This document discusses integrating security practices into continuous delivery processes. It describes Coveros' SecureAgile development process which includes threat modeling, risk analysis, penetration testing, security stories, secure code reviews, defensive coding and design, and secure testing. The goal is to assure timely delivery of software while achieving security objectives. Integrating security helps make applications more secure, reduces security costs, improves quality, and protects applications from attackers.
Implementing an Application Security Pipeline in JenkinsSuman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Devops security-An Insight into Secure-SDLCSuman Sourav
The integration of Security into DevOps is already happening out of necessity. DevOps is a powerful paradigm shift and companies often don’t understand how security fits. Aim of this session is to give an overview of DevOps security and How security can be integrated and automated into each phases of software development life-cycle.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
The development world has come to realize that the way we build applications opens the door to hackers.
We are starting to realize that it is the code itself that is enabling the attacks. It’s the responsibility of the
development team to build software that is inherently impervious to attack. Catching and dealing with
security defects earlier in the development lifecycle is much more economical than dealing with them once
the applications have been deployed.
Quality of software code for a given product shipped effectively translates not only to its functional quality but as well to its non functional aspects say security. Many of the issues in code can be addressed much before they reach SCM.
Automating security tests for Continuous IntegrationStephen de Vries
Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests
Integration depends on the level of cultural integration of security into DevOps.
3 Models of test ownership:
1. Owned by Security team - least desirable
2. Owned by DevOps, overseen by security - better
3. Owned by SecDevOps, look Ma, no silos.
Overview of BDD-Security
Configuring Jenkins with BDD-Security as inline tests
Simplify Dev with Complicated Security ToolsKevin Fealey
Abstract:
Writing secure applications is not easy, but keeping a security mindset during development can help reduce the rework caused by pre-release security assessments. No one should expect developers to be security experts – that’s not the path you’ve chosen – but the prevalence of free, open-source security tools and information can enable devs to detect many common and critical security issues before QA. This talk will focus on how developers can maximize the return on their security investment by automating detection of many vulnerabilities that security teams would find later in the SDLC. We’ll talk about freely available tools and techniques – some of which may already be in your dev environment – that can enable non-disruptive security testing in development. And for those developers who are already security testing their code, we'll discuss how to take your testing to the next level by embedding it into your functional testing.
Implementing an Application Security Pipeline in JenkinsSuman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Devops security-An Insight into Secure-SDLCSuman Sourav
The integration of Security into DevOps is already happening out of necessity. DevOps is a powerful paradigm shift and companies often don’t understand how security fits. Aim of this session is to give an overview of DevOps security and How security can be integrated and automated into each phases of software development life-cycle.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
The development world has come to realize that the way we build applications opens the door to hackers.
We are starting to realize that it is the code itself that is enabling the attacks. It’s the responsibility of the
development team to build software that is inherently impervious to attack. Catching and dealing with
security defects earlier in the development lifecycle is much more economical than dealing with them once
the applications have been deployed.
Quality of software code for a given product shipped effectively translates not only to its functional quality but as well to its non functional aspects say security. Many of the issues in code can be addressed much before they reach SCM.
Automating security tests for Continuous IntegrationStephen de Vries
Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests
Integration depends on the level of cultural integration of security into DevOps.
3 Models of test ownership:
1. Owned by Security team - least desirable
2. Owned by DevOps, overseen by security - better
3. Owned by SecDevOps, look Ma, no silos.
Overview of BDD-Security
Configuring Jenkins with BDD-Security as inline tests
Simplify Dev with Complicated Security ToolsKevin Fealey
Abstract:
Writing secure applications is not easy, but keeping a security mindset during development can help reduce the rework caused by pre-release security assessments. No one should expect developers to be security experts – that’s not the path you’ve chosen – but the prevalence of free, open-source security tools and information can enable devs to detect many common and critical security issues before QA. This talk will focus on how developers can maximize the return on their security investment by automating detection of many vulnerabilities that security teams would find later in the SDLC. We’ll talk about freely available tools and techniques – some of which may already be in your dev environment – that can enable non-disruptive security testing in development. And for those developers who are already security testing their code, we'll discuss how to take your testing to the next level by embedding it into your functional testing.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence.
Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority:
- Integrate effective threat modeling into Agile development practices
- Introduce Security Automation into Continuous Integration
- Integrate Security Automation into Continuous Deployment
While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic:
- The talk will be replete with anecdotes from personal consulting and penetration testing experiences.
- I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle.
- I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app.
- My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools.
- Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.
Why should developers care about container security?Eric Smalling
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
Application Asset Management with ThreadFixDenim Group
Too many organizations have an incomplete picture of their application portfolios. Because you are unable to protect attack surfaces that you don’t know about, this leaves them vulnerable. In this webinar, we will cover the capabilities that ThreadFix has to allows security teams to manage their application asset portfolios. We will also take a deeper dive into several tools such as nmap and OWASP Amass that can help security analysts better enumerate all of the applications in their organization’s portfolio.
Data Theorem is Proud to Be Named a DevSecOps Leader for the Second Year in a Row.
DevSecOps was the only category listed as providing transformational benefits among the Application Security categories listed. DevSecOps approaches enable security teams to keep pace with development and operations teams in modern development and deliver deep integration and automation of security tools.
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Sauce Labs
Test automation is all about running the most tests in the least amount of time. This is great for mature apps, but in the early stages of developing your web or mobile app, developers need to run a number of tests to ensure the app runs at all. Further complicating the issue is that often, your app is architect-ed differently for web and mobile which makes writing automated tests tricky.
Test Automation Specialist Max Saperstone from Coveros will cover some simple testing examples and demonstrate how to expand these for testing over multiple web architectures. He will briefly cover the difference in the design of these sites with a focus on how tests can be designed to overcome their limitations, minimizing duplicate code, and following best practices.
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
Explores how DevSecOps can enable continuous security assessment in Agile development by integrating various categories of security tools into your continuous integration / continuous delivery (CI/CD) pipeline.
Presented at OWASP Global AppSec DC, Sept 2019.
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
This presentation makes the case for adapting security requirements and processes to those used by developers. Specifically, it advocates the use of BDD (Given/When/Then) specifications to create self-verifying security requirements.
You've heard of infrastructure as code, with the BDD-Security framework, we can now write security-processes-as-code.
Security issues often neglected until coding step in
software development process, and changing in this step leads to
maximize time and cost consuming depending on the size of the
project. Applying security on design phase can fix vulnerabilities
of the software earlier in the project and minimize the time and
cost of the software by identifying security flaws earlier in the
software life cycle. This work concerns with discussing security
metrics for object oriented class design, and implementing these
metrics from Enterprise Architect class diagram using a
proposed CASE tool.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence.
Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority:
- Integrate effective threat modeling into Agile development practices
- Introduce Security Automation into Continuous Integration
- Integrate Security Automation into Continuous Deployment
While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic:
- The talk will be replete with anecdotes from personal consulting and penetration testing experiences.
- I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle.
- I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app.
- My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools.
- Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.
Why should developers care about container security?Eric Smalling
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
Application Asset Management with ThreadFixDenim Group
Too many organizations have an incomplete picture of their application portfolios. Because you are unable to protect attack surfaces that you don’t know about, this leaves them vulnerable. In this webinar, we will cover the capabilities that ThreadFix has to allows security teams to manage their application asset portfolios. We will also take a deeper dive into several tools such as nmap and OWASP Amass that can help security analysts better enumerate all of the applications in their organization’s portfolio.
Data Theorem is Proud to Be Named a DevSecOps Leader for the Second Year in a Row.
DevSecOps was the only category listed as providing transformational benefits among the Application Security categories listed. DevSecOps approaches enable security teams to keep pace with development and operations teams in modern development and deliver deep integration and automation of security tools.
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Sauce Labs
Test automation is all about running the most tests in the least amount of time. This is great for mature apps, but in the early stages of developing your web or mobile app, developers need to run a number of tests to ensure the app runs at all. Further complicating the issue is that often, your app is architect-ed differently for web and mobile which makes writing automated tests tricky.
Test Automation Specialist Max Saperstone from Coveros will cover some simple testing examples and demonstrate how to expand these for testing over multiple web architectures. He will briefly cover the difference in the design of these sites with a focus on how tests can be designed to overcome their limitations, minimizing duplicate code, and following best practices.
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
Explores how DevSecOps can enable continuous security assessment in Agile development by integrating various categories of security tools into your continuous integration / continuous delivery (CI/CD) pipeline.
Presented at OWASP Global AppSec DC, Sept 2019.
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
This presentation makes the case for adapting security requirements and processes to those used by developers. Specifically, it advocates the use of BDD (Given/When/Then) specifications to create self-verifying security requirements.
You've heard of infrastructure as code, with the BDD-Security framework, we can now write security-processes-as-code.
Security issues often neglected until coding step in
software development process, and changing in this step leads to
maximize time and cost consuming depending on the size of the
project. Applying security on design phase can fix vulnerabilities
of the software earlier in the project and minimize the time and
cost of the software by identifying security flaws earlier in the
software life cycle. This work concerns with discussing security
metrics for object oriented class design, and implementing these
metrics from Enterprise Architect class diagram using a
proposed CASE tool.
Impress your security team and avoid becoming a cautionary tale! Security needs to come first, but how? What do you do if you're not a security expert? From secure development to dealing with cloud-native infrastructure, and being ready for trouble, this presentation will help you feel secure.
Product Engineering teams have started to realize the importance of software security. This has resulted in the trend where teams are taking efforts to include it as part of their software development life cycle; as opposed to treating it as another item in their checklist prior to release. However, the real challenge is in trying to find the balance between agility and quality which is where many team find this an uphill task.
While there is no golden standard when it comes to implementing software security, product teams should focus on bringing about systematic and cultural practices within their teams. This should help them to bring about the required efficiency to enable software security as a market differentiator.
This slide-deck on Software Security Initiative focuses on translating a plan of action into sustainable activities as part of the secure software development life cycle that can be adopted by engineering teams. The slides will delve deep into aspects like identifying and designing security checkpoints in the SDLC alongside concepts such as Threat Modelling in Agile, AppSec Toolchain and Security Regressions.
This was presented as a we45 Webinar on April 12, 2018
Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs.
(Source : RSA Conference USA 2017)
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
4 approaches to integrate dev secops in development cycleEnov8
DevSecOps is an advanced extension of the DevOps technique in application engineering. In this model, developers/software engineers, operations teams and security teams collaborate and function closely throughout the software development lifecycle (SDLC) workflows and continuous integration / continuous deployment (CI/CD) pipelines.
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...QADay
Online Quality Assurance Day 2020 #2
ОЛЬГА АКСЬОНЕНКО
«Безпечна розробка програмного забезпечення в Agile проектах»
telegram: wwww.t.me/goqameetup
fb: www.fb.com/goqaevent
fb: www.fb.com/qaday.org
Сайт: www.qaday.org
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability
Similar to Integrating security into Continuous Delivery (20)
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
DevSecOps adds on the DevOps by making Application Security part of the daily workflow of the team in order to improve the quality and security of a product. Shift AppSec practices left is the key enabler to making AppSec a first-class citizen in the development effort rather than an afterthought with limited ability to be successful.
Shifting Security Left from the Lean+Agile 2019 ConferenceTom Stiehm
DevSecOps changes the application security value proposition by leveraging DevOps principles to shift security practices left and automating the collection of security-related data.
Failure is inevitable but it isn't permanentTom Stiehm
Agile Transformation is harder than it needs to be because we often find ways to consciously or subconsciously sabotage our efforts if we can recognize this behavior it is possible to intervene and make a change for the positive.
Agile testing for embedded software developmentTom Stiehm
A large part of the success of agile adoptions is due to the automated testing approach used in agile projects. Because many of these techniques were pioneered in the development of web applications it can be hard to see how these techniques can be leveraged for a project where the software being built is for an embedded application. Discover ways to leverage agile testing techniques for embedded systems. Whether you are building a medical device, embedded controller, or Internet of Things device learn how to leverage these testing practices to create fully automated tests that fit into a DevOps build pipeline and help your team create higher quality, more reliable software. Test automation is the best way to maintain and execute a comprehensive suite of regression tests that allows you to take back control of your testing process while increasing test coverage. Learn how to be in control of your test process by stepping up your test automation to the next level.
Embedded development and Internet of Things development is often done on platforms that lack modern software development and test automation tools. The more esoteric or the smaller the target audience, the less likely tool vendors are to create products that directly support the deployment environment. This can make getting started with test automation using older tools that are not as actively supported by vendors can be a challenge that has to be overcome by a team that wants to move toward a Continuous Deployment process.
This session is aimed at people that are trying to adopt agile and continuous delivery with embedded technology, but might be worried that it can’t work in their particular environment due to their industry, technology stack, culture, or regulatory environment.
Overcoming problems implementing cloud based dev ops for distributed agile pr...Tom Stiehm
Cloud-base development, delivery and deployment are the future of IT operations. Getting to the Cloud and conducting the business of IT there is a journey of change and growth to an IT Organization. Discover potential problems and their solutions based the experiences in developing Cloud-Based operations for multiple large, distributed projects in a variety of challenging environments. Overcoming these challenges is the key to successful adoption of Cloud DevOps and realizing the operational and productivity gains of the Cloud. Learn the hard earned lessons we learned from creating successful DevOps projects using Cloud Technology.
Implementing cloud based devops for distributed agile projectsTom Stiehm
Cloud-based development, delivery and deployment environments are the future of IT operations, learn how to best leverage the Cloud to enable your teams to use it effectively and to give them an advantage. Learn why Cloud software delivery is different from traditional software delivery environments and how to optimize your platform and team to get the most out of the Cloud. Geographically distributed software delivery teams are now the norm for large projects and the Cloud is a perfect enabler to level the playing field for your distributed teams and give them all the same ability to achieve high productivity.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Threat modeling is about understanding who is going to attack your system, why they are going to attack it, what they are going to target and how they are going to attack it.SQL injection is a classic attack surface. Although we have known about it for 30+ years it is still a vulnerability that gets exploited on a regular basis.
Pen Testing is different from Security Testing in that Pen Testers will use all means to compromise the system including social engineering, zero day flaws, security analysis, code analysis, you name it. Security Testing is more about know vulnerability playback.Both are valuable and have their place. Neither is a substituent for the other.Pen testing is a specialized skill set, it is often necessary to get external pen test professionals
Example: User shall not be allowed unlimited login attempts. Potential attackers use unlimited login attempts to use dictionary password attack methodsExample: Use shall not be given details regarding authentication failure.Potential attackers can use authentication failure details to figure out if they have legitimate user names
Fail safe, it can mean different things based on your application and functionality. Don’t create your own encryption or random number generation, use open standards that have been vetted by industry recognized experts.Use tools to scan you source code for known dangerous code constructs, system and library functions. Replace dangerous code right away.
Fail safe, it can mean different things based on your application and functionality. Don’t create your own encryption or random number generation, use open standards that have been vetted by industry recognized experts.Use tools to scan you source code for known dangerous code constructs, system and library functions. Replace dangerous code right away.
Use automated secure code review tools to find specific well known problem patterns and to highlight areas where manual reviews should be conducted. Bugs tend to cluster so sections of the code where a number of secure issues are present is a good candidate for a manual code review.
All applications are now networked applications and all need application security requirements.