadog and Snyk, learn how to trace security and performance issues by leveraging continuous profiling capabilities for actionable insight that help developers remediate problems.
Join us on Thursday, January 21 for a unique opportunity to learn more about continuous profiling, vulnerability management, and the benefit to customers from using both of these products. In this webinar, you will:
Bust some myths around continuous profiling and learn how Datadog differentiates itself
See decorated traces in action for sample Java applications and understand how Snyk + Datadog reduce time to triage supply chain vulnerabilities
Learn roadmap information for upcoming public announcements from both partners
Vulnerability Discovery in the Cloud
In the era of cloud generation, the constant activity around workloads and containers create more vulnerabilities than an organization can keep up with. Using legacy security vendors doesn't set you up for success in the cloud. You’re likely spending undue hours chasing, triaging and patching a countless stream of cloud vulnerabilities with little prioritization.
Join us for this live webinar as we detail how to streamline host and container vulnerability workflows for your software teams wanting to build fast in the cloud. We'll be covering how to:
Get visibility into active packages and associated vulnerabilities
Reduce false positives by 98%
Reduce investigation time by 30%
Spot a legacy vendor looking to do some cloud washing
2021 Open Source Governance: Top Ten Trends and Predictions
If you work in software development, jumpstart your engineering team in 2021—get ahead of the engineering curve and your competitors—by attending this must-watch open source trends and predictions webinar.
Alex Rybak, Director of Product Management at Revenera, and Russ Eling, founder and CEO of OSS Engineering Consultants, share their top 10 open source usage, license compliance and security insights for the new year.
Just a few hints at what you’ll learn more about:
Where the adoption of shift-left is headed and the decisions you’ll face going forward
The impact of a lack of software developer security training relative to pandemic fallout
The broader role of the engineering team in open source management and governance
The expanding role and impact of open source marketplaces such as GitHub
Don’t miss the discussion for valuable insight and learning for software engineering teams
A New Year’s Ransomware Resolution
2020 was a brutal year for ransomware. Cybercriminals operated without any human decency, targeting the most vulnerable and at-risk parties, such as hospitals, scientists, and global manufacturers. The approach has become more sophisticated and life-threatening, shifting from individual targets to global enterprises, destroying backups, blackmailing victims with public leakage of exfiltrated data, and paralyzing critical systems and infrastructure.
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
This document discusses runtime security on Azure Kubernetes Service (AKS). It begins by introducing AKS and how it simplifies Kubernetes deployment and management. It then discusses the security concerns with containers and the need for runtime security. Runtime security involves monitoring activity within containers to detect unwanted behaviors. The document outlines how Sysdig provides runtime security for AKS through its agents that collect syscall data and Kubernetes audit logs. It analyzes this data using policies to detect anomalies and threats across containers, hosts, and Kubernetes clusters. Sysdig also integrates with other tools like Falco and Anchore to provide breadth and depth of security.
Don't Panic! Effective Incident Response
In any fast-paced engineering environment, unexpected incidents can arise and escalate without warning. Without strong leadership within teams, you get chaotic, stressful, and tiring situations that waste valuable engineering time, slow down resolution, and most importantly, impact your customers.
Operationally mature organisations use proven incident response systems led by Incident Commanders. Incident Commanders provide the leadership needed to help stabilize major incidents fast.
In this webinar, we’ll take lessons learned from formalized incident response, such as those used by first responders, and show you how to apply those same practices to your organization. By utilising these methods you’ll improve both the speed and effectiveness of your team’s response, reducing the amount of downtime experienced.
In this workshop, attendees will:
Be introduced to the Incident Command System and learn how it can be adapted to their organisation
Walk through the basics of incident response best practices
Discuss examples of formal incident response from multiple organisations
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Chaos engineering is becoming a critical part of the DevOps toolchain when adopting Site Reliability Engineering (SRE) practices. Every system is becoming a distributed system and chaos engineering proclaims many advantages for them.
It improves infrastructure automation, increases reliability and transforms incident management. However, an often-overlooked benefit of chaos engineering and SRE involves culture transformation. Culture is often touched upon when talking about chaos engineering and SRE but not as often as skills and process.
In this webinar, we will discuss how you can build out a chaos engineering practice and how you can adopt a true blameless culture and maximize the potential of your team.
You will learn how to:
Hold blameless postmortems
Share post mortems with other teams
Run regular fire drills and game days
Automate chaos experiments for continuous validation
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Enterprises are best served by leveraging an RBAC system to manage access to their SSH and Kubernetes resources. With Teleport, an open source software, employers are able to provide granular access controls to developers based on the access they need and when they need it. This makes it possible for employers to maintain secure access without getting in the way of their developers’ daily operations.
Join Steven Martin, solution engineer at Teleport, as he demonstrates how to assign access to developers and SRE’s across environments with Teleport through roles mapped from enterprises’ identity providers or SSOs.
Monitoring Serverless Applications with Datadog
Join Datadog for a webinar on monitoring serverless applications with AWS Lambda. You'll learn how to get the most of Datadog's platform, as well ask the following key takeaways:
Learn how to set up a Twitter bot that makes API calls with Node.js
Deploying Serverless Applications
What does observability look like with less infrastructure?
Deliver your App Anywhere … Publicly or Privately
Developers are increasingly adopting a microservices approach for their apps in order to gain rapid iteration capabilities required for delivering new services faster. However, delivering the App still requires multiple steps such as allocation of virtual IPs, provisioning the front load balancer, configuring firewall rules, configuring a public domain, and DDOS. At present, each of these steps requires coordination across multiple teams with multiple iterations per team. The time efficiencies gained by adopting microservices and cloud-native technologies is negated due to the time taken to deliver the App.
In this session, Pranav Dharwadkar, VP of products at Volterra, and Jakub Pavlik, director of engineering, will help you understand these challenges and introduce a distributed proxy architecture that can alleviate the challenges across different cloud environments. This webinar will include a live demo using a distributed proxy architecture to advertise an App publicly and privately.
In this webinar, you will learn:
The steps required to deliver an App using the current approaches
How a distributed proxy architecture can be used to deliver the app publicly and privately
The operational benefits of a distributed proxy architecture for delivering new services
Securing medical apps in the age of covid final
The COVID-19 pandemic has drastically altered the connected healthcare landscape, accelerating the usage of telemedicine and other remote healthcare delivery systems by as much as 11,000% for some populations. How has this unprecedented push affected healthcare and medical device application security? The security team at Intertrust recently analyzed 100 Android and iOS medical apps to find out.
In this webinar, we'll discuss:
Medical application and device threat trends
The top mHealth security vulnerabilities uncovered in our analysis
Strategies to keep your mHealth apps safe
Future advances in digital healthcare and how your security can evolve with it
How to Build a Healthy On-Call Culture
Raise your hand if you enjoy being buried in alerts or woken up at 2 a.m. — yeah … thought so. Ever-rising customer expectations around high availability and performance put massive pressure on the teams who develop and support SaaS products. And teams are literally losing sleep over it. Until outages and other incidents are a thing of the past, organizations need to invest in a way of dealing with them that won’t lead to burn-out.
In this session, you’ll learn how to combine the latest tooling with DevOps practices in the pursuit of a sustainable incident response workflow. It’s all about transparency, actionable alerts, resilience and learning from each incident.
The Evolving Role of the Developer in 2021
The role of the developer continues to change as they sit on the front line of application and even cloud infrastructure security. Today, developers are focused on innovating fast and improving security, but how do high-performing teams accomplish this? They commit code frequently, release often and update dependencies regularly (608x faster than others).
In this webinar, we'll discuss the key traits of high-performing teams and how that impacts the role of the developer.
Key Takeaways:
Choose the best third party dependencies
Determine the lowest effort upgrades between open source versions
Solve for issues in both direct and transitive dependencies with a single-click
Block and quarantine suspicious open source components
Service Mesh: Two Big Words But Do You Need It?
Today, one of the big concepts buzzing in the app development world is service mesh. A service mesh is a configurable infrastructure layer for microservices application that makes communication flexible, reliable and fast. Let’s take a step back, though, and answer this question: Do you need a service mesh?
Join this webinar to learn:
What a service mesh is; when and why you need it — or when and why you may not
App modernization journey and traffic management approaches for microservices-based apps
How to make an informed decision based on cost and complexity before adopting service mesh
Learn about NGINX Service Mesh in a live demo, and how it provides the best service mesh option for container-based L7 traffic management
Secure Data Sharing in OpenShift Environments
Red Hat OpenShift is enabling quicker adoption of DevOps practices. Containers are an essential component of DevOps and the OpenShift Kubernetes Container Platform is integral for orchestration within these environments. Data security is now challenged to keep pace with the size and scope of container usage. The migration from legacy in-house deployments to hybrid-cloud installations has created new attack surfaces as data is shared more freely in Kubernetes deployments.
Protecting data at rest and in motions is a necessity. Learn how you can keep data protected and securely share data in OpenShift environments with real-time data protection solutions.
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
Managing access permissions in the public cloud can be a very complex process. In fact, by 2023, 75% of cloud security failures will result from the inadequate management of identities, access and privileges, according to Gartner.
Join us as Guy Flechter, CISO of AppsFlyer, presents a real-world case of how his company works to enforce least-privilege and to govern identities in their cloud. This webinar will also provide an overview of how to govern access and achieve least privilege by analyzing the access permissions and activity in your public cloud environment. With thousands of human and machine identities, roles, policies and entitlements, this webinar will give you the tools to examine the access open to people and services in your public cloud, and determine whether that access is necessary.
In this workshop, you will learn about:
The risks of IAM misconfiguration and excessive entitlements in cloud environments
The challenges in identifying and mitigating Identity and access risks for both human and machine identities
How to automate cloud identity governance and entitlement management with Ermetic
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Open-source machine learning can be transformative, but without the proper tools in place, enterprises struggle to balance the IT security and governance requirements with the need to deliver these powerpoint tools into the hands of their developers and modelers.
How can organizations get the latest technology from the open-source brain trust, while ensuring enterprise-grade management and security? In this webinar, we will discuss how Anaconda Team Edition, available on RedHat Marketplace, enables IT departments to mirror a curated set of packages into their organization in a safe and governed way.
Join Michael Grant, VP of services at Anaconda, to discuss:
How IT organizations are using Anaconda Team Edition to curate, govern and secure Python and R packages
Tips for how development and data science teams can get the most out of Team Edition, from uploading your own packages to building custom channels for groups or projects
How to distribute conda environments to desktops, servers and clusters:
GUI-based installers for desktop users
“Conda packs” for automated delivery to remote servers and distributed computing clusters
Conda-enabled Docker containers for application deployment
More from DevOps.com (20)
Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Recently uploaded
“I’m still / I’m still / Chaining from the Block”
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Presentation of the OECD Artificial Intelligence Review of Germany
Consult the full report at https://www.oecd.org/digital/oecd-artificial-intelligence-review-of-germany-609808d6-en.htm
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
TrustArc Webinar - 2024 Global Privacy Survey
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
20240607 QFM018 Elixir Reading List May 2024
Everything I found interesting about the Elixir programming ecosystem in May 2024
Best 20 SEO Techniques To Improve Website Visibility In SERP
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Programming Foundation Models with DSPy - Meetup Slides
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Artificial Intelligence for XMLDevelopment
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
UiPath Test Automation using UiPath Test Suite series, part 6
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Removing Uninteresting Bytes in Software Fuzzing
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...Edge AI and Vision Alliance
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.National Security Agency - NSA mobile device best practices
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Climate Impact of Software Testing at Nordic Testing Days
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Recently uploaded (20)
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
- 1. 1 Presented by: Anders Wallgren ,VP of Technology Strategy at CloudBees Jeffrey Martin, Senior Director of Product at WhiteSource
- 2. 2 1 The Shift from DevOps to DevSecOps
- 3. 3 Why Traditional DevOps is Changing
- 4. The Common Way of Handling Security Issues Security teams analyze and prioritize vulnerabilities Sending emails or opening issues/tickets Closing the loop on resolution is hard
- 5. 5 The cost of fixing security and quality issues is rising significantly, as the development cycle advances. Coding $80/Defect Build $240/Defect QA & Security $960/Defect Production $7,600/Defect Late Detection Can Turn Out Costly
- 6. § Cost Reduction § Speed of delivery § ‘Secure by design’ § Open discussion 6 The Business Benefits of DevSecOps Quality Time Cost
- 7. 7 The Operational Benefits of DevSecOps § Versions are up-to-date § Nearly “zero” re-work § Early identification of vulnerabilities in code § Enables a culture of constant iterative improvements
- 8. 8 2 Responsibility over AppSec is shifting to development teams
- 9. 9 Who is Owning Application Security in the Organization? of the respondents stating the ownership lies in the software development side 72% 22%
- 10. 10 Organizations of all sizes are shifting their operational security to software development teams Who owns security in your organization, by company size?
- 11. 11 The impact of developers taking over security is that they are integrating security tools earlier in the SDLC of developers are taking action towards application testing on build stage or before. 66% In what stage of the SDLC do you spend most of your time implementing security measures?
- 12. 12 In what stage of the SDLC do you spend most of your time implementing security measures, by open source usage? The higher usage for open source, the more likely that developers would implement application security tools
- 13. 13 3 Tools and Strategies Needed to Implement DevSecOps
- 14. 14 The new generation of security tools: Developers security tools
- 15. 15 Developers need robust tools, that fit into their workflows
- 16. 16 EFFECTIVE VULNERABILITY If the proprietary code is making calls to the vulnerable functionality INEFFECTIVE VULNERABILITY If the proprietary code is NOT making calls to the vulnerable functionality EFFECTIVE VS INEFFECTIVE VULNERABILITIES IN A COMPONENT Prioritization is key to vulnerability detection and remediation
- 17. After testing 2,000 Java applications, WhiteSource found that 72% of all detected vulnerabilities were deemed ineffective.
- 18. § Integrate the security aspects and practices with the DevOps processes § Use agile methodologies to deliver small, secure pieces of code in frequent releases § Automate the security processes whenever possible § The best response to the bottleneck effect of older security models on the modern continuous delivery pipeline 18 DevSecOps: Integrating DevOps & Security Culture
- 19. Shifting the Mindset: Shift Left and Close the Loop § Build guardrails, don't be gatekeepers § Avoid Bottlenecks in the process: If the process slows you down, it needs to be changed § Make security everyone’s responsibility § Facilitate regular discussions about application security throughout the development process
- 20. 20 Q&A
- 21. Thank You! 21