Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others provide a robust SecDevOps implementation. This white paper by stackArmor provides an overview on how an organization can implement a Secure DevOps pipeline and its key elements.
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities, by Priyanka Aash
Ever wondered how to find bug fixes residing in Microsoft patches? In this presentation we will take a look at the tools and techniques used to reverse engineer Microsoft security patches. Many organizations take weeks to push out patches to their domains. If an attacker can locate the fix and get a working exploit going, they can use it to compromise your organization.
(Source: RSA USA 2016-San Francisco)
SafeLogic is Better than Open Source Encryption - The Top 10 Reasons, by Walter Paley
When it really counts, SafeLogic encryption modules are what you need to install in your technology solution. Don't get us wrong - open source crypto is great. OpenSSL and Bouncy Castle provide a secure cryptographic foundation for most of the world's websites and applications, but here are 10 reasons you should upgrade.
Protecting your organization against attacks via the build system, by Louis Jacomet
Organisations build software all the time, from developer machines to CI, even public pull requests.
There are security risks associated with these actions! Come discover what they are and how to mitigate them.
The build tool is about executing modifications and is thus inherently insecure. However, the risks can be mitigated through:
* Trusted dependencies
* Reproducibility
* Vulnerability tracking
Gradle will be used for the examples.
Network Security Open Source Software Developer Certification, by Vskills
Vskills certification for Network Security Open Source Software Developer assesses the candidate as per the company’s need for network security software development. The certification tests candidates on various areas: writing plug-ins for Nessus, the Ettercap network sniffer and the Nikto vulnerability scanner, extending Hydra and Nmap, writing modules for the Metasploit framework, extending Webroot, and writing network sniffers and packet-injection tools.
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per..., by GlobalLogic Ukraine
On 16 December 2021 the GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Personal Skill” took place! Anatolii Sakhno (Software Testing Consultant, GlobalLogic) walked through the principles of TDD (test-driven development) and examples of applying them. In addition, the talk covered:
- Effective use of unit tests in everyday tasks;
- Using TDD when developing test frameworks;
- Applying TDD principles when writing functional automated tests.
More about the event: https://www.globallogic.com/ua/about/events/globallogic-test-automation-online-techtalk-test-driven-development-as-a-personal-skill/
Enjoy watching, and don't forget to leave a comment about your impressions of the TechTalk!
This activity is part of the GlobalLogic Test Automation Advent Calendar; more events and goodies at: https://bit.ly/AdventCalendar_fb
The workshop will also provide a thorough guide to how mobile applications can be attacked, an overview of how some of the most important security checks for applications are applied, and an in-depth understanding of those security checks.
Course Content:
Android Introduction & Basics
Setting up the Pen testing environment
Reverse engineering & runtime manipulation
Application dynamic runtime analysis
Application Components and security issues
Data and Network interception – manipulation and analysis
Defensive Tools & Techniques for Android applications
Case VC+: How to secure a mobile payment app without penalizing the exp..., by Márcio Rosa
In this presentation we discuss the case study of the fintech VC+, covering what we did to protect ourselves and the main lessons learned, as well as what not to do. We will also demonstrate an Account Hijacking in one of the best-known apps on the market (anonymized).
Imagine we had the power to understand the code before it is compiled, to embed a backdoor, or even to steal the legitimate certificates of a well-known vendor and use them to sign malware.
Join me in the journey of exploring security issues that tend to happen during Build Time in typical enterprise environments.
Containers have been crucial in helping organizations orchestrate their infrastructure requirements. The scalability and reproducibility of containerized environments have enabled applications and web components to be deployed seamlessly in the cloud. While containers have multiple benefits, they also come with distinct security issues, resulting in attackers gaining access to the container, the host, and eventually the data. The first step towards implementing Container Runtime Security is to understand the current threat scenarios and adversary trends affecting cloud containers. To aptly evaluate the container threat landscape in any environment, an attack matrix should be formulated to ensure that the relevant techniques and tactics are identified for every attack stage.
The ATT&CK framework from MITRE has been a go-to framework for formulating a threat matrix and identifying an adversary’s tactics and methods/techniques used to attain their end game of privilege escalation or data exfiltration. This presentation covers:
Today’s container runtime security landscape
Apply ATT&CK methodology on the container runtime environment
Provide a practical approach towards attack surface, scenarios, and attack trends
Validations and Security Best Practices
Karen Easterbrook, Microsoft
Brian LaMacchia, Microsoft
Quantum computers may be 10 years away, but well-funded adversaries are already preparing for their arrival. Even if they can’t read high-value encrypted traffic today, they are recording and storing for when they can decrypt it in the future. If your secrets need to be protected for more than 10 years, you need to take action now. In this talk, we will explore how sufficiently large quantum computers will catastrophically break all public-key cryptography commonly used today, the overall scope of this threat, and the steps underway to develop and deploy quantum-resistant replacement algorithms and security protocols. We will introduce the code and tools that you can use today to fend off these future advanced threats.
The talk was given at the InfinIT event "Temadag: Java for real-time and embedded systems", held on 12 and 13 September 2013. Read more about the event here: http://infinit.dk/dk/arrangementer/tidligere_arrangementer/temadag_java_for_real-time_and_embedded_systems.htm
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale, Agile Testing Alliance
Avishkar Nikale, Senior Technical Architect at LTI, took a session on "DevSecOps with GitLab" at Global Testing Retreat #ATAGTR2019.
Please refer to our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
AppSec How-To: Achieving Security in DevOps, by Checkmarx
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US..., by Mobodexter
BlackHat USA 2015 recently concluded, and we heard a lot of news about how BlackHat brought to light various security vulnerabilities in day-to-day life, such as the ZigBee protocol, a device for stealing keyless cars, and ATM card skimmers. However, the presenters, who are also ethical hackers, also gave the software community a set of tools to detect & prevent security holes in hardware & software before the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of the Top 10 tools/utilities that help in security vulnerability detection & prevention.
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETY, IJNSA Journal
In this paper, we propose and implement an internal continuous integration system based on two open-source tools, Jenkins and GitLab, taking into account the safety of the servers in the system. In the proposed system, we combine a firewall function and a reverse proxy function to protect the Jenkins server itself and reduce the risk to this server from attacks on the CVE-2021-44228 security vulnerability, which may exist in Jenkins plugins. This system is highly practical, and it can be applied to immediately protect service servers when a vulnerability in them has been discovered but the corresponding patch is not yet available or the conditions for applying the patch are not yet met.
Top 5 DevSecOps Tools - You Need to Know About, by Dev Software
The increased efficiency brought about by DevSecOps tools can be attributed to their ability to streamline processes across all three groups involved: the development, operations and security teams. For example, if there is an issue with your application's code or infrastructure configuration that needs fixing before it goes live on production servers (i.e., somewhere users could see it), this process now happens much faster, because everyone involved has access to all the relevant information at once, instead of holding separate conversations between individual group members who might not know what another person knows about a particular problem area within their respective domains.
The security process should be well integrated with the SDLC to be successful. While many companies have already moved from Waterfall to Agile methodologies, security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs, and implementing continuous security testing using dynamic scanners as well as manual testing.
It is also very important to ensure that false positives are not fed into the developers' bug tracking systems and that a severity is assigned correctly to each finding. To make this happen we import all our findings into a security dashboard and review them before exporting them to a bug tracking system.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
The Emergent Cloud Security Toolchain for CI/CD, by James Wickett
Security is in crisis and it needs a new way to move forward. This talk, from the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of devops and devsecops.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The DevSecOps Builder’s Guide to the CI/CD Pipeline, by James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
stackArmor - FedRAMP and 800-171 compliant cloud solutions, by Gaurav "GP" Pal
Conducting a Security Assessment and Authorization (SA&A) phase is essential to deliver a fully compliant solution and ensure adequate verifiable evidence to support the assertion that the system is compliant with FedRAMP or 800-171 requirements. Documentation standards as prescribed by FIPS-199, NIST SP 800-53 and the newly released Rev 5 as well as the DOD RMF are proven frameworks for ensuring a secure and compliant cloud system.
stackArmor - FedRAMP and 800-171 compliant cloud solutions, by Gaurav "GP" Pal
Providing a FedRAMP or 800-171 compliant solution requires a strong continuous monitoring and management program. DHS' CDM initiative is a robust blueprint for architecting a proven set of policies, procedures and tools that effectively provide the information needed to detect issues and anomalies.
stackArmor Security MicroSummit - Next Generation Firewalls for AWS, by Gaurav "GP" Pal
stackArmor Security MicroSummit
How to select a Next Generation Firewall by Palo Alto Networks:
Ed Caswell from Palo Alto Networks will talk about how to select and deploy a next generation firewall. He will cover the topics described below.
Understand key threats and use cases for NGFW: Understand the threat vectors and use cases that are driving NGFW adoption.
Key features and benefits of NGFW: Understand key capabilities and the protections that are delivered for cloud hosting environments.
NGFW Best Practices: Common deployment models and cloud-architecture best practices for security focused organizations leveraging cloud platforms such as AWS.
stackArmor MicroSummit
Securing the AWS Environment by McAfee:
Larry Kovalsky will cover topics relevant to securing the AWS hosting environment for compliance and security focused customers. He will cover the topics described below.
Endpoint Focused: McAfee Public Cloud Security Suite – Workload Discovery, Visibility, and Comprehensive Threat Protection for AWS
Network Focused: McAfee Virtual Network Security Platform – Network intrusion prevention featuring advanced signature-less detection techniques and true East/West IPS/prevention capabilities within AWS.
Data Focused: Pervasive Data Protection Suite – Visibility, Encryption, Data Loss Prevention, Web/Cloud Access Security Broker (CASB) protection. Follow the data between on-prem and AWS.
stackArmor MicroSummit - Niksun Network Monitoring - DPI, by Gaurav "GP" Pal
stackArmor Security MicroSummit
Deep Packet Inspection on AWS by Niksun:
Shivank Dua will talk about how Deep Packet Inspection on AWS provides critical capabilities required to detect data breaches, malware and other threat scenarios. The ability to reconstruct the packet stream and perform forensics is critical to speedy incident response protecting from emerging and dynamic threat patterns. Topics will include:
Threat scenarios and the need for Deep Packet Inspection / Deep Content Inspection
Limitations of flow and log-based analysis techniques
Use cases for ‘knowing the unknown’ via deep packet and content inspection
stackArmor Security MicroSummit - AWS Security with Splunk, by Gaurav "GP" Pal
stackArmor MicroSummit
Creating a SOC/NOC and Security Insights with Splunk and SplunkCloud:
Splunk will talk about how to leverage and deploy Splunk ES and the latest SplunkCloud offering to rapidly develop a SIEM and operational insights platform. Learn about the latest SplunkCloud offering from Splunk, available on the AWS Marketplace.
Secure hosting and maintenance of e-commerce websites has become the need of the hour. Modern websites are highly vulnerable to threats such as hacking, phishing, pharming, denial of access, etc. Magento is considered one of the most secure e-commerce platforms, and it is easy to install and ready to use. The built-in security features of Magento and the additional benefits of AWS make it the safest and most secure platform for modern applications.
Magento is an open source cloud based digital commerce platform that empowers merchants to integrate digital and physical shopping experiences. Magento enterprise edition provides an engaging shopping experience to the users by providing personalized content, fast checkout and a seamless shopper experience. However, in order to ensure the integrity of the user experience and sensitive customer data, it is important to follow security and deployment best practices. stackArmor’s cybersecurity and cloud deployment experts have developed a proven and full-stack methodology to help protect and secure applications and data. The diagram below provides an overview of the key layers and security countermeasures.
AWS offers a wide variety of configuration and deployment choices that require infrastructure, systems engineering and AWS engineering expertise. The cloud experts at stackArmor have developed an easy to use deployment automation harness called StackBuilder™. StackBuilder™ allows users to quickly deploy and use their Magento e-commerce website hosted on AWS. StackBuilder’s intelligent cloud deployment engine takes care of instance selection, AWS VPC configuration and software installation. The fully managed Magento service includes patching, vulnerability management, continuous monitoring, data encryption, and recovery & backup support.
stackArmor StackBuilder provides a rich and easy to use consumer-grade experience for non-technical users to jumpstart their projects by answering a series of simple questions. StackBuilder’s intelligent provisioning and capacity estimation engine leverages the rich set of services provided by the AWS cloud platform, including a wide variety of EC2 instances, Virtual Private Cloud (VPC), Auto Scaling Groups, Clustering and Elastic Load Balancers (ELB), amongst others. The user of StackBuilder™ does not have to go through the various steps associated with configuring and setting up the AWS infrastructure, as they are handled automatically. This allows users to focus on their project without waiting for costly consultants or needing cloud infrastructure expertise.
Amazon Web Services (AWS) offers a cost-effective and flexible hosting platform for enterprise applications such as Sitecore. This white paper describes the motivation behind the use of Sitecore and how it can be hosted on cloud infrastructure “As-A-Service”. The paper also covers the features provided by Sitecore, the system requirements for its installation, and the add-on features provided by AWS to make the service robust, secure, and reliable.
The cloud experts at stackArmor have successfully migrated and supported large cloud-based systems on the AWS platform for customers such as the US Treasury, the US Department of Defense and other large security-focused organizations in Healthcare and Financial Services. StackBuilder™ is a cloud deployment automation platform with a “Turbo-Tax” like wizard that helps users quickly select and jumpstart their content management system on AWS.
stackArmor’s StackBuilder™ is a cloud deployment wizard designed to assist companies in the rapid deployment and installation of Sitecore on Amazon Web Services (AWS). The highly experienced AWS solution architects at stackArmor developed StackBuilder™ to simplify the cloud migration and hosting experience by automating the configuration and setup of secure cloud hosting environments based on the AWS Well-Architected Framework (WAF).
Secured Hosting of PCI DSS Compliant Web Applications on AWS, by Gaurav "GP" Pal
Protecting card owner information has become very important for e-commerce companies as they have become frequent targets for hackers. In order to safeguard the interests of the card owners, four industry majors, VISA, MasterCard, Discover and American Express, joined hands to create a set of policies and procedures to protect the debit, credit and cash card transactions and to safeguard the personal information of the cardholders. These policies and procedures are collectively known as the Payment Card Industry Data Security Standard (PCI DSS). In simple terms these standards alert companies that they are wholly responsible for the credit card information of their customers. The PCI directs companies to use the information diligently and to store only that information that is required for their business. This white paper provides an overview of architectural features in the AWS cloud that ensure the hosting of e-commerce web applications that are PCI DSS compliant. This stackArmor white paper provides an overview of hosting PCI DSS compliant applications in AWS.
FGMC - Managed Data Platform - CloudDC Meetup, by Gaurav "GP" Pal
First Guaranty Mortgage Corporation (FGMC) is a full service national lender offering mortgage solutions to clients. The Enterprise Data team is focused on leveraging Enterprise Data as a differentiator. By embracing data science, analytics and cloud technologies, new and innovative solutions are delivered to support the business mission.
The rapid evaluation and deployment of a flexible, scalable, and secure cloud-based data platform was critical to jumpstarting enterprise data initiatives.
FGMC leveraged Amazon Web Services (AWS) and conducted an agile and iterative transformation process that included a pilot using stackArmor's StackBuilder solution for rapidly deploying services.
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef, by Gaurav "GP" Pal
Large scale data processing for Extract, Transform and Load (ETL) jobs is a very common practice. The stackArmor DevOps team developed a Chef based automation solution to automate AWS environment provisioning, code deployment and data ingestion processing in order to ingest and process over 2 TB of data.
This presentation covers the technologies used, the planning phase, AWS instance selection and optimizing the ETL processing for not only performance but also cost.
The target was to process 500 million rows within 72 hours with a processing rate of 5 million transactions per hour.
The presentation also provides pitfalls and automation optimizations performed to accomplish the targeted processing rates.
The presentation was delivered at the DevOpsDC Meetup on May 17, 2016
Organizations are looking for rich visualization solutions to enable better decision making and collaboration. Tableau is a market leading data analytics solution that can be easily hosted on AWS and offers a variety of pricing models to get started quickly. Learn more about how you can jumpstart your Tableau project by using the new cloud based pricing model.
AWS Security Best Practices, SaaS and Compliance, by Gaurav "GP" Pal
As more SaaS businesses come online it is critical that they follow security architecture and operational best practices. The changing regulatory framework from agencies such as the SEC and FTC requires SaaS companies to implement security best practices.
Big Data - Accountability Solutions for Public Sector ProgramsGaurav "GP" Pal
Enhancing Program Oversight and Integrity through Agile Systems Development and Advanced Analytics requires the application of advanced algorithms and technologies for proactive oversight.
The Recovery Operations Center (ROC) deployed advanced analytics and data analytics staff to help identity and prevent waste, fraud and abuse in the $840 billion ARRA 2009 program.
2013 11-06 adopting aws at scale - lessons from the trenchesGaurav "GP" Pal
Enterprise adoption of elastic cloud computing platforms such as AWS require new management and operations processes.
Highlights:
--“Pay-as-you-go” is an asset only if strong governance is in place
--Who should be performing this optimization? Developers? Ops? PM’s? What should be the frequency?
--What is the playbook?
----Resizing instances based on demand
----Reviewing storage consumption
----Standard/Reserved Instances
--Shut-down instances when not needed
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suroGaurav "GP" Pal
DevOps helps accelerate the delivery of software applications through automation and by removing Development & Operations silos. The Netflix Platform Engineering team has developed a robust data pipeline solution called SURO that has been open sourced. Come learn from the experiences of pioneers like Netflix how they are leveraging the data pipeline for new and innovative use cases. This is the presentation by Danny Yuan, Netflix Platform Engineering Team on operational and monitoring aspects of applications on cloud platforms.
Enterprise transformation with cloud computing Jan 2014Gaurav "GP" Pal
We concluded on Jan 31, 2014 another fabulous edition of the Digital Innovation Breakfast. Over 60 people registered and listened to the keynote address by Mr. Bernie Mazer, CIO, US Department of the Interior. This was followed by a lively panel discussion that included US Department of the Interior, US Department of the Treasury, Accenture, Microsoft and Gartner. We are now set to execute on the third edition of the event scheduled for late April 2014/early May 2014 titled “Big Data in Financial Services”.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Implementing Secure DevOps on Public Cloud Platforms
White Paper
stackArmor DevOps Solutions Team
This document is provided for informational purposes only. Readers are responsible for making their own independent assessment of the
information in this document and any use of products or services, each of which is provided “as is” without warranty of any kind,
whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or
assurances. All copyrights and trademarks are acknowledged.
Contents
Abstract
What is Secure DevOps or SecDevOps?
Implementing a CI/CD Security Process
    Develop Code
    Commit Code to CI/CD
Tools for a Secure DevOps Pipeline
    YASCA Static Code Analysis
        Yasca Severity Levels
    SonarQube
        Yasca-SonarQube Severity Mapping
        Yasca Sample Reports
    HPE Fortify Static Code Analyzer (SCA)
        Fortify Severity Levels
        Fortify-SonarQube Severity Mapping
        Fortify Sample Reports
    Nessus
    OpenSCAP
        OpenSCAP Severity Levels
        OpenSCAP-SonarQube Severity Mapping
        OpenSCAP Sample Report
    ClamAV
    Windows Defender
Conclusion
About stackArmor
Resources
Abstract
Businesses are looking to accelerate the delivery of production-quality software with fewer defects and better security. Continuous Integration/Continuous Deployment (CI/CD), the automation practice at the core of DevOps, is a rapidly maturing approach for reducing the time and effort it takes to test and deploy code into production. Automation of the integration and deployment activities is especially common on cloud-based platforms. Adding security testing to the DevOps pipeline helps address the needs of regulated, compliance-driven and public-sector organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube and OpenSCAP, integrated with vulnerability scanners and code analyzers such as Tenable Nessus and HPE Fortify, provide a robust SecDevOps implementation.
What is Secure DevOps or SecDevOps?
Secure DevOps is the integration of security scans and reviews into the application development and deployment process. The figure accompanying this section in the original paper (not reproduced in this text) shows a high-level view of a CI/CD environment. The CI/CD or DevOps pipeline includes common enabling components such as Jenkins, Nexus, Chef and SonarQube. This white paper is focused on the security aspects of DevOps and therefore does not go into the details of the DevOps pipeline itself.
Implementing a CI/CD Security Process
The CI/CD or DevOps security lifecycle begins with code development and integration. As code is committed for deployment, the CI/CD security processes are triggered. Common actions include static code analysis, vulnerability scanning, anti-virus scans and similar integrity checks. The results of the security scans are provided to project management and to the Chief Information Security Officer (CISO) of the organization.
Figure: CI/CD security processes integrated within the overall code deployment and integration processes, as an integral part of the pipeline (figure not reproduced in this text)
Key aspects of the CI/CD security pipeline are described in greater detail below.
Develop Code
Development is performed on an independent virtual machine (VM) within the CI/CD environment by the application development teams. To comply with NIST requirements for applying secure engineering principles (NIST SP 800-53 control SA-8, Security Engineering Principles), application developers should use code analysis utilities to ensure safe coding practices are followed. Project teams should run code analysis as early as possible in the development lifecycle.
By leveraging code analysis capabilities, and correcting identified issues prior to submission to the
formal Security process, the project will experience fewer delays and incidents of rework due to
flaws and other security concerns.
At a minimum, code analysis should be performed as code modules are completed, but it is not
necessary for modules to be completely finished for code review to be useful. Any supported
language source file can be individually scanned or scanned within a directory along with other
source files.
Commit Code to CI/CD
As application code is committed to the CI/CD branch of the Git repository, the CI/CD pipeline performs a security review using automated static code analysis tools. The commit formally triggers the security checks and scans, which are described in greater detail below.
Tools for a Secure DevOps Pipeline
SecDevOps includes the execution of automated scanning tools and manual security reviews of
results by the Security Team in order to facilitate the application deployment process.
YASCA Static Code Analysis
Yasca is a static source code analysis tool that performs a number of tests to identify actual and potential coding issues, including those in the OWASP Top 10. It should be noted that Yasca, an open source tool, is only one of the tools available to support secure coding practices; other code analysis tools include HPE Fortify, IBM AppScan and others. Yasca uses individual plugins to scan targeted files, and a Yasca deployment may include the following plugins (depending on the development environment):
• Grep Plugin. Uses external .grep pattern files to scan target files for simple patterns.
• PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
• JLint Plugin. Uses JLint to scan Java .class files for issues.
• antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
• FindBugs Plugin. Uses FindBugs to scan Java class and JAR files for issues.
• Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.
Yasca Severity Levels
Yasca plugins implement five (5) severity levels:
• 1 – Critical
• 2 – High
• 3 – Warning
• 4 – Low
• 5 – Informational
When code has been committed to the CI/CD Git repository, the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which produces a Yasca report in both HTML and CSV format. The CSV results are further processed and formatted into an XML document. After the Yasca output has been processed, the SonarQube Scanner (sonar-scanner) is invoked to analyze the XML file using custom rules that map the Yasca results into the SonarQube dashboard.
SonarQube
SonarQube (formerly known as Sonar) is an open source platform for measuring and analyzing the quality of source code. In the pipeline, SonarQube provides the reporting and management oversight that lets the CISO and the security team collect and monitor security issues as part of the CI/CD process.
Yasca-SonarQube Severity Mapping
SonarQube implements five (5) severity levels:
• Blocker
• Critical
• Major
• Minor
• Info
Yasca severity levels are mapped to SonarQube severity levels in accordance with the table below:
Yasca Severity Level    SonarQube Severity Level
1 – Critical            Blocker
2 – High                Critical
3 – Warning             Major
4 – Low                 Minor
5 – Informational       Info
Yasca Sample Reports
Once the mappings are established, the Yasca scans performed as part of the CI/CD build are configured to generate a detailed report of findings that is piped into SonarQube. The original paper shows an example Yasca finding at this point (figure not reproduced in this text).
CSV-formatted reports are condensed versions of the HTML report, providing Finding #, Plugin Name, Severity, Location and Message fields. These CSV files are converted to an XML file that is imported into SonarQube.
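As an added example (not part of the original paper, and not stackArmor's converter, which the paper describes as a CSV-to-XML step consumed by custom SonarQube rules), the following Python script shows one way to carry out the same Yasca-to-SonarQube hand-off: it parses a Yasca CSV report, applies the severity mapping from the table above, and writes SonarQube's Generic Issue Import JSON (SonarQube 7.2 and later, read by sonar-scanner through the sonar.externalIssuesReportPaths property). It also applies a simple gate so that the Jenkins job fails on Blocker or Critical findings. The column names are the five listed above; the "path:line" layout of the Location field, the numeric Severity values, the engineId/ruleId strings and the sample CSV are all constructed assumptions.

```python
"""Convert a Yasca CSV report into SonarQube Generic Issue Import JSON.

Added example, not the paper's converter. Assumptions:
  - CSV columns as named in the paper: Finding #, Plugin Name, Severity,
    Location, Message; Location written as "path:line" (assumed layout);
  - Severity is the numeric Yasca level 1-5 (assumed);
  - output is SonarQube's Generic Issue Import format, passed to the scanner
    with -Dsonar.externalIssuesReportPaths=yasca-issues.json.
"""
import csv
import io
import json

# Severity mapping taken from the paper's Yasca-SonarQube table.
YASCA_TO_SONAR = {
    "1": "BLOCKER",   # Critical
    "2": "CRITICAL",  # High
    "3": "MAJOR",     # Warning
    "4": "MINOR",     # Low
    "5": "INFO",      # Informational
}

# Constructed sample of a Yasca CSV report; not real scan output.
SAMPLE_CSV = """\
Finding #,Plugin Name,Severity,Location,Message
1,Grep,1,src/main/java/Login.java:42,Hard-coded password detected
2,PMD,2,src/main/java/Db.java:88,SQL statement built by string concatenation
3,FindBugs,3,src/main/java/Util.java:10,Unclosed stream may leak a file handle
4,JLint,5,src/main/java/Util.java:3,Unused import
"""


def parse_location(location):
    """Split "path:line" into (path, line); fall back to line 1 if absent."""
    path, sep, line = location.rpartition(":")
    if not sep or not line.isdigit():
        return location, 1
    return path, int(line)


def yasca_csv_to_sonar(csv_text):
    """Return a dict in SonarQube Generic Issue Import shape ({"issues": [...]})."""
    issues = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = row["Severity"].strip()
        if sev not in YASCA_TO_SONAR:
            # Fail loudly: an unmapped level would otherwise vanish from the dashboard.
            raise ValueError(f"unknown Yasca severity {sev!r} in finding {row['Finding #']}")
        path, line = parse_location(row["Location"].strip())
        issues.append({
            "engineId": "yasca",                                   # assumed label
            "ruleId": f"yasca-{row['Plugin Name'].strip().lower()}",  # assumed label
            "severity": YASCA_TO_SONAR[sev],
            "type": "VULNERABILITY",                               # assumed for all findings
            "primaryLocation": {
                "message": row["Message"].strip(),
                "filePath": path,
                "textRange": {"startLine": line},
            },
        })
    return {"issues": issues}


def gate(report, fail_on=("BLOCKER", "CRITICAL")):
    """Quality gate: number of issues at a severity that should fail the build."""
    return sum(1 for issue in report["issues"] if issue["severity"] in fail_on)


if __name__ == "__main__":
    report = yasca_csv_to_sonar(SAMPLE_CSV)
    with open("yasca-issues.json", "w") as fh:
        json.dump(report, fh, indent=2)
    blocking = gate(report)
    print(f"{len(report['issues'])} issues, {blocking} blocking")
    raise SystemExit(1 if blocking else 0)
```

Run it in the Jenkins build after the Yasca scan, pointing at the real CSV instead of SAMPLE_CSV, and pass -Dsonar.externalIssuesReportPaths=yasca-issues.json to sonar-scanner. The non-zero exit status on blocking findings is what fails the build; the JSON is what lets the CISO see the same findings in the SonarQube dashboard without maintaining a custom rule set.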
An example SonarQube report follows in the original paper (figure not reproduced in this text).
HPE Fortify Static Code Analyzer (SCA)
Depending on the security needs of the organization, additional security checks can be added. Commercial packages such as HPE Fortify Static Code Analyzer (SCA) provide static application security testing (SAST): they analyze the source code of an application for security vulnerabilities and help developers identify and resolve issues during development and testing.
Fortify Severity Levels
Fortify SCA implements four (4) severity levels:
• Critical
• High
• Medium
• Low
Fortify-SonarQube Severity Mapping
SonarQube's five severity levels (Blocker, Critical, Major, Minor, Info) are listed in the Yasca-SonarQube mapping above.
Fortify severity levels are mapped to SonarQube severity levels in accordance with the table below:
Fortify Severity Level    SonarQube Severity Level
Critical                  Blocker
High                      Critical
Medium                    Major
Low                       Minor
(no Fortify equivalent)   Info
Fortify Sample Reports
By default HPE Fortify SCA produces a proprietary result file with an FPR extension. Fortify SCA may also be configured to produce a text (TXT) file or an XML-based FVDL file, and it provides a Report Generator utility to produce PDF or XML reports. For dataflow issues, Fortify identifies a Source, the code that collects and sends input, and a Sink, the code that receives and processes the input; the path between the two is what the developer must validate or cut. An example of the PDF report is shown in the original paper (figure not reproduced in this text).
Nessus
Nessus is a vulnerability scanner from Tenable. It identifies system vulnerabilities, missing patches and non-compliant system configurations. Scans are performed on a periodic basis and the results are provided to the CI/CD Project Manager.
Consistent with the DevOps culture, the application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, database, web server) and coordinates with the application development teams and/or the security team to address platform findings that may affect hosted applications.
OpenSCAP
OpenSCAP (the oscap command-line tool) uses XCCDF checklist profiles to evaluate the operating system configuration against an established baseline. The CI/CD pipeline uses OpenSCAP to evaluate the configuration of the instances supporting the CI/CD development pipeline.
OpenSCAP Severity Levels
OpenSCAP implements four (4) severity levels:
• High
• Medium
• Low
• Other
OpenSCAP-SonarQube Severity Mapping
SonarQube's five severity levels (Blocker, Critical, Major, Minor, Info) are listed in the Yasca-SonarQube mapping above.
OpenSCAP severity levels are mapped to SonarQube severity levels in accordance with the table
below:
OpenSCAP Severity Level    SonarQube Severity Level
High                       Blocker / Critical
Medium                     Major
Low                        Minor
Other                      Info
OpenSCAP Sample Report
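The sample report itself is an image in the original paper and is not reproduced here. As an added example (not stackArmor's pipeline code), the Python script below reads the XCCDF results file that oscap writes when run as shown in the header comment, lists every rule that failed or could not be evaluated together with its OpenSCAP severity and the SonarQube severity from the mapping table above, and returns a pass/fail decision for the pipeline. The mapping table lists both Blocker and Critical against High; the script uses Blocker, and that choice, the rule identifiers and the embedded results XML are constructed assumptions. It also treats error and unknown results as needing review, because a check that could not run is not evidence of compliance.

```python
"""Parse OpenSCAP XCCDF results and gate the pipeline on failed rules.

Added example, not the paper's code. Assumes a results file produced by:
  oscap xccdf eval --profile <profile-id> --results results.xml \
      --report report.html <benchmark-or-datastream.xml>
and the XCCDF rule-result layout (idref/severity attributes, <result> child),
which is the same in XCCDF 1.1 and 1.2. SAMPLE_RESULTS below is constructed.
"""
import xml.etree.ElementTree as ET

# OpenSCAP -> SonarQube mapping from the paper's table. The table shows both
# Blocker and Critical against "High"; this example picks Blocker (assumption).
OSCAP_TO_SONAR = {"high": "BLOCKER", "medium": "MAJOR", "low": "MINOR"}

# Result values that mean "not proven compliant" and therefore need review.
NEEDS_REVIEW = ("fail", "error", "unknown")

# Constructed XCCDF 1.2 results document; rule ids are invented for illustration.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2016-05-17T10:00:00">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_present" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_banner_set" severity="low">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet_removed" severity="unknown">
      <result>error</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_not_selected">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def sonar_severity(xccdf_severity):
    """Map an XCCDF severity to SonarQube; anything unmapped is 'Other' -> Info."""
    return OSCAP_TO_SONAR.get((xccdf_severity or "").lower(), "INFO")


def parse_xccdf_results(xml_text):
    """Return one dict per rule-result, regardless of outcome."""
    root = ET.fromstring(xml_text)
    findings = []
    # "{*}" matches any namespace, so 1.1 and 1.2 result files both parse.
    for rr in root.iterfind(".//{*}rule-result"):
        result_el = rr.find("{*}result")
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        findings.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "sonar_severity": sonar_severity(rr.get("severity")),
            "result": result,
        })
    return findings


def failed(findings):
    """Rules that failed or could not be evaluated; both need a human look."""
    return [f for f in findings if f["result"] in NEEDS_REVIEW]


def gate(findings, fail_on=("BLOCKER", "CRITICAL")):
    """True when the build may proceed: no unresolved rule at a blocking severity."""
    return not any(f["sonar_severity"] in fail_on for f in failed(findings))


if __name__ == "__main__":
    results = parse_xccdf_results(SAMPLE_RESULTS)
    for f in failed(results):
        print(f"{f['sonar_severity']:8} {f['result']:6} {f['rule']}")
    raise SystemExit(0 if gate(results) else 1)
```

In the pipeline, run oscap on the freshly provisioned instance, copy results.xml back to the Jenkins workspace and run this script in place of the SAMPLE_RESULTS constant; the exit status gates the deployment while the printed list goes to the CI/CD team, who own platform findings under the responsibility split described for Nessus above.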
ClamAV
ClamAV is an open source antivirus scanner, used here on Linux. ClamAV is installed on the Linux servers supporting application development and is configured to scan local directories and files for known malicious code on a nightly schedule.
The application development teams are responsible for mitigating findings related to hosted applications; the CI/CD team is responsible for mitigating findings related to the underlying platform (OS, database, web server).
Windows Defender
Windows Defender is the antivirus scanner built into Windows operating systems. Windows Defender is configured on the Windows servers and workstations supporting application development to scan local directories and files for known malicious code on a nightly schedule.
The application development teams are responsible for mitigating findings related to hosted applications; the CI/CD team is responsible for mitigating findings related to the underlying platform (OS, database, web server).
Conclusion
The rapid adoption of cloud platforms such as Amazon Web Services (AWS) and of Continuous Integration/Continuous Deployment (CI/CD) practices presents a unique opportunity to deliver more secure code by integrating security practices into the pipeline. A wide variety of open source and commercial tools allow the creation of SecDevOps pipelines that support the security and information assurance function. By running security testing and scanning as part of the build and deploy process, SecDevOps makes it possible to deliver continuous information assurance.
About stackArmor
stackArmor is an AWS Certified Partner with experienced cybersecurity and AWS solution architects who have deployed compliant applications for Healthcare, Financial Services, Public Sector, Department of Defense and Commercial customers, including non-profits. We help customers in the following areas:
• AWS Cloud Architecture and Migration Services
• DevOps and Automation Architecture and Implementation Services
• AWS Managed Services and Cloud Operations
• AWS Value-Added Resale and Hosting Support Services
• Cybersecurity Compliance and Penetration Scanning Services
Additionally, we offer an out-of-the-box solution, stackArmor StackBuilder™, a "Turbo Tax"-like wizard for helping application owners quickly configure a fully functional AWS environment. The wizard walks the user through a series of simple questions in a 5-step process. Upon submission of the request, the user is presented with login credentials to a fully configured and operational environment, ready to go.
StackBuilder™ provides a rich and easy-to-use consumer-grade experience for non-technical users to jumpstart their projects by answering a series of simple questions. StackBuilder's intelligent provisioning and capacity estimation engine leverages the rich set of services provided by the AWS cloud platform, including a wide variety of EC2 instances, Virtual Private Cloud (VPC), Auto Scaling Groups, clustering and Elastic Load Balancers (ELB). The user of StackBuilder™ does not have to go through the various steps associated with configuring and setting up the AWS infrastructure, as they are handled automatically. This allows users to focus on their project without waiting for costly consultants or needing cloud infrastructure expertise.
Please contact us at solutions@stackarmor.com or call at 888-964-1644.
Resources
1. White paper on Cloud Security Best Practices and Common Errors.
https://www.stackarmor.com/resources/