The document summarizes a presentation on best practices for managing risk from open source libraries and components. The presentation was given by Jim Routh and Joshua Corman and covered the following topics: an introduction to the FS-ISAC Third Party Software Security Working Group; the group's recommended control types including policy management and enforcement for open source components; how software development has changed with most code now being assembled rather than written; and how component lifecycle management can help address issues by enforcing policies in the development process.
ClearArmor CSRP - 01.01
SOFTWARE BASED VULNERABILITIES
CyberSecurity is a Business Issue, not a Technology Issue
CyberSecurity is not just about reacting. It includes Risk Management, Audit, Compliance, and training. It also requires continuous attention to Cyber Hygiene. CyberSecurity requires continuous measurement, monitoring, and remediation. Is your organization reactive or proactive? Move to proactive CyberSecurity.
To comply with the intent of the NIST CyberSecurity Framework (CSF), Cyber Hygiene is a requirement. To Comply with NIST 800-53, 800-171, DFARS, NY State DFS Part 500, and a plethora of other frameworks and compliance guidelines requires continuous risk reduction through vulnerability remediation. ClearArmor CyberSecurity Resource Planning (CSRP) enables your organization to meet those requirements.
A Comparative Study between Vulnerability Assessment and Penetration Testing - Yogesh, IJTSRD
The Internet has drastically changed in the past decade. Now the internet carries more business than before, and therefore there is an increase in Advanced Persistent Threat groups and adversaries. After all the advancement in technology and innovation, web application security is still a challenge for most organizations all over the world, because APT groups and threat actors use different Tactics, Techniques and Procedures (TTPs) every time they exploit an organization. There can be many techniques to mitigate such attacks, such as defensive coding, hardening the system firewall, implementing IDS and IPS, use of SIEM tools, etc. The solution involves monitoring different logs and events and regular assessment of the organization's network, which is known as Vulnerability Assessment, a generalized or sequenced review of a security system; the other one is penetration testing, also popularly known as ethical hacking or red teaming assessment, where the clients pose as real hackers and try to penetrate the company's network to check whether it is really secure or not. In this paper we will be comparing these two methods and techniques and also decide at the end which of the above two methods is superior and why.
Sharique Raza | Feon Jaison, "A Comparative Study between Vulnerability Assessment and Penetration Testing", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5, Issue-3, April 2021. URL: https://www.ijtsrd.com/papers/ijtsrd41145.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/41145/a-comparative-study-between-vulnerability-assessment-and-penetration-testing/sharique-raza
Reorganizing Federal IT to Address Today's Threats - Lumension
New reports show U.S. government servers are faced with 1.8 billion cyber attacks every month. View this technical presentation on ‘Reorganizing Federal IT to Address Today’s Threats’ by Richard Stiennon, analyst with IT Harvest and author of Surviving Cyber War, and Paul Zimski, VP of Solution Strategy with Lumension, as they examine:
* Today’s threats targeting government IT systems
* How federal IT departments can be reorganized to improve security and operations
* What key endpoint security capabilities should be implemented
Get expert insight and recommendations on improving your approach to securing IT systems from today’s sophisticated threats.
SIEM for Beginners: Everything You Wanted to Know About Log Management but We... - AlienVault
Need a crash course on SIEM? No problem. Our security gurus will explain what SIEM is (and isn’t) and how to get up and running with it quickly and painlessly.
You'll learn everything you need to know about:
* Critical information stored in your logs and how to leverage it for better security
* Requirements to effectively perform log collection, log management, and log correlation
* How to integrate multiple data sources
* What features to look for in a SIEM solution
Vulnerability Management Nirvana - Seattle Agora - 18Mar16 - Kymberlee Price
Vulnerability Management Nirvana: A Study in Predicting Exploitability
When everything is a priority, nothing is. 15%, or 10,000 vulnerabilities, have a CVSS score of 10. Vendors and practitioners alike use CVSS or their own threat intelligence models to predict which vulnerabilities will be exploited next. We review current options, present a predictive data-driven prioritization model, and show how attendees can get started using our approach in their vulnerability management program.
Introduction to NIST’s Risk Management Framework (RMF) - Donald E. Hester
This introductory session will cover the basic steps of the Risk Management Framework (RMF) and the transition away from the previous Certification and Accreditation approach to information systems security and assurance. This will also cover the benefits of the RMF for organizations, local, state, and federal governments.
In this Vulnerability Assessment training, you will learn to configure tools, receive proper training, and respond to vulnerabilities that put your organization at risk. https://www.cyberradaracademy.com/course/online-vulnerability-assessment-and-management-course-cyber-security.html
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 - Tripwire
For many energy companies, readying for compliance with the latest version of the NERC Critical Infrastructure Protection (CIP) standards, whether v5, v6, v7 or beyond, is not the first priority; delivering reliable energy to the BES is. So, how does a company deal with the impending changes of CIP v5, and do so in a manner that best positions it for compliance with future versions and secures its cyber environment?
Join our live webcast on Thursday February 5 to hear from ICF, Tripwire, and AssurX industry experts who are helping organizations already grappling with the new and upcoming CIP requirements, implementing a risk based approach, the steps they are taking to get ahead of the curve, and addressing the uncertainty.
Key Takeaways - Regarding Readiness for NERC CIPv5 (and beyond):
• Best approaches for achieving compliance in a changing environment (i.e. v5, v6, v7).
• How to save time and resources, and achieve automation, with practical guidance on compliance efforts for current and future CIP requirements.
• Practical highlights and key controls from those already working on the most pressing issues.
"Backoff" Malware: How to Know If You're Infected - Tripwire
The US-CERT organization recently updated its Alert TA14-212A, which warns that Point-of-Sale (POS) memory-scraping malware has been found in 3 separate forensic investigations. The Secret Service estimates that over 1,000 businesses of all types that accept credit card transactions may be affected. Most may not know it yet.
Join us to learn key “Indicators of Compromise” (IOCs) for Backoff, and what you can do about it.
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits - AlienVault
As you've likely heard, Meltdown and Spectre are vulnerabilities that exist in Intel CPUs built since 1995. Hackers can exploit Meltdown and Spectre to get hold of information stored in the memory of other running programs. This might include passwords stored in a password manager or browser, photos, emails, instant messages and even business-critical documents.
Join us for a technical webcast to learn more about these threats, and how the security controls in AlienVault Unified Security Management (USM) can help you mitigate these threats.
You'll learn:
What the AlienVault Labs security research team has learned about these threats
How to scan your environment (cloud and on-premises) for the vulnerability with AlienVault USM Anywhere
How built-in intrusion detection capabilities of USM Anywhere can detect exploits of these vulnerabilities
How the incident response capabilities in USM Anywhere can help you mitigate attacks
Watch the On-Demand Webcast here: https://www.alienvault.com/resource-center/webcasts/meltdown-and-spectre-how-to-detect-the-vulnerabilities-and-exploits?utm_medium=Social&utm_source=SlideShare&utm_content=meltdown-spectre-webcast
Hosted By
Sacha Dawes
Principal Product Marketing Manager
Sacha joined AlienVault in Feb 2017, where he is responsible for the technical marketing of the AlienVault Unified Security Management (USM) family of solutions. He brings multiple years of experience from product management, product marketing and business management roles at Microsoft, NetIQ, Gemalto and Schlumberger where he has delivered both SaaS-delivered and boxed-product solutions that address the IT security, identity and management space. Originally from the UK, Sacha is based in Austin, TX.
Creating Correlation Rules in AlienVault - AlienVault
Make a correlation between events, rules and security enforcement. Learn why correlation rules are the heart of SIEM, how to effectively correlate threats with protections, and how to link your rules to policies.
Learn the 6 practical steps every IT admin should take to ensure SIEM success in your environment. The promise of SIEM is clearly an essential one: better security visibility. Aggregate, correlate, and analyze all of the security-relevant information in your environment so that you can:
• Identify exposures
• Investigate incidents
• Manage compliance
• Measure your information security program
Unfortunately, going from installation to insight with a SIEM is a challenge. Join us for this 45-minute session to learn tricks for getting the most out of your SIEM solution in the shortest amount of time.
This is a methodology presentation to examine organizational and technology issues to compile an understandable view of the information security needs of the organization.
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever - AlienVault
AlienVault Unified Security Management™ (USM) integrates SIEM/event correlation with built-in tools for intrusion detection, asset discovery, vulnerability assessment and behavioral monitoring to give you a unified, real-time view of threats in your environment. NEW v5.0 (available 4/20) makes it faster and easier than ever to get the insights you need, starting on Day 1.
Join us for a live demo to see how new USM v5.0 makes it easier than ever to accomplish these key tasks:
Discover all IP-enabled assets on your network
Identify vulnerabilities like unpatched software or insecure configurations
Detect network scans and malware like botnets, trojans & rootkits
Speed incident response with built-in remediation guidance for every alert
Generate accurate compliance reports for PCI DSS, HIPAA and more
7 Reasons Your Applications are Attractive to Adversaries - Derek E. Weeks
Presentation from 18 November 2014.
Software applications need to be delivered faster and across more platforms than ever. To build high quality software in short order, we’ve seen a dramatic shift from source code to component-based development, with open source and third party components providing the innovation and efficiency that developers need.
Unfortunately, our dependence on components is growing faster than our ability to secure them. These shared components are not top-of-mind when considering application risk. Worse yet, components are increasingly the preferred attack surface in today’s applications.
The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches and identify practical next steps for closing this security gap.
So what’s the “neglected 90%,” why is it attractive to your adversaries and what can you do about it? Plenty. Here are 7 key points, for starters.
http://bit.ly/AHC_USAF
US AI Safety Institute and Trustworthy AI Details - Bob Marcus
This is a discussion of the possible role of the US AI Safety Institute in regulating Generative AI. It includes External Red Team Testing and an Incident Tracking Database.
Supply Chain Solutions for Modern Software Development - Sonatype
The concepts of supply chain management, the industrial revolution and the transformation of software development with open source are all tied together in this talk by Brian Fox, VP of Product Management, during the January 2015 Long Island OWASP user group meetup.
Selecting an App Security Testing Partner: An eGuide - HCLSoftware
In the age of digital transformation, global businesses leverage web application scanning tools to shape innovative employee cultures, business processes, and customer experiences. The surge in remote work, cloud computing, and online services unveils unprecedented vulnerabilities and threats.
Learn more: https://hclsw.co/ftpwvz
Procuring an Application Security Testing Partner - HCLSoftware
Procuring an Application Security Testing Partner is crucial for safeguarding digital assets. An Application Security Testing Partner specializes in conducting comprehensive assessments such as vulnerability scanning, penetration testing, code review, and threat modeling. Their expertise ensures your applications are fortified against cyber threats, providing peace of mind in an increasingly interconnected digital landscape.
Learn More: https://hclsw.co/ftpwvz
Using Third Party Components for Building an Application Might be More Danger... - Achim D. Brucker
Today, nearly all developers rely on third party components for building an application. Thus, for most software vendors, third party components in general, and Free/Libre and Open Source Software (FLOSS) in particular, are an integral part of their software supply chain.
As the security of a software offering, independently of the delivery model, depends on all components, a secure software supply chain is of utmost importance. While this is true for both proprietary and FLOSS components that are consumed, FLOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FLOSS licenses usually contain a very strong “no warranty” clause and no service-level agreement. On the other hand, FLOSS licenses allow modifying the source code and, thus, fixing issues without depending on an (external) software vendor.
This talk is based on our work on securely integrating third-party components in general, and FLOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on premise products, custom hosting, or software-as-a-service).
Agile development methods are commonly used to iteratively develop information systems, and they can easily handle ever-changing business requirements. Scrum is one of the most popular agile software development frameworks. Its popularity is caused by the simplified process framework and its focus on teamwork. The objective of Scrum is to deliver working software and demonstrate it to the customer faster and more frequently during the software development project. However, the security requirements for the information systems being developed often have a low priority. This requirements prioritization issue results in situations where the solution meets all the business requirements but is vulnerable to potential security threats.
The major benefit of the Scrum framework is the iterative development approach and the opportunity to automate penetration tests. Therefore security vulnerabilities can be discovered and solved more often, which will positively contribute to the overall protection of the information system against potential hackers.
In this research paper the authors propose how the agile software development framework Scrum can be enriched by considering penetration tests and related security requirements during the software development lifecycle. In this paper the authors apply the knowledge and expertise from their previous work focused on the development of the new information system penetration tests methodology PETA, with a focus on using COBIT 4.1 as the framework for management of these tests, and on previous work focused on tailoring the project management framework PRINCE2 with Scrum.
The outcomes of this paper can be used primarily by security managers, users, developers and auditors. Security managers may benefit from the iterative software development approach and penetration test automation. Developers and users will better understand the importance of penetration tests and will learn how to effectively embed the tests into the agile development lifecycle. Last but not least, auditors may use the outcomes of this paper as recommendations for companies struggling with penetration testing embedded in the agile software development process.
How to Build and Validate Ransomware Attack Detections (Secure360) - Scott Sutherland
Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
Similar to Best Practices for Managing Risk from Open Source Libraries and Components (20)
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
30+ Nexus Integrations to Accelerate DevOps - Sonatype
No single tool can deliver on the promise of DevOps. Instead it’s a collection of tools, easily integrated, tightly managed, and effectively automated. Learn how Nexus integrates with more of the DevOps tools you use every day.
Starting and Scaling DevOps In the Enterprise - Sonatype
Gary Gruver, Gruver Consulting
In my role, I get to meet lots of different companies, and I realized quickly that DevOps means different things to different people. They all want to do “DevOps” because of all the benefits they are hearing about, but they are not sure exactly what DevOps is, where to start, or how to drive improvements over time. They are hearing a lot of different great ideas about DevOps, but they struggle to get everyone to agree on a common definition and what changes they should make. It is like five blind men describing an elephant. In large organizations, this lack of alignment on DevOps improvements impedes progress and leads to a lack of focus.
This session is intended to help structure and align those improvements by providing a framework that large organizations and their executives can use to understand the DevOps principles in the context of their current development processes and to gain alignment across the organization for successful implem
DevOps Friendly Doc Publishing for APIs & Microservices - Sonatype
Mandy Whaley, CISCO
Microservices create an explosion of internal and external APIs. These APIs need great docs. Many organizations end up with a jungle of wiki pages, swagger docs and API consoles, and maybe just a few secret documents trapped in a chat room somewhere… Keeping docs updated and in sync with code can be a challenge.
We’ve been working on a project at Cisco DevNet to help solve this problem for engineering teams across Cisco. The goal is to create a forward looking developer and API doc publishing pipeline that:
Has a developer friendly editing flow
Accepts many API spec formats (Swagger, RAML, etc)
Supports long form documentation in markdown
Is CI/CD pipeline friendly so that code and docs stay in sync
Flexible enough to be used by a wide scope of teams and technologies
We have many interesting lessons learned about tooling and how to solve documentation challenges for internal and external facing APIs. We have found that solving this doc publishing flow is a key component of a building modern infrastructure. This is most definitely a culture + tech + ops + dev story, we look forward to sharing with the DevOps Days community.
The Unrealized Role of Monitoring & Alerting w/ Jason HandSonatype
In today’s world, a company must be a “Learning Organization” in order to be successful and innovative. Learning from both failure and success, in order to implement small incremental improvements is critical. But until you implement and apply new information, you haven’t truly “learned” anything and you certainly haven’t improved.
According to the 2015 Monitoring Survey, most companies leverage metrics from monitoring and logging purely for performance analytics and trending. If high availability and reliability are important, they also leverage metrics to alert on fault and anomaly detection. Despite these “best practices”, the metrics are primarily only used as context to keep things “running” or return them back to “normal” if there’s a problem. Rarely is that data used as a method to identify areas of improvement once services have been restored. When an outage occurs to your system, you will absolutely repair and restore services as best you know how, but are you paying attention to the data from the recovery efforts? What were operators seeing during diagnosis and remediation? What were their actions? What was going on with everyone, including conversations? A step-by-step replay of exactly what took place during that outage.
This “old-view” perspective on the purpose of monitoring, logging, and alerting leaves the full value of metrics unrealized. It fails to address what’s important to the overall business objective and it lacks any hope of seeking out innovation or disruption of the status quo.
This talk will illustrate how to identify if your company is making the best use of metrics and ways to not only learn from failure, but to become a “Learning Company”.
DevOps and All the Continuouses w/ Helen BealSonatype
DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg.
DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain.
When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you have Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?
A Small Association's Journey to DevOps w/ Edward RuizSonatype
Small and medium-size businesses are under the same pressure to innovate-at-speed as large corporations. They face these challenges with shoestring IT budgets and limited staff who are stretched thin and forced to wear multiple hats. These limits are particularly acute in the world of nonprofit associations. But with the right vision and culture, even small teams can successfully implement a DevOps philosophy and bust the barriers to high-speed IT innovation.
In this presentation, I will recount our small membership association’s transformative journey to DevOps and share the lessons we learned along the way. I will offer first-hand experiences and practical ideas on how to cultivate a collaborative team culture to realize faster deployment cycles while improving build quality and delighting customers with great software.
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
Operational data mining gives us a rich source of data for the third devops way - continual learning by experimentation. It also shows us just how damaging those 90 day password resets can be. This talk will look at what can go wrong, and the renewed fight to fix the problem at the root.
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsSonatype
Lee Calcote, Solar Winds
Running a few containers? No problem. Running hundreds or thousands? Enter the container orchestrator. Let’s take a look at the characteristics of the four most popular container orchestrators and what makes them alike, yet unique.
Swarm
Nomad
Kubernetes
Mesos+Marathon
We’ll take a structured looked at these container orchestrators, contrasting them across these categories:
Genesis & Purpose
Support & Momentum
Host & Service Discovery
Scheduling
Modularity & Extensibility
Updates & Maintenance
Health Monitoring
Networking & Load-Balancing
High Availability & Scale
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
Justin Collins, Brakeman Security
It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews.
This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.
Automated Infrastructure Security: Monitoring using FOSSSonatype
Madhu Akula, Automation Ninja
We can see attacks happening in real time using a dashboard. By collecting logs from various sources we will monitor & analyse. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will use AWS for managing and securing the infrastructure discussed in our talk.
For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and in real time making the right choices can prove to be a nightmare. Even with the solutions already available in the market.
As I have experienced this myself, as part of the Internal DevOps and Incident Response Teams, in several cases, I would want to create a space for interested folks to design, build, customise and deploy their very own FOSS based centralised visual attack monitoring dashboard. This setup would be able to perform real time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talks and demo is relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes short for letting attendees do hands-on, the following will be required
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
Erlend Oftedal, Blank
Immutable infrastructure and serverless architectures have very interesting security properties. This talk will give an introduction to immutable infrastructure and serverless architecture and try to highlight some of the properties of such architectures. Next we will look at the positive effects this can have on the security of our systems, but also highlight some of the negative aspects and potential problems.
At the conclusion of this sessions, we hope to have shed some light on the positive and negative security effects of such architectures.
Getting out of the Job Jungle with JenkinsSonatype
Damien Corabouef, Multipharma, Clear2Pay
Implementing a CI/CD solution based on Jenkins has become very easy. Dealing with multiple feature, staging and release branches? Not so much. Having to handle that for multiple teams and multiple projects becomes a real challenge. This presentation shows a solution to scale to several thousands of jobs, used by dozens of different development and test teams, 24 hours a day, 7 days a week, on a worldwide schedule.
I will talk about the challenges that we’ve met, and how we’ve put in place a scalable and on-demand solution, secure and simple to use.
This is a real-life, real-scale story of making CI/CD a day-to-day reality by allowing development and test teams to consider automation as a simple and customisable service.
Nathen Harvey, Chef
Automation at scale is the foundation of every successful high velocity organization.
Automation requires dynamic infrastructure that is managed as code. Modern infrastructure code means bringing the lessons from software development to your infrastructure. Automation is managed in version control systems, tests drive code development, code moves through a continuous pipeline from the workstation to the production environment. What will this look like in five years? We will see a continued improvement in the way teams work together toward common goals, build more operable applications, and embrace complexity while improving ease-of-use.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Best Practices for Managing Risk from Open Source Libraries and Components
1. BEST PRACTICES FOR MANAGING RISK From Open Source Libraries and Components
February 5th at 1pm ET
Jim Routh & Joshua Corman
2. 2 1/28/2016
FEATURED SPEAKERS
JIM ROUTH, CISO
• Certified with CSSLP & CISM
• Chairman of FS-ISAC Committee
• 20+ Years in Application Security
JOSHUA CORMAN, CTO
• Co-founder of Rugged Software
• Previously w/ Akamai & 451 Group
• Trusted Security Professional
• @joshcorman
3. TODAY’S AGENDA
• What is the Third Party Security Working Group?
• What are the recommended control types?
• Why policy management & enforcement?
• What changed?
• Dependence (disproportional)
• Component Lifecycle Management in action
4. FS-ISAC Third Party Software Security Working Group
Third Party Software Security Steering Committee Members
1. Jerry Brady, Morgan Stanley
2. Mark Connelly, Thomson Reuters
3. Mahi Dontamasetti, DTCC
4. Paul Fulton, Citi
5. Keith Gordon, Capital One
6. Royal Hansen, Goldman Sachs
7. Chauncey Holden, RBS Citizens Bank
8. Rich Jones, JP Morgan Chase
9. Ben Miron, GE
10. Jim Routh, Aetna
Working Group Members
1. David Smith, Fidelity
2. Don Elkins, Morgan Stanley
3. Matt Levine, Goldman Sachs
4. David Hubley, Capital One
5. Tim Mathias, Thomson Reuters
6. Rishikesh Pande, Citi
The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs. These recommendations on control types are captured in the FS-ISAC Working Group whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.”
5. FS-ISAC Third Party Software Security Working Group
Recommended Control Types
1. vBSIMM Process Maturity
2. Binary Static Analysis
3. Policy management and enforcement for consumption of open source libraries and components
7. FS-ISAC Third Party Software Security Working Group
Control 3 - Policy management and enforcement for consumption of open source libraries and components
This control type identifies consumable open source libraries for a given Financial Institution, identifies the security vulnerabilities by open source component and enables the Financial Institution to apply controls or governance over the acquisition and use of open source libraries.
8. FS-ISAC Third Party Software Security Working Group
Component Usage Has Exploded
Control 3 Open Source Policy Management
9. FS-ISAC Third Party Software Security Working Group
Policy Management Capability
10. FS-ISAC Third Party Software Security Working Group
FS-ISAC Third Party Software Security Working Group Whitepaper
www.fs-isac.com
25. A Massive Supply Chain Problem
• No Visibility: No visibility to what components are used, where they are used and where there is risk.
• No Control: No way to govern/enforce component usage. Policies are not integrated with development.
• No Fix: No efficient way to fix existing flaws.
27. FROM THE FS-ISAC WHITE PAPER
• Enabling application architects to control versions of software.
• Accelerating the development process by encouraging the consumption of open source libraries that are resilient.
• Reducing operating costs, since the cost of ripping out obsolete components from existing applications is high, assuming the older versions can be identified in the first place.
30. Notional Exposure to Active Risk
• Snapshot Report: What have I downloaded?
• Repository Health Check: What’s in my repo?
• Application Health Check: Are my apps vulnerable?
32. How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE: License, Security and Architecture data for each component, evaluated against your policy.
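As an added example (not code from the deck, the FS-ISAC white paper or Sonatype), the policy check that slides 7 and 32 describe, reduced to a small Python gate: each component's coordinates are looked up in a vulnerability feed and a license table, evaluated against a policy with fail and warn thresholds, and a blocking security finding also carries the lowest newer version that clears the policy (the "shift upstream" remediation). All component names, advisory ids, scores and licenses below are constructed placeholders; an unknown license fails closed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Coord = Tuple[str, str, str]  # (group, artifact, version), Maven-style coordinates

# Constructed vulnerability feed: coordinates -> [(advisory id, CVSS score)].
# Advisory ids are placeholders, not real identifiers.
VULN_FEED: Dict[Coord, List[Tuple[str, float]]] = {
    ("org.example", "xml-parser", "1.2.0"): [("EXAMPLE-ADV-001", 9.8)],
    ("org.example", "xml-parser", "1.3.0"): [("EXAMPLE-ADV-001", 9.8), ("EXAMPLE-ADV-003", 4.3)],
    ("org.example", "xml-parser", "1.4.1"): [],
    ("com.example", "logkit", "0.9.0"): [("EXAMPLE-ADV-002", 5.3)],
    ("com.example", "logkit", "1.0.0"): [],
    ("net.example", "crypto-utils", "2.0.0"): [],
}

# Constructed license data keyed by (group, artifact).
LICENSES: Dict[Tuple[str, str], str] = {
    ("org.example", "xml-parser"): "Apache-2.0",
    ("com.example", "logkit"): "MIT",
    ("net.example", "crypto-utils"): "GPL-3.0-only",
}


@dataclass(frozen=True)
class Policy:
    fail_cvss: float = 7.0  # any advisory at or above this score blocks the build
    warn_cvss: float = 4.0  # at or above this score is reported but does not block
    allowed_licenses: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})


@dataclass(frozen=True)
class Finding:
    component: Coord
    rule: str    # "security" or "license"
    action: str  # "fail" or "warn"
    detail: str
    fix_version: Optional[str] = None  # lowest newer version that clears the policy


def _version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def _lowest_clean_upgrade(coord: Coord, policy: Policy) -> Optional[str]:
    """Lowest newer version of the same artifact with no blocking advisory in the feed."""
    group, artifact, version = coord
    candidates = [
        v for (g, a, v), advisories in VULN_FEED.items()
        if g == group and a == artifact and _version_key(v) > _version_key(version)
        and all(score < policy.fail_cvss for _, score in advisories)
    ]
    return min(candidates, key=_version_key) if candidates else None


def evaluate(components: List[Coord], policy: Policy = Policy()) -> List[Finding]:
    """Evaluate every component against the policy; returns findings in input order."""
    findings: List[Finding] = []
    for coord in components:
        for adv_id, score in VULN_FEED.get(coord, []):
            if score >= policy.fail_cvss:
                findings.append(Finding(coord, "security", "fail", f"{adv_id} CVSS {score}",
                                        _lowest_clean_upgrade(coord, policy)))
            elif score >= policy.warn_cvss:
                findings.append(Finding(coord, "security", "warn", f"{adv_id} CVSS {score}"))
        # A component with no known license is treated as not allowed (fail closed).
        license_id = LICENSES.get(coord[:2], "UNKNOWN")
        if license_id not in policy.allowed_licenses:
            findings.append(Finding(coord, "license", "fail",
                                    f"license {license_id} not on allow list"))
    return findings


def gate(findings: List[Finding]) -> str:
    """Build gate decision: any 'fail' finding blocks; warnings alone pass."""
    return "FAIL" if any(f.action == "fail" for f in findings) else "PASS"
```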
34. WE NEED BETTER LEVERAGE!
Most security programs are getting a little bit better everywhere; but not sufficiently better anywhere...
Earlier. Easier. Effective.
35. DEVELOPERS & APPLICATION SECURITY: WHO’S RESPONSIBLE?
Take the Survey: https://www.surveymonkey.com/s/Developers_and_App
63% of people concerned with open source
36. “A new approach in the market is Component Lifecycle Management (CLM) which offers the ability to enforce policies in the development process.”
LEARN MORE
To learn more about the ‘Component Lifecycle Management Approach’, read the OVUM report.
http://www.sonatype.com/resources/whitepapers
37. BEST PRACTICES FOR MANAGING RISK FROM OPEN SOURCE LIBRARIES AND COMPONENTS
Thank you for attending today’s event. Please contact us with any questions.
http://www.sonatype.com/contact/general-inquiry