This document discusses findings from the 2019 State of DevOps report regarding security integration. It finds that security is not always a top priority for development teams. It also analyzes different levels of security integration in software delivery cycles and the impact of security practices on organizations' confidence in their security posture. Practices that involve collaboration between security and development teams are found to most improve security. However, the document also notes there can be friction between teams and that fully integrating security is messy.
Splitting The Check On Compliance and Security (New Relic)
Often times, developers and auditors can be at odds. The agile, fast-moving environments that developers enjoy will typically give auditors heartburn. The more controlled and stable environments that auditors prefer to demonstrate and maintain compliance are traditionally not friendly to developers or innovation. We'll walk through how Netflix moved its PCI and SOX environments to the cloud and how we were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers.
Now that you’ve learned how to create code confidence for better application security, the second webinar in this series focuses on ensuring your processes are secure.
With many organizations transforming development efforts from traditional environments toward Agile development, the need to redefine and establish security standards and testing methods is more important than ever.
In this second one-hour webinar you'll learn how to:
- Integrate security and compliance testing with Agile development
- Provide context for fast triage and remediation
- Create policies for code management in integrated testing environments
If you are doing CISSP then this might be useful for the Application Security domain. I prepared these slides to make sure I understand software development in an organized manner from a security professional's perspective as well as to create a foundation for the exam. Primary references here are the Shon Harris CISSP book series and the ISC2 official CBK, as I mentioned in my previous slide shares on similar topics.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Prac... (Akond Rahman)
In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to lack of adequate reviews. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that are using DevOps to systematically explore experiences in utilizing security practices. We observe that the majority of the software practitioners have expressed the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security utilize additional security activities, such as security requirements analysis and performing security configurations. Additionally, these teams also have established collaboration between the security team and the development and operations teams.
Software engineering, Secure software engineering training (Bryan Len)
Software security is the practice of engineering software so that it continues to function correctly while under malicious attack.
This is essential to prevent:
Damage to and loss of data
Premature leaks of data
Downtime of resources
Why do you need secure software engineering ?
Software faults can lead to security vulnerabilities, which cost businesses millions of dollars every year.
That is why software must be trustworthy, reliable and secure, able to generate trustable and reproducible results. The main objective of the secure software engineer is to integrate security throughout the software development process.
Business perspectives for software engineering :
From a business view, well-structured secure software may require an immense initial outlay of capital,
but in the long run it saves the organization money by preventing incredibly costly breaches as well as costly patches and security-related updates every time a new malware or vulnerability is discovered.
Secure Software Engineering Training :
Tonex presents Introduction To Secure Software Engineering Training,
This is a 2-day course that helps participants understand a wide range of software engineering topics, such as software engineering steps and metrics, and real-time, distributed, structured and object-oriented software.
Other Relevant courses include:
—Software Security Training:
A 2-day course that presents a variety of topics in software security such as secure programming techniques, web security, risk management techniques.
—Software Testing Training:
A 2-day course that focuses on powerful tools and techniques to reduce software defects and improve quality.
All the courses are recommended for :
Software developers,
Software engineers,
System engineers,
Test engineers,
Project managers,
Testing, verification project managers
Validation and configuration project managers.
Request more information. Visit tonex.com for software engineering courses and workshop detail.
Software engineering, Secure software engineering training
https://www.tonex.com/secure-software-engineering-training/
Embedded software engineering has become a much bigger and more complex domain than we could have imagined. As devices are expected to communicate with other devices and embedded subsystems, a much larger surface area has emerged for defects that threaten the safety, security, and reliability of the software. For example, the connected car not only introduces software safety and security concerns within the car as a system; interactions with environmental components, such as communicating with 'smart traffic lights' and vehicle-to-vehicle communication, potentially expose additional risk. Additionally, as car makers develop and merge functionality into 'the autopilot' mode, driver-assist technologies have become safety-critical technologies.
Embedded software organizations have always taken a 'shift-left' approach to software quality, rigorously applying defect prevention techniques early in the lifecycle. The demand for IoT requires a new testing paradigm that more closely resembles the challenges that Enterprise IT have faced for decades. As enterprise IT struggles to 'shift-left', embedded systems are struggling to 'shift-right' by testing more componentized and distributed architectures.
Applying formal methods to existing software by B. Monate (Mahaut Gouhier)
"Applying formal methods to existing software: what can you expect?" Talk by Benjamin Monate, Co-founder and CTO of TrustInSoft, at the 2018 Sound Static Analysis for Security Workshop, at NIST, USA, on June 27th.
This work has been supported by the Core Infrastructure Initiative of the Linux foundation.
Learn more about TrustInSoft
https://trust-in-soft.com/
Learn what formal methods are and how they make developing bug-free, impenetrable source code a possibility in this webinar by TrustInSoft, the leading provider of formal methods-based code analysis tools.
Towards 0-bug software in the automotive industry (Ashley Zupkus)
What are the software safety and security standards that software developers in the automotive industry need to meet? How can safe, secure code be developed in accordance with the industry norms like ISO 26262, ISO 21434, and SOTIF? Experts specialized in the automotive industry will answer all your questions in this webinar dedicated to automotive software safety and security.
1. Latest safety and security standards for automotive software (ISO 26262, ISO 21434, and SOTIF) and how they impact software developers' work - Amin Amini, CertX
2. How to implement coding best practices to ensure the highest levels of safety & security in software in autonomous vehicles - Arnaud Telinge, EasyMile
3. How can code analysis tools be leveraged to help reach ISO 26262 and ISO 21434 demands more efficiently - Fabrice Derepas, TrustInSoft
A talk about application security in an agile world: how security can be integrated into agile development, and how DevSecOps can be leveraged to achieve security at scale and at speed.
Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products.
During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.
DevSecOps - It can change your life (cycle) (Qualitest)
QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scan, enabling significant shift left of issues detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this slide is for you.
For more information, please visit www.QualiTestGroup.com
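The "automated code scan" in the abstract above, and the "context for fast triage and remediation" promised in the earlier Agile security-testing webinar, both come down to the same mechanic: scan what a change introduces, report it with file and line context, and fail the build before merge. The following is an added example and not QualiTest's, New Relic's or any vendor's tooling. It scans only the added lines of a unified diff with a few assumed starter rules (a real pipeline would delegate to a dedicated secret and SAST scanner); the diff, the file names and the values in it are constructed for the example, and the AWS key is Amazon's documented example access key id.

```python
"""Added example (not QualiTest's or New Relic's tooling): a minimal
pre-merge security gate that scans only the lines a change adds, so the
build fails on new issues with file:line context for fast triage."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed unified diff standing in for `git diff origin/main...HEAD`.
# Values are deliberately fake; the AWS key is Amazon's documented example id.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,1 +10,4 @@
-conn = connect(dsn)
+DB_PASSWORD = "Sup3rS3cret!"
+conn = connect(dsn, password=DB_PASSWORD)
+cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -3,1 +3,2 @@
 import hashlib
+digest = hashlib.md5(data).hexdigest()
"""

# (rule id, severity, pattern). Assumed starter rules, not a complete ruleset;
# a real pipeline delegates to a dedicated secret/SAST scanner.
RULES: list[tuple[str, str, re.Pattern[str]]] = [
    ("hardcoded-password", "high",
     re.compile(r"""(?i)(password|passwd|secret|token|api_?key)\s*=\s*["'][^"']{6,}["']""")),
    ("aws-access-key-id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("sql-string-format", "high",
     re.compile(r"""\.execute\(\s*(?:f["']|(?:"[^"]*"|'[^']*')\s*(?:%|\+|\.format\())""")),
    ("weak-hash", "medium", re.compile(r"\bhashlib\.(?:md5|sha1)\(")),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    snippet: str


def added_lines(diff: str):
    """Yield (path, new_line_number, text) for every '+' line in the diff."""
    path, new_line = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith(("--- ", "diff --git", "\\")):
            continue  # file headers and "\ No newline" markers carry no code
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))  # numbering restarts at each hunk
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1  # context line: present in the new file too
        # removed ('-') lines do not exist in the new file: no increment


def scan(diff: str) -> list[Finding]:
    """Run every rule over each added line; one finding per (line, rule)."""
    findings: list[Finding] = []
    for path, line, text in added_lines(diff):
        for rule, severity, pattern in RULES:
            if pattern.search(text):
                findings.append(Finding(path, line, rule, severity, text.strip()))
    return findings


def gate(diff: str, fail_on: tuple[str, ...] = ("high",)) -> bool:
    """True when the change may merge; False if any finding is at a blocking severity."""
    return not any(f.severity in fail_on for f in scan(diff))


def main() -> int:
    for f in scan(SAMPLE_DIFF):
        # path:line: first, so editors and CI annotations can jump straight to it
        print(f"{f.path}:{f.line}: [{f.severity}] {f.rule}: {f.snippet}")
    return 0 if gate(SAMPLE_DIFF) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Scanning added lines only is what makes the gate acceptable to developers: a team inheriting a large codebase is not blocked on every legacy finding, only on the debt a change would add. The line number is taken from the hunk header and advanced only by context and added lines, which is what makes the reported location correct in the new file rather than in the old one.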
This ppt explores the software testing strategy in Software Engineering. It is more useful for the Arts and Science and Engineering students to understand the Software Engineering. It is more useful in their examination time. This ppt is prepared based on their examination point of view.
Tim Mackey is a principal security strategist with the Synopsys Cybersecurity Research Center(CyRC). Within this role, he engages with various technical and business communities to understand how application security is evolving with ever-expanding attack surfaces and increasingly sophisticated threats. He specializes in container security, virtualization, cloud technologies, distributed systems engineering, mission critical engineering, performance monitoring, and large-scale data center operations. Tim takes the lessons learned from these activities and delivers talks globally at conferences like RSA, KubeCon and InfoSec. For more information, please visit www.synopsys.com/software.
How to go from waterfall app dev to secure agile development in 2 weeks (Ulf Mattsson)
Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next.
Join this webinar presentation to learn:
- Why DevOps cannot effectively work in waterfall
- How to use DevOps tools to optimize processes in either development or operations through automation
We will also discuss what is needed to support full DevOps
DevSecOps: security and compliance at the speed of continuous delivery - OWASP (Dag Rowe)
Abstract:
See how an Ottawa company has built a SOC2 Type 2 audited software delivery system with less pain, and more value.
Build security, and compliance into the way software is delivered and operated to
* Make secure development easier
* Provide real customer value
* Avoid security theatre
* Reduce security and audit bottlenecks
Bio:
Dag Rowe is a BA in security and compliance. Passionate about improving systems of work, he is actively involved in the local software community. Dag helps to organize the Agile Ottawa Meetup group, and the Gatineau-Ottawa Agile Tour conference.
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
Enumerating software security design flaws throughout the SSDLC (John M. Willis)
A tool and methodology to enumerate security functional requirements arising in the solution space is described, along with a proof-of-concept tool for use by security architects and security engineers. The tool facilitates use of community-developed security requirements packages, security functional requirements, and a threat model taxonomy including mitigations, and it supports a risk-based decision making process. Tool outputs are used for the change checklist, new test requirements, the system security plan, risk decision documentation, deferred controls, and inherited controls.
Similar to Key Findings from the 2019 State of DevOps Report
Automating IT management with Puppet + ServiceNow (Puppet)
As the leading IT Service Management and IT Operations Management platform in the marketplace, ServiceNow is used by many organizations to address everything from self service IT requests to Change, Incident and Problem Management. The strength of the platform is in the workflows and processes that are built around the shared data model, represented in the CMDB. This provides the ‘single source of truth’ for the organization.
Puppet Enterprise is a leading automation platform focused on the IT Configuration Management and Compliance space. Puppet Enterprise has a unique perspective on the state of systems being managed, constantly being updated and kept accurate as part of the regular Puppet operation. Puppet Enterprise is the automation engine ensuring that the environment stays consistent and in compliance.
In this webinar, we will explore how to maximize the value of both solutions, with Puppet Enterprise automating the actions required to drive a change, and ServiceNow governing the process around that change, from definition to approval. We will introduce and demonstrate several published integration points between the two solutions, in the areas of Self-Service Infrastructure, Enriched Change Management and Automated Incident Registration.
Simplified Patch Management with Puppet - Oct. 2020 (Puppet)
Does your company struggle with patching systems? If so, you’re not alone — most organizations have attempted to solve this issue by cobbling together multiple tools, processes, and different teams, which can make an already complicated issue worse.
Puppet helps keep hosts healthy, secure and compliant by replacing time-consuming and error prone patching processes with Puppet’s automated patching solution.
Join this webinar to learn how to do the following with Puppet:
Eliminate manual patching processes with pre-built patching automation for Windows and Linux systems.
Gain visibility into patching status across your estate regardless of OS with new patching solution from the PE console.
Ensure your systems are compliant and patched in a healthy state
How Puppet Enterprise makes patch management easy across your Windows and Linux operating systems.
Presented by: Margaret Lee, Product Manager, Puppet, and Ajay Sridhar, Sr. Sales Engineer, Puppet.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
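The abstract above does not list the steps, so the following is an added example rather than the speaker's material: a small static check over Pod manifests that encodes an assumed workload-hardening baseline (digest-pinned image, no host namespaces, no privileged containers, no privilege escalation, non-root user, read-only root filesystem, all capabilities dropped, a seccomp profile, resource limits, no auto-mounted service account token, and not the default namespace). The field names are real Pod spec fields; the two manifests are constructed for the example, one as a managed cluster would admit it by default and one with the controls applied.

```python
"""Added example (not from the talk): static hardening checks over
Kubernetes Pod manifests, run against a weak and a hardened sample."""
from __future__ import annotations

from typing import Any

Manifest = dict[str, Any]

# Constructed sample: a Pod any managed cluster will admit by default but
# that violates the assumed hardening baseline on almost every control.
WEAK_POD: Manifest = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {
                "name": "api",
                "image": "example.invalid/api:latest",
                "securityContext": {"privileged": True},
            }
        ],
    },
}

# The same workload with the controls applied (constructed sample; the
# digest is a placeholder, not a real image).
HARDENED_POD: Manifest = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "api",
                "image": "example.invalid/api@sha256:" + "0" * 64,
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            }
        ],
    },
}

SECCOMP_OK = ("RuntimeDefault", "Localhost")


def _image_is_pinned(image: str) -> bool:
    """True only for digest-pinned references (name@sha256:<64 hex chars>)."""
    if "@sha256:" not in image:
        return False
    digest = image.rsplit("@sha256:", 1)[1]
    return len(digest) == 64 and all(c in "0123456789abcdef" for c in digest)


def check_pod(manifest: Manifest) -> list[str]:
    """Return one finding per violated control; an empty list means clean."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("metadata.namespace: workload lands in 'default'; use a dedicated namespace with RBAC and NetworkPolicy scoped to it")
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"spec.{key}: true shares the node's namespace with the pod")
    if spec.get("automountServiceAccountToken", True):  # Kubernetes default is true
        findings.append("spec.automountServiceAccountToken: unset/true mounts an API token into every container; set false unless the pod talks to the API server")
    pod_sc = spec.get("securityContext", {})
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type") in SECCOMP_OK

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if not _image_is_pinned(c.get("image", "")):
            findings.append(f"{name}.image: not pinned by digest; a mutable tag lets the image change underneath you")
        if sc.get("privileged"):
            findings.append(f"{name}.securityContext.privileged: true is effectively root on the node")
        if sc.get("allowPrivilegeEscalation", True):  # unset defaults to allowed
            findings.append(f"{name}.securityContext.allowPrivilegeEscalation: must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}.securityContext.runAsNonRoot: not set at container or pod level")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}.securityContext.readOnlyRootFilesystem: should be true; mount an emptyDir for scratch space")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}.securityContext.capabilities.drop: must include ALL")
        if not (sc.get("seccompProfile", {}).get("type") in SECCOMP_OK or pod_seccomp):
            findings.append(f"{name}: no seccomp profile at container or pod level")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}.resources.limits: missing; a runaway container can starve the node")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = check_pod(pod)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

In a real cluster these checks are enforced at admission (Pod Security Admission's restricted profile covers most of the per-container ones), and a check like this belongs in CI so manifests fail before they ever reach the API server. Pod-level settings such as runAsNonRoot and seccompProfile are honoured for every container unless a container overrides them, which is why the checker accepts either level.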
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
5. Cost of fixing defects by delivery phase
Source: IBM System Science Institute
6. Security is not a priority
• 88% growth in application vulnerabilities over two years
• 78% of vulnerabilities are found in indirect dependencies
• 37% of open source developers don't implement any sort of security testing during CI and 54% of developers don't do any Docker image security testing
• Median of 2 years from when a vulnerability was added to an open source package until it was fixed
https://snyk.io/opensourcesecurity-2019/
7. Levels of security integration
During which of the following phases of your software delivery cycle is security involved?
Software delivery phases
• Requirements
• Design
• Building
• Testing
• Deployment
Levels of security integration
• Level 1 - No integration in any phases
• Level 2 - Minimal integration (1 of 5 phases)
• Level 3 - Selective integration (2 of 5 phases)
• Level 4 - Significant integration (3 or 4 of 5 phases)
• Level 5 - Full integration (all phases)
% of respondents at each level of security integration
10. Security integration and confidence in security posture
Respondents feel their organization's security processes and policies significantly improve their security posture.
11. Top 5 practices that improve confidence in security posture
Practices that span multiple teams and promote collaboration are most impactful
• Security and development teams collaborate on threat models.
• Security tools are integrated in the development integration pipeline.
• Security requirements are prioritized as part of the product backlog.
• Infrastructure-related security policies are reviewed before deployment.
• Security experts evaluate automated tests.
12. Security practices and their effects on security posture
Frequent use / lower importance
• Domain specific tests
• Penetration testing
• Infrastructure provisioned / configured automatically using security-approved procedures
• Dependency checkers
• Static code analysis
• Security requirements tested as design constraint
Infrequent use / lower importance
• Developers can provision security hardened infrastructure stack on demand
• Security review occurs after new application code released to production
• Security personnel review / approve minor code changes before deployment
Frequent use / higher importance
• Infrastructure-related security policies tested/reviewed before deployment
• Security requirements prioritized as part of product backlog
Infrequent use / higher importance
• Security and dev teams collaborate on threat models
• Security tools integrated into the dev ecosystem so developers can implement security features during development phase
• Security experts evaluate automated tests
• Security personnel review/approve major code changes before deployment
Hi, I’m Alanna Brown, Sr. Director of community and developer relations at Puppet. I started something called the State of DevOps Report back in 2012 before anyone really knew what DevOps was or what it would become. Like many of you, I thought DevOps would be dead in a year.
And here we are today, still talking about DevOps. In fact, I’ve spent the past eight years, surveying over 33,000 technical professionals from around the world, and working with the larger DevOps community and Puppet customers to understand how organizations adopt and scale DevOps practices and the outcomes they’re seeing.
In just a few hours, we’re releasing our 2019 State of DevOps Report.
This year’s report focuses on one of the most challenging aspects of DevOps: integrating security practices into the software delivery lifecycle.
Security is often seen as a necessary evil, but it doesn’t have to be that way.
This year’s research shows us that integrating security early and often delivers results even if the path to get there isn’t straightforward.
Intro slide - Welcome to the topic; introduce context; what we decided to focus on; introduce ourselves, what we found interesting
Testing in production / driving down costs
Tech advancements; microservices, containers; cheaper to fix in microservice vs. monolith
Why? What do you see about landscape?
Mike - doesn't matter;
Org issues / feature development
How do we solve this problem?
We’ve seen successful patterns emerge from DevOps that have enabled organizations to build quality and deployability into the software delivery life cycle.
There are also organizations out there having success baking security in from the start.
We wanted to know if integrating security throughout the software delivery life cycle actually delivers positive outcomes.
I’ll be referring to “levels of security integration” throughout this presentation. The way we defined those levels was by asking people to select all the phases where security is involved.
We then broke those answers out into five levels:
Level 1 - No integration of security in any of the phases
Level 2 - Minimal integration (one of five phases)
Level 3 - Selective integration (two of five phases)
Level 4 - Significant integration (three or four of five phases)
Level 5 - Full integration (all phases)
60% of firms include security in two or fewer phases of their software delivery cycle. So most organizations aren’t at a very high level of integration.
Combine 2 slides
Nigel ask Andi about bell curves -
Roundtable
Yeah, I know, some of you are like “Obvious. Move on.” But most research exists just to prove what we all already know.
If you’ve already started on your DevOps journey, good news, you are building the capabilities that will enable you to deliver software more securely.
Use of version control and continuous integration, automated testing and automated deployment provide an amazing foundation to build other capabilities. It makes it so that making a security-related change is the same as making any other change.
Last year, we discovered that at the highest levels of DevOps evolution, security policies and incident response are highly automated and security teams were involved early in technology design and development.
We wanted to know if this works the other way around.
As you can see from this trendline, the more integrated security becomes the more likely a firm will also be at a high stage of DevOps evolution.
22 percent of firms at the highest level of security integration are also at an advanced stage of DevOps evolution.
We found that as security become more integrated, confidence in security posture improves.
Does confidence equate to actual security
81% of respondents at firms with high integration felt that their security policies and practices significantly improve their security posture. Compare this with respondents at firms with no security integration — just 38 percent had that level of confidence.
Now that doesn’t necessarily mean that they actually are more secure. What’s more important here is the shift in mindset.
When there’s no integration, there’s usually a lack of understanding of the work involved in security and a lot of cynicism.
But when teams are fully integrated, there’s a shared understanding and people feel like the things they’re being asked to do really do matter, which makes them more likely to actually do them.
If you were to guess what the most impactful practices are for improving confidence in security posture, what would they be?
What does it mean to actually collaborate across teams
How do you make this happen? How do you get people to collaborate on threat model: how do you get VP engaged? Inviting security expert on scrum, having them sign off on release?
Practical and actionable
Anecdotes; anti-patterns; if you don't do this what blows up;
What works, what doesn't work;
We threw in a bunch of practices and I thought for sure that the more tactical practices, like testing would be at the top of the list.
My fellow authors and I were delighted to find that the practices that require strong collaboration and sharing amongst teams were actually the top confidence-builders.
The top five practices that improve security posture are:
Security and development teams collaborate on threat models.
Security tools are integrated in the development integration pipeline so engineers can be confident they’re not inadvertently introducing known security problems into their codebases.
Security requirements — both functional and non-functional — are prioritized as part of the product backlog.
Infrastructure-related security policies are reviewed before deployment.
Security experts evaluate automated tests, and are called upon to review changes in high-risk areas of the code (such as authentication systems, cryptography, etc.).
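As an added illustration of the pipeline-integration practice in this list (not code from the report, from Puppet, or from any scanner it cites), here is a minimal dependency checker of the kind a CI gate runs: it walks a constructed lockfile-style dependency graph, matches installed versions against a constructed advisory list, separates direct from indirect (transitive) hits, the class that slide 6 says accounts for most vulnerabilities, and names the direct dependency whose upgrade removes each one. All package names, versions and advisory ids are made up.

```python
"""Toy dependency checker for a CI gate (constructed example)."""
from collections import deque

# Constructed lockfile-style graph: package -> (installed version, [deps]).
# "app" is the root; its dependencies are the project's direct dependencies.
LOCKFILE = {
    "app":             ("1.0.0", ["web-framework", "json-parser"]),
    "web-framework":   ("2.3.1", ["http-utils", "template-engine"]),
    "json-parser":     ("0.9.0", []),
    "http-utils":      ("1.1.0", ["url-normalizer"]),
    "template-engine": ("4.0.2", []),
    "url-normalizer":  ("0.2.7", []),
}

# Constructed advisory feed: (package, vulnerable version, advisory id).
ADVISORIES = [
    ("url-normalizer", "0.2.7", "ADV-EXAMPLE-001"),
    ("json-parser",    "0.9.0", "ADV-EXAMPLE-002"),
]


def find_vulnerable(lockfile, advisories, root="app"):
    """Return one finding per reachable vulnerable package.

    Each finding records whether the package is a direct dependency, the
    shortest dependency chain from the root that introduces it, and the
    direct dependency to upgrade ("fix_at") to get rid of a transitive hit.
    """
    # Breadth-first walk from the root, remembering each package's first
    # parent; the first discovery gives the shortest chain.
    parent = {root: None}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in lockfile[pkg][1]:
            if dep not in parent:
                parent[dep] = pkg
                queue.append(dep)
    findings = []
    for name, version, adv in advisories:
        if name not in parent or lockfile[name][0] != version:
            continue  # not installed, or an unaffected version
        chain, node = [], name
        while node is not None:  # rebuild root -> ... -> vulnerable package
            chain.append(node)
            node = parent[node]
        chain.reverse()
        findings.append({"advisory": adv, "package": f"{name}@{version}",
                         "direct": parent[name] == root,
                         "chain": chain, "fix_at": chain[1]})
    return findings


def ci_gate(findings):
    """Pipeline exit status: non-zero if any vulnerable package is reachable."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = find_vulnerable(LOCKFILE, ADVISORIES)
    for f in results:
        kind = "direct" if f["direct"] else "indirect"
        print(f"{f['advisory']}: {f['package']} ({kind}) via "
              f"{' -> '.join(f['chain'])}; upgrade {f['fix_at']}")
    raise SystemExit(ci_gate(results))
```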
Make a list of things -
We mapped all of the practices on a quadrant. The x axis represents the importance of the practice as it relates to improving confidence in security posture and the y axis represents the frequency of these practices.
The practices on the left are tablestakes. Those are the things you should be doing anyway.
The practices on the right are where you should be focusing your effort. Again, these practices require deep collaboration and happen early in the development cycle. It's not just about shifting security checks left, it's about fundamentally changing the way everyone works earlier in the pipeline.
Our recommendation is to start focusing on the practices in the bottom right quadrant because those are the ones that are infrequently used but are incredibly important to improving confidence in security posture.
Ok, so this is all great feel good stuff, but you might be wondering if any of this actually has an impact on business outcomes?
Just because you can doesn't mean you should, but being able to makes you agile in good ways;
Question: deployment frequency bullshit vanity metric discuss?
Goes up then goes down then goes up again; pain is real; gets worse before it gets better;
Best thing you can do is not try and then not fail
This year, we asked two questions about deployment frequency. How often can you deploy versus how often do you deploy. We know of enough organizations now that can deploy more frequently than the business or their customers require. This is a far cry from a few years ago when everyone was obsessed with improving their deployment frequency. I actually think it’s a huge measure of success for a DevOps initiative if you can now deploy so frequently that your marketing team asks you to slow down because they can’t keep up.
If you focus on this teal green bar here to the left, this is the percentage of respondents at each level of integration that are able to deploy on demand. Firms at the highest level of security integration are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration — 61 percent of highly integrated organizations are able to deploy on demand compared to 49 percent of organizations with no integration.
Doing remediation is good; doing it well is hard;
Doing more security, finding more problems
Unpack level 1 - no integration - same team that does everything; just ops work; small org so can move quickly; security team just process security people and you handle all the other stuff;
45 have rigor in process
A couple of interesting things to point out here.
First only 7% of total respondents are able to remediate a critical vulnerability in less than one hour. The majority of respondents are able to remediate in less than a week.
The main takeaway for me is that it’s really hard to actually reduce the time it takes to remediate vulnerabilities because there are too many factors involved, too many stakeholders, handoffs and approvals.
The differences you see here between each of the levels are statistically significant, but they’re not as dramatic as we’d like. But still, any reduction is a good thing because that does reduce your company's risk and exposure.
Low severity different from other results: two of the most clustered; lowest severity and critical ones, why is that? Critical security is blank check to do whatever it takes to get it done; med and high interesting and prove processes work; drop everything and fix everything is simple;
Gap between level 1 and level 5; hard to do
Now imagine with me for a minute that you were asked to choose between making a security improvement or delivering a critical new feature that your customers have been asking for and will help you make your quarterly number. Which one would you choose?
We asked a series of questions like this and found that firms with deeper security integration were more likely to prioritize security improvements over feature delivery.
So far, I’ve painted a rosy picture, but the reality is that integrating security is messy work, especially in the early stages.
When you’re just starting you don’t know what you don’t know. As you dig deeper though, it can feel a bit like opening Pandora’s box. All of the duct tape and glue that’s been holding everything together is suddenly laid bare before you.
We’ve seen this in past reports, too. It’s called the j-curve, which means things start out well because you’re seeing quick wins and then they take a turn for the worse before they get better again.
Crossing org boundaries
We asked if security teams encounter friction when collaborating with delivery teams. Friction is higher in the middle and it never really goes away, even when teams are fully integrated. When we compared those in security roles vs. non-security roles, we found that friction was even higher for security teams in the middle stages.
Understanding that DevOps is fundamentally about cultural change, it’s imperative to remember that different teams will experience this change differently.
Mike rant
Increasing security integration also doesn't reduce the number of issues that require immediate correction that arise from audits. The path is hardest at levels 2 and 3. We looked at the number of audits firms were performing at each level and it turns out that at higher levels of integration, firms are actually doing more audits per year, since oftentimes audits are elective and you can select the degree of difficulty for some audits.
Add devopssurvey.@puppet.com