Hacking Portugal and making it a global player in Software development
As technology and software become more and more important to Portuguese society, it is time to take them seriously and really become a player in that world.
Application Security can act as an enabler, due to its focus on how code/apps actually work and its strong drive on secure coding, testing, DevOps and quality.
This presentation will provide a number of paths for making Portugal a place where programming, TDD, Open Source, learning how to code, hacking and DevOps are first-class citizens.
The numbers tell the story: 84% of C-suite executives believe they must leverage artificial intelligence (AI) to achieve their growth objectives, yet 76% report they struggle with how to scale. With the stakes higher than ever, what can we learn from companies that are successfully scaling AI, achieving nearly 3X the return on investments and an average 32% premium on key financial valuation metrics?
To answer that question, Accenture conducted a landmark global study involving 1,500 C-suite executives from organizations across 16 industries. The aim: Help companies progress on their AI journey, from one-off AI experimentation to gaining a robust organization-wide capability that acts as a source of competitive agility and growth.
Read the full report:
http://www.accenture.com/AI-Built-to-Scale-Slideshare
Sales Decks for Founders - Founding Sales - December 2015 Peter Kazanjy
Presentation on "sales decks for founders" covering the best way to present your new technology product to a business-to-business buyer.
Presentation is an adaptation of a chapter from Founding Sales (book on technology sales for founders and other first-time sellers): https://twitter.com/FoundingSales
Chapter excerpt here: http://firstround.com/review/building-your-best-sales-deck-starts-here/
Understanding the Cyber Security Vendor Landscape - Sounil Yu
We are often inundated with vendors offering their products and services to solve our various information security problems. How can you make sense of the wide range of technologies and ensure that your control gaps are being covered? Where are opportunities for technology disruption? Where are you overly reliant on technology? This is a framework for understanding security technologies so that you can align vendors in the right bucket to ensure that you have the suite of technologies that you need to execute your information security mission.
When it comes to creating an enterprise AI strategy: if your company isn’t good at analytics, it’s not ready for AI. Succeeding in AI requires being good at data engineering AND analytics. Unfortunately, management teams often assume they can leapfrog best practices for basic data analytics by directly adopting advanced technologies such as ML/AI – setting themselves up for failure from the get-go. This presentation explains how to get basic data engineering and the right technology in place to create and maintain data pipelines so that you can solve problems with AI successfully.
Jerry Chen, partner at Greylock and former VP of Cloud and Application Services at VMware, shares his Unit of Value framework for startups building a go-to-market strategy. He developed this strategy while managing product and marketing teams at VMware that shipped many “1.0” releases, including VMware VDI, Cloud Foundry, and vFabric, and continues to use the framework to evaluate companies as an investor.
Accenture's Technology Vision 2021 details emerging technology trends that will help companies get back on track & build their future post COVID-19. Read more.
Developing the pricing model for your B2B SaaS app is one of the biggest marketing challenges your company will face.
This guide to developing your SaaS pricing model was created by noted SaaS Marketing expert and Growth Hacker Lincoln Murphy of Sixteen Ventures.
This guide takes you through the questions you need to ask about not just your market and customers, but about your company and goals, to help you figure out your SaaS pricing model.
Whether you have a self-service sales model or one that requires outside sales reps to drive business, the tips and techniques contained in this guide and the source blog post will help you create a profitable and successful SaaS pricing model.
If we thought the pandemic years were an era of dramatic cultural and digital transformation, think again. 2023 is the year of the “multiverse,” where technological and macro changes continue accelerating at stunning rates leaving SaaS builders, founders, and investors breathless.
On one side of the cloud economy, founders and CEOs are weathering some of the most challenging storms since 2000 and the ‘08 Recession. Rising interest rates have evaporated the cheap equity of recent years forcing startups to reduce burn and drive towards efficient growth. The Silicon Valley Bank crisis drove even more uncertainty into an already fragile environment. But amidst the anxiety and turmoil, the tech ecosystem has witnessed something potentially as world-changing as electricity: a string of AI advancements that may prove to define technology and society for generations to come.
The Large Language Model revolution is one of the most significant developments in computing history. We believe artificial intelligence will not only multiply software and human capabilities, but also completely transform and expand the cloud economy in the process.
In The State of the Cloud, Bessemer provides a founder’s guide on navigating the financing ecosystem for what will likely be the next 18-24 months. We also explore Bessemer’s view on the cloud economy and the AI imperatives that SaaS leaders must enact today or else be left behind.
Read the full report: https://www.bvp.com/atlas/state-of-the-cloud-2023
Pragmatic Product Strategy - Ways of thinking and doing that bring people tog... - Jonny Schneider
Presented at XConf Tech Manchester in 2014 - Video at http://thght.works/1xdSvqK
This talk explores new ways of framing the work we do in order to create effective software products. A super-pragmatic model of thinking and doing that promises to bring together technologists, designers and business folks alike, across the entire software delivery lifecycle.
In the presentation we cover how important it is to track the key metrics within a SaaS sales funnel and how to optimize them at each stage.
Many SaaS tools look at just the number of sales, but there are many stages both before and after the sale in which SaaS tools can work more efficiently and produce better results.
We also cover communication strategies and the importance of using the behaviour of your consumers to model your sales strategy.
An immersive workshop at General Assembly, SF. I typically teach this workshop at General Assembly, San Francisco. To see a list of my upcoming classes, visit https://generalassemb.ly/instructors/seth-familian/4813
I also teach this workshop as a private lunch-and-learn or half-day immersive session for corporate clients. To learn more about pricing and availability, please contact me at http://familian1.com
Thabo Ndlela - Leveraging AI for enhanced Customer Service and Experience - itnewsafrica
Thabo Ndlela, from Accenture, delivered a keynote on Leveraging AI for enhanced Customer Service and Experience at Digital Finance Africa 2023 on the 2nd of August 2023.
New Era of Software with modern Application Security v1.0 - Dinis Cruz
(as presented at Codemotion Rome 2016)
This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, clever Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but will also allow them to be developed in a much more efficient, cheaper and productive
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016) - Dinis Cruz
"Turning TDD upside down - For bugs, always start with a passing test" - The common TDD workflow is to write failing tests first. The problem with this approach is that it only works for a very specific scenario (when fixing bugs). This presentation will present a different workflow which will make the coding and testing of those tests much easier, faster, simpler, more secure and thorough.
Presented at LSCC (London Software Craftsmanship Community) http://www.meetup.com/london-software-craftsmanship on sep 2016.
As technology and software become more and more important to Portuguese society, it is time for Portugal to take them more seriously, and become a real player in that world.
The amazing presentation from Michael Howard that was hard to find at its original location
With permission from Michael https://twitter.com/michael_howard/status/724990374834360320
Surrogate dependencies (in node js) v1.0 - Dinis Cruz
Presents the idea of Surrogate dependencies, which:
- test the API and replay its responses
- use integration tests to 'lock' the API used
- save responses in JSON format
- allow the client to run offline
Slides from presentation delivered at InfoSecWeek in London (Oct 2016) about making developers more productive, embedding security practices into the SDL and ensuring that security risks are accepted and understood.
The focus is on the Dev part of SecDevOps, and on the challenges of creating Security Champions for all DevOps stages.
SharePoint Saturday Ottawa - How secure is my data in office 365? - AntonioMaio2
When considering a cloud based service like Office 365, questions about security and trust often get asked – questions like: Can I trust Office 365 with my company’s data? How secure is my data in Office 365? Organizations are often cautious when it comes to trusting cloud services with storing and providing access to corporate data. This becomes even more of a concern when we think about sensitive data, personally identifiable data or data that requires regulatory compliance controls. Being cautious and asking a cloud service provider questions about security and trust is a positive step. Answering those questions requires learning about the security strategy the provider has employed, and the specific controls they have put in place to protect your data. This session will answer those questions and provide an overview of the robust set of security capabilities available in Office 365.
APT or not - does it make a difference if you are compromised? - Thomas Malmberg
This is my presentation from the Cyber Security Summit held in Prague 2015 at the Boscolo Prague Spa Hotel. For the missing slides and further information, contact me directly.
Malware in the Wild: Evolving to Evade Detection - Lastline, Inc.
Lastline co-founder and chief architect Engin Kirda presents new insights into malware in the wild including new research coming out of Lastline Labs on high resolution dynamic analysis of Windows kernel root kits at SXSW Interactive.
A Smarter, more Secure Internet of Things from NetIQ at Gartner IAM Summit 2015 - bmcmenemy
A smarter, more secure Internet of Things?
We stand on the very brink of the most fundamental change in the way human beings use technology since the introduction of agriculture, over 6 thousand years ago. The Internet of Things will not just change our work or home, it will change every aspect of our lives, including redefining the very concepts of privacy, industry and government.
When something is so important, how can we build in the security and intelligence necessary? What are the key challenges we face? And what will an always on, hyperconnected world mean to the concept of identity itself?
In this presentation, we discuss the opportunities and challenges of the Internet of Things, as well as some of the early indicators of what the IoT world will look like. We also address thinking on security and privacy, and the critical role that the concept of identity will play in the future.
Privacy and Security for the Emerging Internet of Things - Jason Hong
Intel iSecCon2016 conference
I talk about the pyramid of IoT devices, sketch out some of the security and privacy issues, and present some of the ongoing work we are doing in this space at Carnegie Mellon University.
Cybersecurity Course in Chandigarh Join Now - asmeerana605
While cyber threats are serious, advancements in the field can make our lives significantly better and more secure. Leave the audience with a sense of cautious optimism that while the cybersecurity field is always evolving, it's driven by brilliant minds dedicated to keeping us protected.
Blockchain, IoT and AI are foundational to the Fourth Industrial Revolution -... - David Terrar
This is my keynote session at Channel Live on 12 September 2019. It covers Blockchain, explaining what it is and isn’t. I cover why it is so transformational and relevant for any Business Model. I go through real world case studies, not just proofs of concept.
I touch on which implementations and frameworks exist and should be considered. I then talk about what the future looks like.
Blockchain is significant and business systems will evolve because of it. I move on to IoT (M2M) and Industry 4.0 and why they are important. I explain the underlying factors and what the opportunity is for a reseller. I go on to demystify AI: what is it and why should you be interested now? Lastly I talk through why you should factor blockchain, IoT and AI into your plans.
Presented at the Gartner Identity & Access Management Summit, London, Travis Greene discussed the opportunities and challenges of the Internet of Things (IoT), as well as the early indicators of what the IoT world will look like. He also addressed IoT security and privacy, and the critical role that identity will play in the future.
Open Source Insight: Security Breaches and Cryptocurrency Dominating News - Black Duck by Synopsys
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
The term “Internet of Things” refers to all those objects or devices of everyday life that are connected to the Internet and that have some kind of intelligence.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb... - Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Over the last few years, there has been an increase in the number of cybersecurity headlines. Cybercriminals steal customer social security numbers, steal company secrets from the cloud, and grab personal information and passwords from social media sites. Keeping information safe has become a great concern for both big and small businesses.
We are an instructor-led online training hub. Get access to the world’s best learning experience at our online learning community, where millions of learners learn cutting-edge skills to advance their careers, improve their lives, and pursue the work they love. We provide a diverse range of courses, tutorials, resume formats, projects based on real business challenges, and job support to help individuals get started with their professional career.
(2019) Hack All the Way Through From Fridge to Mainframe (v0.2) - Rui Miguel Feio
Have you ever thought about the perils of smart home devices? In this presentation we discuss the Internet of Things (IoT) and the concept of Bring Your Own Device (BYOD), and the security challenges and risks they can pose to companies, systems, and ultimately to the mainframe.
Dinis Cruz (CV) - CISO and Transformation Agent v1.2 - Dinis Cruz
Here is my CV (this format is much easier to consume than documents)
You can reach me on LinkedIn (https://www.linkedin.com/in/diniscruz/) , twitter (https://twitter.com/diniscruz) or email (dinis.cruz@owasp.org)
Created on 30 Oct 2019
CISO Application presentation - Babylon health security - Dinis Cruz
This is the presentation that I created while applying for the CISO position at Babylon Health (note that I ended up taking up the CISO role at Revolut)
GSBot Commands (Slack Bot used to access Jira data) - Dinis Cruz
Here is an introduction to the Slack Bot we created at Photobox Group Security
This bot is based on the OWASP Security Bot project (https://github.com/owasp-sbot)
NOTE: See https://www.slideshare.net/DinisCruz/dinis-cruz-cv-ciso-and-transformation-agent-v12 for the latest version of my CV
Presentation with CV for Dinis Cruz
Created on 12 aug 2019
OSBot - Data transformation workflow (from GSheet to Jupyter) - Dinis Cruz
Example of workflows created by the OWASP SBot (Security Bot)
https://github.com/owasp-sbot
See also https://www.slideshare.net/DinisCruz/osbot-jira-data-import-from-gsheet-to-jira-via-jupyter-v09
Evolving challenges for modern enterprise architectures in the age of APIs - Dinis Cruz
As presented at https://www.prnewswire.com/news-releases/forum-systems-and-infosecurity-magazine-to-host-api-security-best-practices-briefing-and-ai-workshop-300709787.html on 20 Sep 2018
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two widely used Linux tools -- libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
2. Extended version
• Available on:
https://diniscruz.github.io/keynote-bsideslisbon/
https://github.com/DinisCruz/keynote-bsideslisbon
• Please contribute at
https://github.com/DinisCruz/keynote-bsideslisbon/issues
• All content released under
Creative Commons (CC BY 4.0)
• Even more ‘interesting’ ideas :)
3. Hacking Portugal
• Hacking Portugal and making it a global player in Software development
• As technology and software become more and more important to Portuguese society, it is time to take it seriously and really become a player in that world.
• Application Security can act as an enabler, due to its focus on how code/apps actually work, and its enormous drive on secure coding, testing, DevOps and quality.
• This presentation will provide a number of paths for making Portugal a place where programming, TDD, Open Source, learning how to code, hacking and DevOps are first-class citizens.
5. Allergic to insecure code
• Make Portugal's internet a hostile place to create, publish, and host insecure applications and IoT appliances
• Portugal has sovereignty over its network; it can pass laws to protect it
• Supported by a collaborative commons
• Strong enforcement, regulation and market pressure
6. Attack vulnerable code
• I want vulnerable apps and appliances that are plugged into the PT national network to be hacked within seconds
  • Hacked by good guys who are trying to help, by fixing or by disabling
• Mandate from government to authorise the hacking of vulnerable devices (computers, routers, IoT) in order to fix them
  • This mandate is 'given' to us by the manufacturers, once they push apps/code with vulnerabilities
• Initiative supported by insurance (for the cases when something goes wrong and a device is 'bricked')
7. Next generation of internet users
• We can't allow them to:
  • fear the internet
  • allow fear to govern their actions
  • have their first experience of the internet be a negative one, for example:
    • a hacked doll,
    • light bulb,
    • website,
    • email account,
    • car
    • or door (asking for a ransom to be paid)
9. Hacking created the Internet
• It is important to state that hackers are the good guys.
• To 'hack' is to solve problems, to find innovative solutions in a creative way.
• The press abuses the term 'hacker'.
  • Instead, they should qualify the word by saying 'Malicious Hackers', 'Cyber Attacks' or 'Cyber Criminals'.
• The internet and just about all of the technology we use today was dreamed up and created by hackers.
10. Hacker's values
• The Software, InfoSec and Hacking community has a strong ethical foundation, based on the following qualities:
  • sharing
  • respect
  • friendship
  • trust
  • non-discrimination
  • humanity and companionship
11. Inspire the next generation
• We want to inspire the next generation with these values.
• It is very important to have frames of reference for things that work.
• We need to provide an alternative narrative to the current mainstream narrative of 'lies', 'non-experts welcome' and 'infotainment'.
12. Creating your future
• The 'hackers' who will grow up creating distributed bots to attack insecure apps/code/appliances in the PT network (as part of the PT Hacking Service)
• are the same ones who will create a 'distributed peer-to-peer drone network to combat fires in Portugal'
13. Be different
• Just because 99.9% of the world doesn't do something, that doesn't mean that you shouldn't do it
• Most things you value today (and do) were once illegal and considered immoral
15. Dataleaks .pt
• Total number of emails present in data leaks: 1,556,490
• Number of companies in data leaks: 26,192
• Average number of leaks per company: 24.0
• Number of data leaks analysed: 55
• Thanks to: Tiago Henriques (@Balgan) and Ana Barbosa (@anabarbosaBE)
21. What about Web Applications and DDoS?
• Not covered by that report
• But since they are even harder to protect, they will be in an even worse state
• The latest DDoS attacks are bringing down major companies (800 Gb/s of traffic, 145k IoT devices attacking)
22. Attackers' ROI (return on investment)
• What can they do with a $100K investment?
  • buy zero-days
  • buy compromised machines inside .pt networks
  • buy botnets to be used to attack .pt companies
• How much money is it worth?
• What is the ROI for the attacker?
• Who would survive?
Cost of buying a zero-day
23. The financial markets' hack
• I would argue that Portugal has already been a victim of certain kinds of financial manipulation.
• If you look at what happened during the financial crisis, a substantial part of it was artificially created by the markets.
• The markets pushed the Portuguese economy hard and made a lot of money by betting that Portugal was not going to default, but would continue to struggle in the financial markets.
24. Thank your attackers
• "If the attacker tells you about the attack, they are your friends"
• The real attackers (namely criminals and nation states) will not tell you, since it is against their own interests.
• Once you know about it, you will find a way to protect against it and fix the vulnerability exploited.
• The positive side effects of any public attack (data dumps, site defacing, DDoS) are bigger budgets, board-level attention and demands for security, an increase in AppSec staff hires, and more collaboration between 'companies on the defence side of things'.
25. How Secure is Portugal?
• How secure and safe are Portuguese companies and infrastructures?
• Portugal today is a very digital country, and most Portuguese companies are software companies.
  • If you look at how they operate, all of them use software and are controlled by software
• The question is, how secure are they?
  • How well can they sustain an attack?
  • How well can they detect and react to a possible attack on their digital infrastructure?
  • What is the probability of an attack happening in the short term?
  • How safe are they?
26. Are we safe?
• Yes!
• Are we secure?
• No!
• The current 'secure state' of Portugal's Government, Companies and citizens (i.e. the likelihood of attack is low) depends on:
  • A low number of attackers
  • A low level of skills of existing attackers
  • Unsophisticated business models of existing attackers
• Bottom line:
  • it is not our security that keeps us from being attacked
  • it is the lack of attackers that keeps us from being attacked
27. The Emperor has no clothes
• To be clear, Portuguese government agencies and companies are NOT secure, and have many high-risk vulnerabilities and exploitable assets.
• It is very important that we accept this fact so that we can find the necessary political, economic, educational, and social solutions
• There are no silver bullets or easy solutions, and anyone who says so is a snake-oil merchant.
• The ideas in this presentation are about making Portugal a player, rather than being played, and giving Portugal a chance to defend itself, and improve Portuguese society.
• The worst aspect of our status is that we are not prepared for what is coming next, in terms of AppSec.
• Our response to terrorist incidents in the past shows how badly we respond as a society to security incidents for which we are not prepared.
28. Think I'm wrong?
• If you don't believe that Portugal is insecure, then prove me wrong in your answers to the following questions:
  • Where is the evidence of Security and AppSec practices?
  • How big is the Cyber/App Security market in Portugal?
  • How many threat models are created per week?
  • How many lines of code are reviewed for security per week (aka 'security eyeballs')? (Bear in mind that secure code reviews are very different from normal code reviews.)
• The current Portuguese security model is based on 'Security Fairies' magic pixie dust'.
• However, the good news is that we have lots of great InfoSec and AppSec talent in Portugal.
29. Don't worry, you're safe
• Although these are contradictory concepts, my thesis is that Portugal is both highly insecure and, for the moment, quite safe.
• Portugal is safe because there are not enough attackers targeting the current insecurities of the system.
• This will probably remain the case for the next couple of years.
• The problem is what happens after that, when the criminals improve their business models and start to focus on Portuguese assets.
30. Sane defence model
• "Our defence model should not be based on having no vulnerabilities, no insecure code, no malicious developers, no compromised APIs/dependencies, no zero-day issues"
• "Our defence model should be based on the attacker making mistakes, and on being ready to detect and mitigate their actions"
• Stuxnet was caught via a mistake that caused a crash in an obscure Anti-Virus product (see the 'Countdown to Zero Day' book)
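As an added example (not part of the keynote), this is what "being ready to detect the attacker's mistakes" looks like as working code: a small detector run over constructed, sshd-style authentication log lines that flags a noisy burst of failed logins from one source immediately followed by a successful login from the same source. The log format, the thresholds and the function names are assumptions made for this illustration, not anything the talk specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). The sshd-like line format is an assumption.
SAMPLE_LOG = """\
2016-11-10T09:00:01 sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
2016-11-10T09:00:02 sshd[2231]: Failed password for root from 198.51.100.7 port 40123 ssh2
2016-11-10T09:00:03 sshd[2231]: Failed password for admin from 198.51.100.7 port 40124 ssh2
2016-11-10T09:00:04 sshd[2231]: Failed password for admin from 198.51.100.7 port 40125 ssh2
2016-11-10T09:00:05 sshd[2231]: Failed password for deploy from 198.51.100.7 port 40126 ssh2
2016-11-10T09:00:07 sshd[2231]: Accepted password for deploy from 198.51.100.7 port 40127 ssh2
2016-11-10T09:05:00 sshd[2240]: Failed password for alice from 192.0.2.10 port 51000 ssh2
2016-11-10T09:05:09 sshd[2240]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAIL_THRESHOLD = 4    # failures from one source before it counts as a brute-force attempt
WINDOW_SECONDS = 60   # the failures and the success must fall inside this window


def parse(log_text):
    """Yield (timestamp, result, user, ip) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_bruteforce_then_success(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (ip, user, failures_in_window) for every successful login that was
    preceded by at least `threshold` failures from the same IP within `window` seconds.
    A single failed attempt before a success (a typo) does not trigger an alert."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins seen so far
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window]
        if len(recent) >= threshold:
            alerts.append((ip, user, len(recent)))
    return alerts


if __name__ == "__main__":
    for ip, user, count in detect_bruteforce_then_success(SAMPLE_LOG):
        print(f"ALERT: {count} failures then success as '{user}' from {ip}")
```

The point of the thresholds is the "attacker mistake" part of the thesis: a careful attacker spreads attempts over time and sources, but a careless one produces exactly this pattern, and a detector that is already in place catches it the moment it happens.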
31. Where is the AppSec industry?
• The AppSec industry in Portugal is comparatively small. There are very few Portuguese companies with public AppSec teams.
• The market for security companies is small, and while there are a couple of interesting pen testing companies, you don't see a lot of activity in that space.
• The creation of an AppSec infrastructure is a direct consequence of being attacked.
• After an attack, companies create AppSec teams and hire security experts. If anything, Portugal exports its security experts.
• I know a lot of great Portuguese AppSec and InfoSec specialists in the UK.
32. Be proactive
• The reality is the Portuguese AppSec industry isn't very mature.
• The question is, does Portugal want to be like the rest of Europe and get caught in the crossfire?
• Or does it want to be proactive, and create an industry which could become very powerful, very effective, and very profitable for Portugal,
  • and that could also help to secure Europe and help the world?
34. Hacking Service
• In the past Portugal had a compulsory military service ('Serviço Militar Obrigatório').
• We should update this service to the 21st century and make it a Hacking Service for 15 to 21 year olds, with the following mission objectives:
  • hack everything that is plugged into PT's network
  • hack companies with public bug bounties
  • code-review Open Source code developed in PT
  • code-review code marked as 'of strategic interest for Portugal' (i.e. widely used by PT companies and mission critical for them)
  • contribute to Open Source projects with patches and fixes
  • help SMEs with their digital security and DevOps
35. Military
• It is probably fair to say that Portuguese cyber and code defences are as good as Portugal's current military status
• The problem is that the cyber attackers who will hit Portugal are as sophisticated as the best physical military attackers (and armies)
  • Imagine the PT army against the UK, France or Russia (never mind the US or China)
• Note how even the best companies and security agencies in the world are not able to detect and mitigate most attacks
  • recent DDoS attacks and zero-day exploits
36. Why do we have F16s?
• The military budget is €2.1 Billion
• Why does Portugal need an offensive air force?
  • I understand the need to have a civil air force (to combat fires or for border patrol)
  • But offensive? (with F16s?)
  • What is the 'war scenario' where that makes sense?
• Btw, the way you fight an airborne battle in the 21st century is by hacking into the offensive planes/drones via their communication channels
  • see the Ghost Fleet book
• What about using 10% of the military budget to fund the ideas in this presentation?
37. Hit by the crossfire
• "Do we want to do something about it, or be hit by the crossfire?"
• Note that as attackers get more sophisticated they will gravitate to countries/companies with weaker defences (since those take longer to ramp up)
• Massive cyber/app security skills shortage today
38. Portugal Hackathon League
• Organise Hackathons in Portugal
  • Just like we do for Football
• Bring 'PT Hacking' teams to DefCon
  • sponsored by the PT Government and PT Companies
• See these teams as a source of pride
• The best way to learn is to be asked to solve a problem from all sorts of angles (and technologies)
39. Great source of talent
• Teach convicted criminals how to hack
  • good use of their 'skills'
  • give them a career
  • show them a way to make money legally
  • teach them ethics and the value of collaborating
• Most criminals are there due to bad choices or unfortunate events (and deserve a chance at a better life)
40. Even more talent
• Retired people are another great source of talent, and they have time
  • we lose a lot by not using their expertise (and by not learning from them)
• In the past, the old ones were the wise ones (remember that you too will be old soon)
• They are engineers, doctors, programmers, teachers, accountants, architects, parents, etc.
• People grow old, not because of age, but because they stop being mentally and physically active
41. Working together
• In the technology/hacking world, is it ok to have teams made of:
  • 16 year olds
  • graduates
  • retired people
  • convicted criminals
  • a dog
  • a professional
• If they are capable, can work together, respect each other and deliver on their tasks, it will work
43. Why is Portugal so good at Football?
• Everybody can play football
• Because our kids play it all the time
• They love it when they play, so they are in the 'zone'
  • the most optimal place to learn
• Supported by school activities
• Good social rewards and local community support
• Great support system (to find, select and nurture talent)
• Good financial rewards for a large number of players (not just the top)
44. Let's do the same for hacking
• Everybody can hack (from the kids, to the unemployed, to the convicted criminals, to the retired)
• Our kids should be hacking all the time
• They will love it when they hack, so they are in the 'zone'
  • the most optimal place to learn
• Support those activities at school
  • 'Capture the (school) flag' should be a source of pride
• Provide good social rewards (vs treating them as criminals)
• Create a support network to find, select and nurture talent
• There will be good financial rewards for a large number of hackers (there is a massive skills shortage in our industry)
46. Past innovations
• Portugal has a great history of inventions:
  • Carrack (Nau): the Oceanic Carrack (a new and different model, and the largest carrack)
  • Galleon (the Oceanic Galleon)
  • Square-rigged caravel (Round caravel) …
  • The Nonius
  • The Mariner's astrolabe
  • The Passarola, the first known airship
  • The Pyreliophorus
  • Tempura
47. Drugs Decriminalisation
• A great success story of what happens when bold decisions are made.
• Portugal went from a very high rate of consumption and overdose, to one of the lowest (in 14 years)
49. Best in the world
• Just as in football, where Portugal is one of the best teams in the world
  • Portugal is currently 8th in the FIFA world ranking (and we deserve to be there)
• Portugal needs to be one of the best in the world in Coding and Cyber/Application Security.
50. Portugal as a Leader in AppSec
• Portugal could be a leader in AppSec.
• Portugal has a rich history of providing leading innovators and ground-breaking researchers in navigation, in maritime research, and exploration.
• In the same way that Portugal navigated and led the seas, Portugal could now lead in coding.
• Portuguese researchers are highly innovative.
• Let's follow our great history of leading important change and discovery.
51. "Code Made in Portugal" brand
• Code written in Portugal will make a massive difference
  • Key to creating supply chains of quality and talent
• Good software development teams (from developers to management) are one of the most important assets of a company and country.
  • They are the ones who add value.
  • They create reality, and ultimately they control your lives.
• "Made in Portugal" is the key for the PT economy (and Europe's sustainability)
  • the key objective is to encourage and foster the Portuguese software industry (which will have a massive multiplier in other industries)
• The age of sustainability is upon us, let's put Portugal in the middle of it
52. Secure coding activities
• Security Champions
  • Security Champion Mug
• Secure Code Review
• Secure Coding Standards
• AppSec tools automatically executed on the CI pipeline
• Two release pipelines (with and without a security checkpoint)
• Threat Models per: App, Feature and Layer
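The "AppSec tools on the CI pipeline" and "two release pipelines" items above are where a security checkpoint actually lives, so here is an added example of one (written for this page, not code from the keynote or from any CI product). It reads a constructed scanner findings report, applies a blocking policy with time-boxed, owner-attributed waivers, and models the two pipelines: the fast path skips the checkpoint, the secure path fails the release on any unwaived finding at or above the blocking severity. The JSON schema, the waiver format and the function names are all assumptions made for the illustration.

```python
import json
from datetime import date

# Constructed findings report. The schema is an assumption, not any real tool's output.
REPORT_JSON = """
{
  "findings": [
    {"id": "F-1", "rule": "sql-injection",    "severity": "high",     "file": "app/db.py",       "line": 42},
    {"id": "F-2", "rule": "hardcoded-secret", "severity": "critical", "file": "app/config.py",   "line": 7},
    {"id": "F-3", "rule": "weak-hash-md5",    "severity": "medium",   "file": "app/legacy.py",   "line": 120},
    {"id": "F-4", "rule": "debug-enabled",    "severity": "low",      "file": "app/settings.py", "line": 3}
  ]
}
"""

# Waivers are risk acceptances: each has an owner and an expiry, and an expired waiver
# no longer counts. F-2's waiver below has lapsed on purpose.
WAIVERS = [
    {"id": "F-3", "owner": "security-champion@example.pt", "expires": "2030-01-01"},
    {"id": "F-2", "owner": "security-champion@example.pt", "expires": "2016-01-01"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _as_date(value):
    """Accept None (today), a date, or an ISO string."""
    if value is None:
        return date.today()
    return value if isinstance(value, date) else date.fromisoformat(value)


def security_checkpoint(report_json, waivers, block_at="high", today=None):
    """Return (passed, blocking_findings). A finding blocks the release when its severity
    is at or above `block_at` and it carries no unexpired waiver."""
    today = _as_date(today)
    active = {w["id"] for w in waivers if date.fromisoformat(w["expires"]) > today}
    findings = json.loads(report_json)["findings"]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[block_at] and f["id"] not in active
    ]
    return (len(blocking) == 0, blocking)


def release_decision(report_json, waivers, with_checkpoint, today=None):
    """Model the two pipelines: without the checkpoint the build deploys regardless of
    findings; with it, the build is blocked until the findings are fixed or waived."""
    if not with_checkpoint:
        return "deploy (no security checkpoint)"
    passed, blocking = security_checkpoint(report_json, waivers, today=today)
    if passed:
        return "deploy (checkpoint passed)"
    ids = ", ".join(f"{f['id']}:{f['rule']}" for f in blocking)
    return f"blocked: {ids}"


if __name__ == "__main__":
    print(release_decision(REPORT_JSON, WAIVERS, with_checkpoint=False))
    print(release_decision(REPORT_JSON, WAIVERS, with_checkpoint=True, today="2016-11-10"))
```

Two design choices worth copying: waivers expire, so accepted risk is revisited rather than forgotten, and the decision is a return value rather than a printed message, so the same function can be unit tested and called from a CI step that exits non-zero on "blocked".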
53. For the developers in the room
• If you are developing code today, and you are not thinking in terms of:
  • CI automation (multiple deploys per day)
  • everything is code (including CI scripts, firewall rules, the app's authentication models)
  • 100% code coverage with real-time code coverage visualisation
  • graphs for data representation, analysis and visualisation
  • containers (aka Docker)
  • version control for data storage (aka Git)
  • AI and machine learning
  • cloud (aka AWS, Azure, GCloud, Rackspace)
  • serverless code (aka AWS Lambda)
  • liquid code, message queues, self-defending applications, big data, etc…
• … you are already writing legacy (code), because these are the future
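"Everything is code, including firewall rules" only pays off when the rules are also tested like code. As an added example (not from the keynote), the block below keeps a constructed rule set as data, runs a policy check over it, and shows the weak rule (SSH open to the whole internet) beside the corrected one; a first-match evaluator lets the tests assert what the rule set actually permits rather than what it was meant to permit. The rule schema, the admin-port list and the function names are assumptions for this illustration.

```python
import ipaddress

# Constructed rule set in version control. The schema is an assumption, not a vendor format.
RULES_BEFORE = [
    {"name": "allow-web", "action": "allow", "src": "0.0.0.0/0",   "dst": "10.0.1.0/24", "port": 443,  "proto": "tcp"},
    {"name": "allow-ssh", "action": "allow", "src": "0.0.0.0/0",   "dst": "10.0.1.0/24", "port": 22,   "proto": "tcp"},
    {"name": "allow-db",  "action": "allow", "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "port": 5432, "proto": "tcp"},
    {"name": "default",   "action": "deny",  "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",   "port": None, "proto": "any"},
]

# Corrected set: SSH only from the (assumed) admin bastion network 10.0.0.0/29.
RULES_AFTER = [dict(r, src="10.0.0.0/29") if r["name"] == "allow-ssh" else r for r in RULES_BEFORE]

# Ports that must never be reachable from the whole internet (an assumption for the policy).
ADMIN_PORTS = {22, 3389, 5432, 3306}


def policy_violations(rules):
    """Return human-readable violations: an admin port allowed from 0.0.0.0/0, or a rule
    set whose last rule is not a default deny."""
    problems = []
    for r in rules:
        if r["action"] != "allow" or r["port"] not in ADMIN_PORTS:
            continue
        if ipaddress.ip_network(r["src"]).prefixlen == 0:   # /0 means "anyone"
            problems.append(f"{r['name']}: port {r['port']} open to 0.0.0.0/0")
    if not rules or rules[-1]["action"] != "deny":
        problems.append("last rule is not a default deny")
    return problems


def is_allowed(rules, src_ip, dst_ip, port, proto="tcp"):
    """First-match evaluation, as a real firewall does it; no match means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r["src"])
                and dst in ipaddress.ip_network(r["dst"])
                and (r["port"] is None or r["port"] == port)
                and r["proto"] in ("any", proto)):
            return r["action"] == "allow"
    return False


if __name__ == "__main__":
    print("before:", policy_violations(RULES_BEFORE))
    print("after: ", policy_violations(RULES_AFTER))
```

Run `policy_violations` in CI on every change to the rule file and the SSH exposure is caught at review time; `is_allowed` is the unit test the talk's "100% code coverage" item implies, written against infrastructure rather than application code.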
54. Real-time unit test execution and CC (code coverage)
• If you code in JavaScript and are not using WallabyJS
  • You are living in the dark ages
  • You will NOT be able to code in TDD
56. Red or blue pill?
• We need to choose whether the paradigm for cyber security is one based on
  • the military (offensive, top-down)
  • or on public health (defensive, distributed)
• There is a reason why the army is not supposed to be involved in civil activities such as crowd control or disaster support
  • the military is designed to defend us from our enemies
  • police and other civil forces should focus on protecting the individual
57. Public health problem
• Cyber Security is a public health problem
• We should be training cyber/AppSec specialists using similar techniques to the ones we use to train doctors, nurses, etc.
• We have an epidemic at hand at the moment
• We need to gain immunity
• The decisions that we make in the next couple of years will determine how well prepared we will be to deal with wider outbreaks, and how quickly we can learn
59. Defend privacy
• The right to privacy is a human right.
• All should be innocent until proven guilty.
• The US and the NSA redefined the notion of surveillance to be 'looking at data', rather than 'capturing data'.
• Large tech companies' business models are often based on their users having no, or reduced, privacy
• Governments are actively making the internet less secure in order to continue to easily access users' data
60. Crypto
• Privacy is essential for human dignity
• Cryptography is a public service and capability. It is crucial to protect user data
• Crypto also has an excellent tradition of not relying on security by obscurity, and of expecting the attacker to have all the code and the encrypted data (the only private data are the encryption keys)
• Strong Crypto should be seen as a good thing, especially if it enables the end user to control their data.
• We need a healthy level of civil disobedience in society, or new ideas will not get the space to flourish and gain wider acceptance by society.
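The "attacker has all the code and the encrypted data, only the key is private" point is Kerckhoffs's principle, and it is easiest to see with code that is entirely public. The block below is an added illustration written for this page (not from the keynote): an encrypt-then-MAC construction built from the standard library, with a keystream derived from HMAC-SHA256 in counter mode and an HMAC-SHA256 tag over nonce and ciphertext. Everything about it is visible; the tests show that with the wrong key or a flipped ciphertext bit decryption refuses to proceed. The construction itself is an assumption chosen so the example runs with no third-party library; a production system should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained crypto library instead.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # bytes of random nonce prepended to every message
TAG_LEN = 32     # HMAC-SHA256 output length


def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key (public derivation)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. A nonce may be passed for reproducible tests;
    in real use it must be fresh per message, so the default draws it at random."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag first (constant-time compare), then decrypt. Any change to the
    nonce, ciphertext or tag, or a wrong key, raises ValueError before any plaintext is produced."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_is_detected(key, blob):
    """Flip one bit of the ciphertext and report whether decryption refuses it."""
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(flipped))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    blob = encrypt(key, b"dados pessoais do utilizador")
    print(decrypt(key, blob), tamper_is_detected(key, blob))
```

Note what the attacker is assumed to hold: this source, the nonce, the ciphertext and the tag. The only thing withheld is `key`, which is exactly the slide's "the only private data are the encryption keys".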
62. The Need for Disclosure
• We need disclosure of what is going on with technology in companies.
• Companies today, even Open Source ones, don't have to offer full disclosure.
• The market doesn't work: it doesn't reward good, ethical players.
• To change this system, we need to use the power of disclosure to make Government and companies play fairly and correctly.
• The government could use its purchasing power to define the rules of engagement,
  • and if the EU doesn't like it, then Portugal should sue the EU :)
• It's time we pushed some of our rules and ideas onto the table.
63. Whistleblowers have an important role
• Whistleblowers are important because they can make the markets more efficient.
• Whistleblowers are not needed when public actions and statements match (the real) private actions.
• Of course, there will still be secrets, but in smaller numbers, and they will be very well protected (as they are today).
• "When everything is a secret, nothing is a secret".
64. Protected by law
• We need strong technological legislation that will prevent companies from playing the game of 'Security by obscurity', and will protect whistleblowers
• The rule of thumb should be that "if laws are broken or crimes are committed to disclose the materials, it is ok if the benefits from disclosure are worth it"
• It is important that companies and individuals know that they will not get away with it.
65. Limited privacy for state and companies
• We want the opposite of privacy for companies; instead we want maximum visibility and transparency from them.
• People/individuals should have maximum privacy
• Companies and public bodies should have maximum transparency and openness, which is better for all involved, and will allow for much fairer competition and better profits
• Many companies will not like any shift toward increased transparency, just as they didn't like it when annual reports were mandated in the last century.
• Technology can be used in a positive way to enable this openness.
66. Learn from the music industry
• For an example of how technology can be used in a perverse and negative way, look at what happened with the music industry,
  • where they viewed their customers (using new digital and sharing technologies) as criminals,
  • pushed draconian laws designed to protect their own interests
  • rather than innovating and learning to succeed in the new technological world
  • a decade was lost, at a massive cost to artists and the public
68. Openness is key
• For most of the ideas defended here to work, and not backfire even if they create strong command-and-control systems/environments, we need a very high degree of transparency and openness.
• This is exactly what the Open Source and Creative Commons worlds provide.
• OWASP is a good example of an organisation that has a very strong open model, from what is created, to its governance and fiscal transparency.
• Git is also a key part of this, since Git enables effective collaboration, allowing others to contribute, even if they are direct competitors in other products/services
69. FOSS values
• FOSS (Free and Open Source) programs are a good model to use, as they allow users to share and collaborate on programs.
• They empower users, and could potentially create thousands of PT-based FOSS companies.
• The positive values of Open Sourcing are as follows:
  • access to code
  • no lock-in
  • no discrimination
  • liquid collaboration
• Of course, using Open Source code doesn't mean that it will be perfect.
70. Open Source is expensive
• We need companies to sell Open Source code
• The take-up of Open Source will help us to remove the 'proprietary lock' of closed software, which creates perverse incentives and does not allow the peripheral countries (or players) to have a strong role in the quality and security of that code.
• Open Source software is not free
  • Any code has a cost and a side effect. Using Open Source code doesn't mean that you don't pay for it, it just means that you pay in other ways than a direct financial transaction.
71. Market of lemons
• The current economic model is not working for secure code and secure software development.
• In many cases, it doesn't make business sense to spend the time and effort creating secure code, because the customer cannot measure it (just like pollution in the 50s)
72. Open Source lingua franca
• Remove 'closed and proprietary' agendas: open ones allow the best teams and ideas to win, and they reward good behaviour
• Closedness and lack of sharing are more valuable to the attacker than to the defender.
• We have tons of evidence that the more we know about security issues and risk, the better we can protect and mitigate.
• This is the principal reason why it is so important that Open Source and Creative Commons are the lingua franca between all players.
  • How we communicate (together with tests and TDD)
73. OpenSource.pt
• All code written (and paid for) for Government agencies to be released under an Open Source license
• All Government-created documents to be released under Creative Commons
• Portuguese companies to publish their code under an Open Source license, and technical documentation under Creative Commons
• Pay for Open Source software (in license and per usage)
  • The financial model for this needs careful consideration.
  • The key is that the makers of Open Source code that is used should have a revenue stream equivalent to that use, so that they can spend more time with that software, and even hire more devs to work on it
74. Open the source of Portuguese code
• Government and private companies to create venture capital funds to buy existing software companies and Open Source their code
• Those companies should use part of that money to transform their business model into one based on the Open Source stack
  • they wrote it, so they have a massive competitive advantage
  • but local companies would also be able to provide those services
• The ROI of the investment on the PT economy would be much bigger than the amount invested
76. Collaborative commons
• A great vision for the future and how it could work
• A model of organisation where citizens and entities collaborate for common goals
• "…Commons is a third model that breaks with the binomial market-state notion, formed by the only two organisational models able to meet the needs of the population. Although it is not new, new technologies have greatly promoted its expansion and its scalability" (Procumuns)
• Massively empowered by the move towards a Zero Marginal Cost society
77. Government's role
• The Government has a big role to play in this transformation, not as a 'Command and Control' entity, but as a benign influence to level the playing field.
• A major problem at the moment is that many world governments view technology as a way to exert more control over their citizens.
78. Code is law
• Software is made of Code
• Code is Law and is becoming more and more important.
• Code controls Portugal, and so software controls
Portugal.
• The problem is, Portugal controls very little of the
software it uses
• It is time for Portugal to take control of the software.
• This should be a strategic objective of both Portuguese
companies and the Portuguese government.
79. Who controls the world
• The world is dominated by entities and companies who:
• control finance
• control technology
• control networks (made of technology)
• control intellectual property
• Unfortunately for Portugal, its strength does not lie in these
areas
• Portugal must challenge the rules of the game
• aligned with its strategy and sovereign interests
• Moving to Open Source values and activities, and embracing
secure coding/hacking will change how this game is played.
80. Governments can make the difference
• Governments exist to serve their citizens, and as a citizen
with ideas for my Government, I have a duty to share
them
• we (as tech community) should be requesting that the
Government adopts ideas like this, especially when the
benefits are not for a small group of companies, but for a
large section of the tech and IT user population
81. Iterate Exponentially
• All ideas presented should NOT be implemented as a Big Policy or a Big
Vision!
• Anyone who sells a big, expensive solution, that only major companies can
implement, is selling a scam.
• Small changes, and marginal gains, are the right way to implement DevOps
and government policies:
1. Start small
2. Deploy
3. Learn from deployment
4. Make changes (enhance, fix or refactor)
5. Go to step 2, and repeat
• These are the solutions for SMEs, individuals, and small teams who work on
the ground, understand reality, and are accountable to their local communities.
82. Ministry of Code
• Everything is code (including all DevOps scripts and even things like
Firewall rules)
• Managed at high level within Government
• PT CTO and CISO
• Create Code For Portugal initiative using a collaborative commons
model (similar to the USA’s @codeforamerica)
• Manage the PHS (Portuguese Hacking Service)
• Commitment to only buy, commission and use applications/websites that:
• have released their code under Open Source licenses
• have released all their info and schemas under non-restrictive Creative
Commons licenses
• Manage wide bug-bounty and hacking championships
83. Clear Software Act
• Clear Software Act, like the ‘Clean Air Act’, but focused on code
quality and security, would go some way to changing the game and
how it’s played.
• Large numbers of our community are resistant to any kind of
regulation, and there are many companies that profit from this
resistance.
• As Upton Sinclair said, “It is difficult to get a man to understand
something, when his salary depends upon his not understanding it”.
• The problem however is not regulation and standards, but bad
regulation and standards.
• Good regulation, in areas like health and environment, has made
major improvements, and we need to do the same for software and
code.
84. Software Testing Institute
• We need to measure and visualize the side effects of code,
and we need to measure the ‘pollution’ created by insecure
code and apps.
• We need a focus on Quality and Services, where we want to
encourage innovation and make it easy and cheap to create
(secure) code in Portugal.
• Portugal could adopt and use testing as a way to leapfrog
more advanced nations.
• A Software Testing Institute would allow us to measure and
capture this information. The work of such an institute should
focus on testing code and apps and creating labels for them.
85. ASAE for code
Autoridade de Segurança Alimentar e Económica
(Authority for Economic and Food Security)
86. When regulation loses the plot
• We need to learn from what worked and what didn’t work
with ASAE
• There was a severe lack of common sense and
everything that is bad with ‘security regulation’
• An ASAE for code mustn’t kill innovation and become a
‘TAX’.
• It needs to empower and reward good behaviour, and
have a common-sense approach to its operations.
• As cyber security gets worse, if we don’t have good,
positive alternatives, an ASAE is exactly what we will get.
This is not a good prospect.
87. Portugal wide bug bounty
• A Portuguese Software Testing Institute could also include bug-bounties as a core activity.
• Today, there are bug bounties everywhere, and they are a sign
of good InfoAppSec.
• Even the Pentagon has a bug-bounty program
• Are there any public bug-bounties for a Portuguese company?
• These must be a core activity of both business and government
• Receiving appropriate investment and publicity.
• Crowdsourcing the solution
• Lead the creation of standards and metrics for the Insurance
companies/industry.
88. Insurance
• The insurance industry is key to making this work. It will
push for good metrics to measure secure coding and
secure deployments (i.e. how code/apps/software are
used in the real world).
• It will provide a way to compare companies and
technologies, and this will make the market more efficient.
• Many companies will decide to insure insecure code, and
teams that create insecure code/apps.
• That is ok, as long as that information is disclosed.
• The insurance companies will increase the premiums to
cover the higher fines and financial losses.
89. Code Nationalisation
• Nationalising code is a nuclear option for cases where
companies refuse to share their code. It is essential to move to
a world where good regulation will allow every line of code that
is running and touches our data to be
• public
• peer-reviewable by independent parties
• compilable by independent parties
• signed
• This not only includes websites and ‘traditional software’, but
also operating systems, device drivers, IoT devices, network
devices, microchips, etc.: in short, anything that can access or
manipulate data.
90. European Union
• I’m a strong European and I believe in Europe
• But Europe needs to change and refocus on country sustainability
• Portugal should not have to ‘beg’ the EU for funds to support these ideas.
• EU, and other global organisations and companies, should choose to
invest in Portugal because they want to benefit from the perfect storm of
talent, energy, regulation, focus and activities that will exist here.
• They should invest and participate here because it is in their best interests,
and it is where they will get the best return on investment.
• This kind of collaboration and investment is what the EU should be all
about:
• a Collaborative Commons
• a global village
• shared care and respect for each other (and their contributions)
91. New currencies for southern Europe
• A good solution for the Euro Problem (for weaker
economies like Portugal) is to create alternative currencies
• We know how to do this now (with blockchain
technology)
• Multiple Fintech companies exploring all sorts of
business models and workflows
• These currencies should be 100% compatible with Euro
(so that they work side-by-side)
• Created by next generation of Portuguese Hackers
• Hacking a currency is quite a nice challenge
93. Easier in small country
• It is easier in a smaller country, with fewer agendas and big
lobby groups
• we already have the power to make these changes
• this is an issue of sovereignty and independence
• at this very moment we are three degrees of separation
from people who can make this happen
94. Raise the bar of the discussion
• We live in an era where ideas are not debated, experts
are ignored, science is not respected, and lies are
accepted
• this is very dangerous for us, our kids and Portugal
• I want to discuss and act on ideas (not on events or
people)
• we need a better, more informed, more
knowledgeable, more empowered media, to keep the
system accountable
95. Portugal has…
• Strong sense of ethics and community
• Good engineering and math education
• Good ability to ‘solve problems’ (and make it work)
• Learned the hard way what it feels like to be the junior
player (financial markets’ speculation on PT’s economy
helped to create the situation that led to the EU bailouts)
• we have hit rock-bottom with multiple financial crises
and several European bailouts
• only way is up
96. Big questions
• we are currently faced with big questions and changes on
privacy, liberty, humanity, freedom, work, which are all centered
on technology (and secure code), and these questions need to
be discussed, understood and addressed
• there are no perfect solutions
• we need to achieve a workable compromise and make sure
we take the best course of action
• I don’t claim that all my ideas are good, that they will work or
are even all realistic, especially in the current political and
economic ecosystem
• but I know that big changes occur when we head in the right
direction and can experiment, adapt, refactor and improve
97. What is Portugal the best at
• for PT it says “Portugal - rate - graduating high school”
• we can do better than that
• we should be world leaders in: software, craftsmanship,
cyber security, secure coding, devops, food
98. Our turn to fight for what we believe
• Our parents fought against fascism, against racism, for
pensions, for human rights, for women rights, for rock &
roll, etc…
• it is our turn to realign society and shift the balance of
power
• this is about removing control from central
organisations (governments, big companies) and giving
it to individuals and collaborative commons
• currently the power is in the hands of whoever controls the
networks
• It’s time to change that
99. Protect the internet
• The internet is one of the biggest gifts given to humanity
• The first generation made it open and free (in both cost
and freedom)
• Internet’s success is a testament to those decisions
and their values
• Now the time has come for our generation to follow in
their footsteps and keep it that way (for the next
generation)
100. Portugal needs to export engineers
• Everyone who leaves Portugal
• brings Portugal with them (in their hearts)
• becomes an ambassador for Portugal
• becomes a client of Portuguese products (assuming they
are easy to buy from abroad)
• has a connection with Portuguese companies (to bring
jobs back to Portugal)
• is an asset for Portugal
• is someone that will learn new skills, and eventually return
with those skills and references (net gain for Portugal)
101. What is the future of Portugal
• to be a garden for Europe, a holiday destination
• to be a small pawn in the global forces that control the
world
or
• To work together with CPLP (Community of the
Portuguese Speaking Countries) in a united partnership
• To be a powerhouse that inspires and leads the world in
technology and secure coding
102. Sail the code
• Let's use code to create a generation with strong work
ethic and values
• Let's create a new reality for Portugal
• The same way that Portuguese navigators once looked
at the unknown sea and conquered it
• Our new digital navigators must do the same with code.