DevSecCon London 2018: A Journey to Continuous Cloud Compliance
•
1 like•252 views
PAUL SCHWARZENBERGER Access keys in GitHub, open security group rules, misconfigured Identity and Access Management roles, private SSL certificate keys kept in code repositories and open S3 buckets. Just some of the security issues which led to a journey towards automated compliance solutions for cloud infrastructure and applications. Paul describes a framework for Continuous Cloud Compliance, and demonstrates some of the techniques and tools he has used while working on cloud migration projects and operational cloud applications for both public and private sector organisations.
Report
Share
Report
Share
Download to read offline
Recommended
DevSecCon London 2018: Is your supply chain your achille's heel
COLIN DOMONEY
The advent of DevOps and large scale automation of software construction and delivery has elevated the software supply chain – and its underpinning delivery pipeline – to mission critical status in any modern enterprise. The increased velocity of modern pipelines and the removal of manual checks and balances has meant that modern pipelines are potential single points of failure in the delivery of secure software.
Automotive and consumer electronics industries have long understood the need for both provenance (understanding the origin of materials) and veracity (ensuring the integrity of their manufacturing processes) in their supply chains; this presentation will address threats to software supply chains and practical approaches to reducing the fragility of your supply chain. Several examples of software supply chain failures will be presented and deconstructed to understand the typical failure modes.
At the most elementary level many pipelines are poorly constructed with low levels of repeatability and poor test coverage, in other organisations there is a lack of governance over the supply chain allowing careless or willingly negligent actors to subvert or bypass controls or testing within the pipeline. There is also no standard mechanism to ensure a ‘chain of custody’ within a pipeline due to a lack common interchange format between tools, or a standard manner to represent the steps within a pipeline build process.
This presentation will cover approaches (using ‘people and process’) in enforcing governance within a supply chain by describing best practices used in large-scale AppSec programmes. Several emerging technology initiatives will be presented: Google’s Grafeas is a means to ensure vulnerability information is represented in a uniform manner across all steps of a pipeline process, while In-Toto is a project to formally enforce the integrity of a pipeline process. A reference secure pipeline will be presented demonstrating both tools working in symphony, along with standard open source and commercial AppSec tools.
Finally the pipeline itself may become the Achille’s Heel in an organisation – many pipelines are not sufficiently hardened and are themselves open to attack by use of vulnerable components and their extensible nature, often along with very wide open permissions. Guidance will be given on hardening of typical pipelines, and a fully secured ephemeral Jenkins pipeline will be demonstrated.
Benefits of this Session: The attendee will gain an increased awareness of the pivotal importance of the software supply chain, and gain an understanding of some common failure modes and weaknesses. Most importantly the attendee will come away with practical guidance on enforcing higher levels of governance on their supply chain without reducing delivery velocity, as well as how to harden the pipeline infrastructure itself.
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
ERNESTO BETHENCOURT
At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions.
DevSecCon London 2018: Whatever happened to attack aware applications?
MATTHEW PENDLEBURY
Today’s security detection and response capabilities are usually focused on endpoints and network devices. Applications are often considered a distant cousin, more of a potential liability whose logs should be ingested into remote monitoring solutions such as SIEMs. Projects such as OWASP AppSensor however have loads of promise, putting the application back at the heart of attack detection and response, plus offering a really exciting opportunity to development teams. But these ideas have been around for more than 10 years, and AppSensor itself is getting close to this age, yet they still aren’t commonplace, why might this be? An attack aware application is one that can detect and report suspected malicious events, evaluate a series of events and take action if it suspects that series of events, that when considered together are malicious in nature. Examples of events may be a high number of login attempts over a period, a forceful browsing attempt or an obvious XSS string. Many of these events are routinely intercepted today by inline security appliances such as a Web Application Firewall (WAF). However, suspicious events may also be a lot more contextual to the application such as a change to a parameter that should not be changed. This context may not be available to an external device such as a WAF but it is to the application and this leads to the ability to generate very high-fidelity security alerting and opens the possibility of the application itself making pragmatic defensive choices.
Machine Learning at E*Trade
The Elastic Stack has been integral to the growth of E*Trade’s real-time operational intelligence pipeline. Hear their journey to adopting Elastic machine learning features and see firsthand how they’re using them to identify anomalies using full-text aggregations and performance data.
#MondayMoney - Public sector procurement for digital SMEs
Talk given by Chris Farthing of Advice Cloud for TechResort's #MondayMoney business development series
Finodex - Resuls 1st and 2nd call
Explanation of FINODEX accelerator. Results of the first and second call.
IoT MQTT Projects For Research Students
MAJOR RESEARCH TOPICS ON IOT MQTT
DISTINCT TYPE OF DEVELOPMENT TOOLS IN MQTT
RECENT RESEARCH IDEAS IN IOT MQTT
The Case for Disaggregation of Compute in the Data Center
Maximizing Data Center Performance in Financial Services.
Andrew Bach, Chief Architect for Financial Services, Juniper Networks.
Recommended
DevSecCon London 2018: Is your supply chain your achille's heel
COLIN DOMONEY
The advent of DevOps and large scale automation of software construction and delivery has elevated the software supply chain – and its underpinning delivery pipeline – to mission critical status in any modern enterprise. The increased velocity of modern pipelines and the removal of manual checks and balances has meant that modern pipelines are potential single points of failure in the delivery of secure software.
Automotive and consumer electronics industries have long understood the need for both provenance (understanding the origin of materials) and veracity (ensuring the integrity of their manufacturing processes) in their supply chains; this presentation will address threats to software supply chains and practical approaches to reducing the fragility of your supply chain. Several examples of software supply chain failures will be presented and deconstructed to understand the typical failure modes.
At the most elementary level many pipelines are poorly constructed with low levels of repeatability and poor test coverage, in other organisations there is a lack of governance over the supply chain allowing careless or willingly negligent actors to subvert or bypass controls or testing within the pipeline. There is also no standard mechanism to ensure a ‘chain of custody’ within a pipeline due to a lack common interchange format between tools, or a standard manner to represent the steps within a pipeline build process.
This presentation will cover approaches (using ‘people and process’) in enforcing governance within a supply chain by describing best practices used in large-scale AppSec programmes. Several emerging technology initiatives will be presented: Google’s Grafeas is a means to ensure vulnerability information is represented in a uniform manner across all steps of a pipeline process, while In-Toto is a project to formally enforce the integrity of a pipeline process. A reference secure pipeline will be presented demonstrating both tools working in symphony, along with standard open source and commercial AppSec tools.
Finally the pipeline itself may become the Achille’s Heel in an organisation – many pipelines are not sufficiently hardened and are themselves open to attack by use of vulnerable components and their extensible nature, often along with very wide open permissions. Guidance will be given on hardening of typical pipelines, and a fully secured ephemeral Jenkins pipeline will be demonstrated.
Benefits of this Session: The attendee will gain an increased awareness of the pivotal importance of the software supply chain, and gain an understanding of some common failure modes and weaknesses. Most importantly the attendee will come away with practical guidance on enforcing higher levels of governance on their supply chain without reducing delivery velocity, as well as how to harden the pipeline infrastructure itself.
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
ERNESTO BETHENCOURT
At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions.
DevSecCon London 2018: Whatever happened to attack aware applications?
MATTHEW PENDLEBURY
Today’s security detection and response capabilities are usually focused on endpoints and network devices. Applications are often considered a distant cousin, more of a potential liability whose logs should be ingested into remote monitoring solutions such as SIEMs. Projects such as OWASP AppSensor however have loads of promise, putting the application back at the heart of attack detection and response, plus offering a really exciting opportunity to development teams. But these ideas have been around for more than 10 years, and AppSensor itself is getting close to this age, yet they still aren’t commonplace, why might this be? An attack aware application is one that can detect and report suspected malicious events, evaluate a series of events and take action if it suspects that series of events, that when considered together are malicious in nature. Examples of events may be a high number of login attempts over a period, a forceful browsing attempt or an obvious XSS string. Many of these events are routinely intercepted today by inline security appliances such as a Web Application Firewall (WAF). However, suspicious events may also be a lot more contextual to the application such as a change to a parameter that should not be changed. This context may not be available to an external device such as a WAF but it is to the application and this leads to the ability to generate very high-fidelity security alerting and opens the possibility of the application itself making pragmatic defensive choices.
Machine Learning at E*Trade
The Elastic Stack has been integral to the growth of E*Trade’s real-time operational intelligence pipeline. Hear their journey to adopting Elastic machine learning features and see firsthand how they’re using them to identify anomalies using full-text aggregations and performance data.
#MondayMoney - Public sector procurement for digital SMEs
Talk given by Chris Farthing of Advice Cloud for TechResort's #MondayMoney business development series
Finodex - Resuls 1st and 2nd call
Explanation of FINODEX accelerator. Results of the first and second call.
IoT MQTT Projects For Research Students
MAJOR RESEARCH TOPICS ON IOT MQTT
DISTINCT TYPE OF DEVELOPMENT TOOLS IN MQTT
RECENT RESEARCH IDEAS IN IOT MQTT
The Case for Disaggregation of Compute in the Data Center
Maximizing Data Center Performance in Financial Services.
Andrew Bach, Chief Architect for Financial Services, Juniper Networks.
Products and Services - Bitdharma
We aim to aid everyone to achieve financial freedom by delivering an ecosystem of tools for the simple use of blockchain technology
Practical Applications of Blockchain Technology in the Certification Industry
Georg Karner – Intact GmbH
BIOFACH Congress 2019, Nuremberg
February 14, 2019
Open source industrial IoT
Athens IoT meetup #7 - AI, Bots and DevOps - May 2018
How to setup a powerful industrial IoT solution for a typical energy monitoring use-case, built on open source technologies. Architecture approaches and challenges.
Eclipse Kura / Kapua / Hawkbit, Thingsboard.io, AgileIoT, Resin.io, NodeRED, OpenHAB, RPi, ESP8266/32, Modbus, MQTT
https://www.meetup.com/Athens-IoT-Meetup/events/250458102/
Archangel: trusted archives of digital public records
The National Archives has collaborated with the University of Surrey and the Open Data institute on the ARCHANGEL Project to research the potential of blockchain technology to underscore trust in digital records.
Presentation given at CILIP Blockchain Briefing 2020, 27 February 2020
RIPE Atlas - A Measurement Network
Presentation given by Christian Teuschel at Cisco IoT Symposium, Paris, France on 7 March 2016.
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart CitiesSouth Tyrol Free Software Conference
The development of advanced services that are the promise of smart cities are based on a connected infrastructure, devices (e.g., cars, IoT devices, etc.), and software systems. Therefore, the exchange of data among such components is a prerequisite that is based on the definition of common protocols and data formats that needs to be open to assure the availability in the long run. However, too many protocols and formats can create confusion and fragmentation that can produce the opposite effect making difficult the creation of a uniform architecture.
This talk will explore the main protocols and data formats used in the context of the smart cities identifying the main characteristics and the overlaps.ThingStudio_persys17
Presentation of ThingStudio for the course of PervasiveSystem 2017 Sapienza university of Rome
LinkedIn: https://www.linkedin.com/in/alessio-tirabasso-44a023140/
GitHub: https://github.com/alessiotirabasso
AI-Driven Fraud Detection
Discover in this webcast how AI-based solutions mitigate fraud, reduce losses, and help businesses remain competitive.
In this webcast you will learn:
- The main digital tools to mitigate fraud.
- Rule-based tools can be augmented by Machine Learning. How does this work? What are the advantages?
- Insights on how to implement ML-driven fraud monitoring solution.
- The challenges when working with AI-Based Fraud Management solutions.
Discover the Webcast: https://bit.ly/359lsu9
FIWARE Global Summit - Welcome & Opening Remarks
Presentation by Ulrich Ahle
CEO, FIWARE Foundation
FIWARE Global Summit
27-28 November 2018
Malaga, Spain
Realtime traffic monitoring
With CCTV we can monitored traffic in road. So maybe next time we could do another thing with data.
Bekraf Developer Day
Dicoding
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Dominig ar Foll, Intel
Always-On Web of Things Infrastructure Dynamic Software Updating
We report on our experiences with updating the moquette MQTT message broker[1,2] live/hot/at-runtime using our Dynamic Software Updating system Lusagent.
[1] https://github.com/teco-kit/moquette-lusagent
[2] https://github.com/teco-kit/moquette-lusagent-updatecode
ICT 2018 Smart Parking (University of Murcia, OdinS)
Presentation of the Smart Parking demonstrator presented during the ICT event 2018 in Vienna
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
Presentation by Ernö Kovacs
IoT Platform Research Group (IoT), NEC Laboratories Europe GmbH
FIWARE Global Summit
21-22 May 2019 - Genoa, Italy
Monitoring with Elastic Machine Learning at Sky
Learn how Sky leveraged the power of Elastic’s machine learning feature to process over seven billion documents and help discover trends, learn from real-time data, and generate alerts when anomalies occur.
See the video: https://www.elastic.co/elasticon/tour/2019/london/monitoring-with-elastic-machine-learning-at-sky
OSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi Community Event 2015
Why do IoT gateways have to be so difficult? Currently the fragmentation, complexity, and potential lock-in of the gateway make picking an IoT gateway solution appear difficult. Add to that developer integration challenges and the gateway picture seems overly complex. Enter OSGi to simplify the development and deployment of the IoT Gateway.</p>
Built on OSGi, Eclipse Kura provides an open platform for developing and deploying IoT gateways. Combining live demonstrations on the Raspberry Pi and Eurotech Reliagate with real world Eurotech use cases, this talk will provide an overview of Kura demonstrating how it leverages OSGi to simplify IoT gateway solutions.
FIWARE Global Summit - Identity Management and Access Control
Presentation by Joaquin Salvachúa (Professor, UPM) & Álvaro Alonso (Professor, UPM)
FIWARE Global Summit
21-22 May 2019 - Genoa, Italy
IoT Key Elements
IoT Key Elements demonstrated on Homie framework
Presented in IoT Bratislava meeting
Recorded session (in Slovak): https://www.youtube.com/watch?v=ov4M9oxFLxI
I can haz cake: Benefits of working with MITRE on ATT&CK
From ATT&CKcon 4.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how the linux-malware repo came to take shape and how we've used it to inform our view on adversarial behaviour over the last couple of years. Since the original reason for staring this project was to look at Linux coverage in ATT&CK, we'll play back some of the interesting points and reflect on how they've affected ATT&CK itself.
Evolution of Container Security - What's Next?
Talk delivered at BSides Toronto on Sep 29, 2018 on positioning container security in context of application lifecycle, as well as observed trends and upcoming technologies.
More Related Content
What's hot
Products and Services - Bitdharma
We aim to aid everyone to achieve financial freedom by delivering an ecosystem of tools for the simple use of blockchain technology
Practical Applications of Blockchain Technology in the Certification Industry
Georg Karner – Intact GmbH
BIOFACH Congress 2019, Nuremberg
February 14, 2019
Open source industrial IoT
Athens IoT meetup #7 - AI, Bots and DevOps - May 2018
How to setup a powerful industrial IoT solution for a typical energy monitoring use-case, built on open source technologies. Architecture approaches and challenges.
Eclipse Kura / Kapua / Hawkbit, Thingsboard.io, AgileIoT, Resin.io, NodeRED, OpenHAB, RPi, ESP8266/32, Modbus, MQTT
https://www.meetup.com/Athens-IoT-Meetup/events/250458102/
Archangel: trusted archives of digital public records
The National Archives has collaborated with the University of Surrey and the Open Data institute on the ARCHANGEL Project to research the potential of blockchain technology to underscore trust in digital records.
Presentation given at CILIP Blockchain Briefing 2020, 27 February 2020
RIPE Atlas - A Measurement Network
Presentation given by Christian Teuschel at Cisco IoT Symposium, Paris, France on 7 March 2016.
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart CitiesSouth Tyrol Free Software Conference
The development of advanced services that are the promise of smart cities are based on a connected infrastructure, devices (e.g., cars, IoT devices, etc.), and software systems. Therefore, the exchange of data among such components is a prerequisite that is based on the definition of common protocols and data formats that needs to be open to assure the availability in the long run. However, too many protocols and formats can create confusion and fragmentation that can produce the opposite effect making difficult the creation of a uniform architecture.
This talk will explore the main protocols and data formats used in the context of the smart cities identifying the main characteristics and the overlaps.ThingStudio_persys17
Presentation of ThingStudio for the course of PervasiveSystem 2017 Sapienza university of Rome
LinkedIn: https://www.linkedin.com/in/alessio-tirabasso-44a023140/
GitHub: https://github.com/alessiotirabasso
AI-Driven Fraud Detection
Discover in this webcast how AI-based solutions mitigate fraud, reduce losses, and help businesses remain competitive.
In this webcast you will learn:
- The main digital tools to mitigate fraud.
- Rule-based tools can be augmented by Machine Learning. How does this work? What are the advantages?
- Insights on how to implement ML-driven fraud monitoring solution.
- The challenges when working with AI-Based Fraud Management solutions.
Discover the Webcast: https://bit.ly/359lsu9
FIWARE Global Summit - Welcome & Opening Remarks
Presentation by Ulrich Ahle
CEO, FIWARE Foundation
FIWARE Global Summit
27-28 November 2018
Malaga, Spain
Realtime traffic monitoring
With CCTV we can monitored traffic in road. So maybe next time we could do another thing with data.
Bekraf Developer Day
Dicoding
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Dominig ar Foll, Intel
Always-On Web of Things Infrastructure Dynamic Software Updating
We report on our experiences with updating the moquette MQTT message broker[1,2] live/hot/at-runtime using our Dynamic Software Updating system Lusagent.
[1] https://github.com/teco-kit/moquette-lusagent
[2] https://github.com/teco-kit/moquette-lusagent-updatecode
ICT 2018 Smart Parking (University of Murcia, OdinS)
Presentation of the Smart Parking demonstrator presented during the ICT event 2018 in Vienna
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
Presentation by Ernö Kovacs
IoT Platform Research Group (IoT), NEC Laboratories Europe GmbH
FIWARE Global Summit
21-22 May 2019 - Genoa, Italy
Monitoring with Elastic Machine Learning at Sky
Learn how Sky leveraged the power of Elastic’s machine learning feature to process over seven billion documents and help discover trends, learn from real-time data, and generate alerts when anomalies occur.
See the video: https://www.elastic.co/elasticon/tour/2019/london/monitoring-with-elastic-machine-learning-at-sky
OSGi -Simplifying the IoT Gateway - Walt Bowers
OSGi Community Event 2015
Why do IoT gateways have to be so difficult? Currently the fragmentation, complexity, and potential lock-in of the gateway make picking an IoT gateway solution appear difficult. Add to that developer integration challenges and the gateway picture seems overly complex. Enter OSGi to simplify the development and deployment of the IoT Gateway.</p>
Built on OSGi, Eclipse Kura provides an open platform for developing and deploying IoT gateways. Combining live demonstrations on the Raspberry Pi and Eurotech Reliagate with real world Eurotech use cases, this talk will provide an overview of Kura demonstrating how it leverages OSGi to simplify IoT gateway solutions.
FIWARE Global Summit - Identity Management and Access Control
Presentation by Joaquin Salvachúa (Professor, UPM) & Álvaro Alonso (Professor, UPM)
FIWARE Global Summit
21-22 May 2019 - Genoa, Italy
IoT Key Elements
IoT Key Elements demonstrated on Homie framework
Presented in IoT Bratislava meeting
Recorded session (in Slovak): https://www.youtube.com/watch?v=ov4M9oxFLxI
What's hot (20)
Practical Applications of Blockchain Technology in the Certification Industry
Practical Applications of Blockchain Technology in the Certification Industry
Archangel: trusted archives of digital public records
Archangel: trusted archives of digital public records
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
SFScon 2020 - Alberto Sillitti - An Analysis of Open Protocols for Smart Cities
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Always-On Web of Things Infrastructure Dynamic Software Updating
Always-On Web of Things Infrastructure Dynamic Software Updating
ICT 2018 Smart Parking (University of Murcia, OdinS)
ICT 2018 Smart Parking (University of Murcia, OdinS)
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Creating Secured Value Chains for Smart Industries
FIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access Control
Similar to DevSecCon London 2018: A Journey to Continuous Cloud Compliance
I can haz cake: Benefits of working with MITRE on ATT&CK
From ATT&CKcon 4.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how the linux-malware repo came to take shape and how we've used it to inform our view on adversarial behaviour over the last couple of years. Since the original reason for staring this project was to look at Linux coverage in ATT&CK, we'll play back some of the interesting points and reflect on how they've affected ATT&CK itself.
Evolution of Container Security - What's Next?
Talk delivered at BSides Toronto on Sep 29, 2018 on positioning container security in context of application lifecycle, as well as observed trends and upcoming technologies.
Toronto Virtual Meetup #5 - API Security and Threats
Why is API security a big deal? In the last 10 years there has been a substantial increase in API usage. APIs are everywhere, transforming business systems around the world. This rise will continue with the further adoption of IoT devices. As more APIs are created, cybersecurity risks and threats must be considered. Data and privacy breaches are major pain points for business and IT.
Cloud Best Practices
The benefits of Cloud are impacting all industries - but the route to adoption isn't always straight forward.
Once implemented, many organisations find it more difficult to manage than originally expected. There are growing challenges at every stage and knowing what to focus on and how to holistically migrate and optimise cloud systems can save you from what can become a very costly series of learning curves.
This webinar explores how businesses can adopt, migrate and optimise cloud systems within their organisation with a step-by-step roadmap.
Red flags and attention points in cloud security audit, watch the security ga...
In his presentation, Peter will share his insights and experiences on Red flags and attention points in cloud security audit, watch the security gates.
Social connections14: Super charge your API’s with Reactive streams
Super charge your API’s with Reactive streams, learn more about Reactive programming and build your first reactive API with Webflux
The Gib Five - Modern IT Architecture
How should IT architecture look like in the ages of Cloud and Devops? How do the changes and the technological evolution of the last years affect our systems and processes? Why is innovation and digitalization important? What means 'cloud-native', how should I build my solutions? To anwer these questions we will look at the "Big Five": Microservices and Containers, cloud and DevOps and finally BigData, IoT and last-but-not-least artificial intelligence.
Is code review the solution?
In this talk I will present a brief introduction to Code Review, where we will try to understand its value and why it is so hard to implement effectively. I will also present some of the challenges we had at SAPO and how we tried to fix them.
The Art of Container Monitoring
According to service scale, there are hundreds or thousands of running containers in your service. Should we monitor each container by microscope or monitor each microservice by magnifier? This depends which granularity can help us find and solve the problems. In this sharing, I will introduce how to use cAdvisor, Icinga2, InfluxDB and Grafana to build a self-hosted monitoring system. In addition, I also discuss with how to embrace open source and share some practical experiences.
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
This is the PowerPoint presentation held by Luca Mannella during WoRIE'21: 10th Workshop on the Reliability of Intelligent Environments.
The presented paper is entitled: Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer.
Security as an Enabler for the Digital World - CISO Perspective
A successful API strategy requires a strong partnership between the business, IT, and security functions. Rather than as a hindrance, security increasingly is viewed as a business enabler, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity.
Ultimately, a secure API platform enables developers and DevOps to focus on innovation—by improving the mobile user experience and deploying apps in the cloud, with appropriate security controls built-in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services.
Join to learn about:
- The role of the security officer in helping IT and business meet objectives
- How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs.
- Best practices that work for an API centric enterprise
Download podcast: http://bit.ly/1B6h3TR
Exploring DarkWeb For Threat Intelligence (SACON May 2018)
This session includes Information Security - basics & protection of information from threats, Cyber Risks & Threats, Targeted & Non-Targeted Attacks, Attack Life Cycle - Kill Chain, Cyber Threat Intelligence, CTI Jargons, Research Ethics, OSINT, OSINT Using Google, Deep Web Search Engine, Image Search Engines, Using Social Media, Phishing URLs, Mailing Lists, RSS Feeds, Operation Security (OPSEC) - Basics & Best Practices, Tor - The Onion Router, Dark Net Forums, Zero Net, Communication Channels & more
IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...
IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...Conclusion Connect enabling industry 4.0 with IoT
Programma
16.30 Ontvangst
17.00 Robbrecht van Amerongen - Head of IoT, Conclusion Connect
• Welkom en opvallendste zaken van het congres
• Stand van zaken PaaS/SaaS, Digital Twin, Context IoT, Big Data en Machine Learning
• IoT en Security
• IoT-projecten: stand van zaken, opvallende voorbeelden en best practices
• Waar staan de vendors/ platformleveranciers
18.00 Diner
18.45 Gertjan van het Hof - IoT Solutions Architect, Conclusion Connect
• Platformen: Microsoft Azure IoT Reference Architecture en Google Cloud IoT
• CrateDB
• EdgeX Foundry en NetFoundry
• Intel Video processing
• Beacons
• Security Maturity Model
• Industrial Internet Consortium (IIC)
19:45 Pauze
20:00 Henk Jan van Wijk - IoT Solution Engineer, Conclusion Connect
• Microsoft Azure Sphere (connected devices)
• Low Power Connectivity (Thingstream)
• Digital Twin
• Anomaly detection at Intel (predict robots failure)
21.00 Afsluiting en borrel
Monitoring & Securing Microservices in Kubernetes
Application running in containers provide a myriad of choices to the end developer. But how do you provide the necessary services to monitor and secure these applications running in platforms such as Kubernetes. This presentation covers some common sense principles to monitor and secure your Kubernetes based applications.
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
Bart van der Sloot joined FiberRing as Managing Director in April 2014, with the objectives to further grow and enhance the footprint, quality and business of FiberRing’s 2 Tbps global IP network, covering over 50 locations on 3 continents. From 1999 to 2013 Bart worked at Global Crossing (acquired by Level 3 in 2011), where he developed staffing, systems and business processes for Global Crossing’s European brand new sales team, built and coached a Wholesale Sales team to sign new telecom customers and grow revenues in various countries across Europe, led Global Crossing’s expansion into Central and Eastern Europe and established Level 3’s position in the Benelux broadcast market.
Samer Abdel-Hafez joined the FiberRing network team in December 2013 as Network Design Engineer. Samer’s responsibilities within the team include planning capacity for the large traffic volume of FiberRing, arranging interconnections in new locations and markets, designing advanced ad-hoc solutions for the FiberRing network and customers and advise the Network support team on day to day issues.
Abstract: FiberRing operates one of the largest content networks in the world, peaking at over 2 Tb/s. In order to facilitate troubleshooting, detect attacks and saving important data as router configurations, we implement a series of tools mostly implemented in house or open source.
The key point of this presentation is to describe how FiberRing is using these tools for:
monitoring: FiberRing makes extensive use of Opsview (Nagios) and NMIS. We utilise Opsview for alerts and reporting and NMIS for detailed traffic analysis.
capacity planning: FiberRing choose PMACCT as netflow collector software and implemented an in house front-end solution that helps us locate strategic peering partners and explore ways to reduce the costs to deliver our content.
DDOS attacks detection: As every large hosting provider, we are regularly target of DDoS attacks. We implement a set of linux boxes running running nfcapd to collect traffic flows with 1 minute/per host granularity. This gives us great flexibility and incredibly valuable data to quick detect attacks and take corrective actions.
routers’ configuration backups: FiberRing is actively involved in the development of Oxidized, an innovative configuration backup tool which poses itself as rancid replacement.
Cassandra Summit 2014: Apache Cassandra at Telefonica CBS
Presenter: Antonio Alcocer, Big Data Architect at Stratio
Telefonica is the incumbent telecommunications network operator in Spain and the fourth one in capitalisation in the world. Cyber security is one of our most successful businesses worldwide. We provide monitoring and protecting clients from attacks. We analyze millions of data from multiple sources including social media, DNS records, and underground internet, to generate alerts and security reports for our clients. This use case required a Big Data component capable of processing the data and extract its information in real-time; warnings and alerts are time-sensitive in order to deal efficiently with security attacks. Our original architecture was the typical one used for data fusion systems. It included several collectors, a processing layer based on legacy systems, and a data store. The initial setup included a MongoDB database and an ad-hoc application. This solution however proved to be unfit for the specific purpose of dispatching alerts. We proposed to use Cassandra and Spark instead. This approach did manage to fulfill our original specifications as intended. Our talk will explain the reasons why we migrated the architecture and how the adopted solution based on Spark and Cassandra solved our problem.
Security tools
My presentation in the One day National Level Workshop on
Privacy and Data Security in Online Social Media organised by Department of Mechanical Engineering, Sri Ramakrishna Institute of Technology.
Why we decided on RSA Security Analytics for network visibility
2016/07/19 RSA APJ SUMMIT 2016での、松原の講演資料になります
Similar to DevSecCon London 2018: A Journey to Continuous Cloud Compliance (20)
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CK
Toronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and Threats
Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...
Social connections14: Super charge your API’s with Reactive streams
Social connections14: Super charge your API’s with Reactive streams
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
Perception of Security Issues in the Development of Cloud-IoT Systems by a No...
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
Exploring DarkWeb For Threat Intelligence (SACON May 2018)
Exploring DarkWeb For Threat Intelligence (SACON May 2018)
IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...
IoT solutions world congress 2018 review - Robbrecht van Amerongen - Conclusi...
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
Cassandra Summit 2014: Apache Cassandra at Telefonica CBS
Cassandra Summit 2014: Apache Cassandra at Telefonica CBS
Why we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibility
More from DevSecCon
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
Xavier Garceau-Aranda
Senior Security Consultant at NCC Group
With the steady rise of cloud adoption, a number of organizations find themselves splitting their resources between multiple cloud providers. While the readiness to deal with security in cloud native environments has been improving, the multi-cloud paradigm poses new challenges.
The workshop will aim to familiarize attendees with Scout Suite (https://github.com/nccgroup/ScoutSuite), a key component of NCC Group’s cloud agnostic approach to security assurance.
Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than pouring through dozens of pages on the web consoles, Scout Suite provides a clear view of the attack surface automatically.
The following cloud providers are currently supported:
- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform
- Oracle Cloud Infrastructure
- Alibaba Cloud
During the workshop, attendees will leverage Scout Suite to assess a number of cloud environments designed to simulate typical flaws. We will display how the tool can be leveraged to quickly identify and help with remediation of security misconfigurations.
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
Mitun Zavery
Senior Engineer at Sonatype
Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how both security and developers must work together to stop this trend. Or, risk losing the entire open source ecosystem.
Analyze, and detail, the events leading to today’s “all-out” attack on the OSS industry
Define what the future of open source looks like in today’s new normal
Outline how developers can step into the role of security, to protect themselves, and the millions of people depending on them
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
Jan Harrie
Security Analyst at ERNW GmbH
OpenShift by Red Hat is one of the major Platform as a Service (PaaS) solutions on the market. It is used to automatically deploy Kubernetes clusters and provides useful extensions for cluster management mixed with some magic under the hood.
Instantiating a Kubernetes cluster is often a crucial step in setting up a modern application stack. But be aware – a lot of configuration parameters are awaiting you. And here several misconfigurations may occur that can lead up to a compromise of the cluster. Privileged containers, tainting of masters and executing workloads on them, missing role-based access controls, and misconfigured Service Accounts are part of the problem.
In this talk, I will explain which configuration parameters of an OpenShift environment are critical to ensure the overall security of the deployed Kubernetes clusters. Implications of misconfigurations will be demonstrated during live demos. Finally, recommendations for a secure configuration are provided.
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
Matt Carroll
Infrastructure Security Engineer at Yelp
"Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems!
Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet.
So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell...
At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernels firehose-like audit subsystems.
This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP!
As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
Kristóf Tóth
Software Engineer at Avatao
The world is getting eaten alive by software. At this point, almost nothing can be done without interacting with some sort of software system. Not even buying your groceries.
As we keep dumping out huge piles of code like there is no tomorrow, our far from perfect systems keep getting worse and worse from a security standpoint.
What could possibly go wrong?
We believe that education is the missing link.
As appsec is still a curiosity topic on top universities, freshly graduated engineers simply have no clue. And how could they?
The number of programmers keeps on doubling every few years and generations of software professionals are stuck without a proper background in ITSec.
As this trend continues, our responsibility to do something about this is on the rise.
In hopes of fighting this trend, we, at Avatao, have decided to share some of our dreams with the community.
Our Tutorial Framework allows you to easily create interactive learning environments running inside Docker containers.
These environments are capable of automatically guiding users through a set of topics by allowing them to interact with real software through a simple web browser.
Users can attack webservices, write code to fix them or use a terminal to deploy websites by creating and pushing git tags.
Nothing here is a mock-up: Every software component is real.
In this talk, I am going to demonstrate the capabilities of the framework, talk about the technology behind it and explore some use cases for it.
During the session we will open source the framework with the hope of creating a better, secure future together.
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
Sitaraman Lakshminarayanan
Sr Security Architect at Pure Storage
Authorization has two components – Policy Definition and Policy Enforcement. Traditionally both used to be centralized and we spent all the time Integrating products- Built or Bought with Centralized Access Management. This typically led to increased cycle time to change any access policy or change software/deployment to fit into one particular authorization model. When that doesn’t fit, we would end up with multiple authorization enforcements written in different languages with or without any adherence to any standards such as XACML or others.
Imagine building few different or hundreds of products or services or micro services and you have to centrally manage all possible access policies. It’s definitely not a scalable solution in fast moving CI/CD world.
Now imagine a way where every developers or products can externalize its authorization and we can modify authorization enforcement in a consistent manner? Imagine where developers can write their own implementation of how authorization should be enforced for their environment? Remember there is no one size fits all authorization policy. A policy that works for your environment does not work for my environment – for any number of reasons from Risk management to type of business applications.
Open Policy Agent provides a consistent way to write authorization logic and expose it as REST API. Applications can easily integrate with OPA and can also write their own authroziation logics. Whether you are shipping products to customers or integrating a Product or Service into your environment, how awesome it would be to enforce your own authorization rules instead of changing your business process of who can gain access to what features.
In this talk we will explore the benefits of Decentralized Authorization and how to use Open Policy Agent to achieve decentralized authorization. A closer look at few applications /integrations whether it is REST API /Micro Services, or Kubernetes to control various authorization policies as to who can deploy/what can you deploy. We will also look at how to build Integration tests to check our authorization policies.
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
Ofir Azoulay-Rozanes
Senior Product Manager at JFrog
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
Matt Lavin
Software Architect at LifeOmic
It's possible to have rapid feature delivery and happy developers without sacrificing high security and compliance. At LifeOmic, we've built an automated change management system that allows production deployments without slow human approval. We maintain HIPAA and HITRUST compliance while still allowing continuous delivery. I'll show how to collect data from BitBucket, Jenkins, and security scan tools to ensure that the approved processes have been followed.
You'll hear how fast production approval incentivizes developers to follow good practices, and become advocates for following the process instead of pushing against it. Automating process checks as a gate to deployments is a great framework for promoting the behavior you want in your organization. Don't give up on rapid feature delivery just because you work in a regulated industry.
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
Julian Berton
Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service.
To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and "JIT" education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures:
* Automation - Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process.
* Prevention - Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public.
* "JIT” Education - Changing a companies security culture with RFC's for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
Rahul Kumar & Rupali Dash
In the current era of blockchain technology, mining crypto currency is one of the biggest hit. The talk covers how the attackers use the insecure containers to mine crypto currency and earn million dollar profits. Cryptojacking activity surged to its peak in December 2017, when more than 8 million cryptojacking events were blocked by many intrusion detection companies. While there have seen a slight fall in activity in 2018, it is still at an elevated level, with total cryptojacking events blocked in July 2018 totalling just less than 5 million.
The talk will cover how the mining activities has been done using browsers as well as cloud containers. We will also discuss how the cloud provides like amazon, azure and go are detecting such kind of activities and how minor misconfigurations leads to million dollar currency mining. The talk will also cover how 3rd party security providers like symantec and z-scalar and other intrusion detection system has configured signatures to block such kind of attacks. As well as from a sec-ops prospective what configuration checks should be done to prevent against such kind of attacks as well as detection of attacks. It will also cover some case studies and attack scenarios of mining Monero and the huge financial losses because of this attacks.
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
Trinh Tran & Dennis Stötzel
Are you trying to stay secure while developing and running a bunch of services and applications every day? So are we and it’s a huge pain in the… pipeline. We have been juggling these aspects while working with one of the biggest insurance companies in the world.
In this talk, we will share our experiences of the last three years: Trinh, as a software engineer in Vietnam and Dennis, as a security engineer in Germany. We will present our experiences of making "dev", "sec" and "ops" coexist – without sparing any dirty details. Our goal has always been fast delivery and secure applications using pipelines, containers, orchestration, and the cloud. Let us explain which of these goals we have met and which remain goals, where we messed up and where we found glory.
We will cover the following topics in our talk:
* Evolution of our project, from beginning with four engineers running in one office, to expanding to fifty engineers coming from three continents and different backgrounds,
* Development, delivery and security as a requirement in an agile project,
* The good, the bad and the ugly in technology, architecture and infrastructure.
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
Sanoop Thomas & Samandeep Singh
Burp suite is the de-facto proxy application for web security testers. This hands-on workshop will explore the different capabilities of burp proxy application, also dive into the extensions and tooling options to perform improved application security test cases.
The workshop will start with a quick overview of burp usage, different settings, features, some commonly useful extensions and then explore deep into its extension APIs to build your own custom extensions. We will provide a suitable development environment in Java and Python platforms. This will be a hands-on workshop and participants will learn how to automate different application security test scenarios and build burp extensions with the help of templates.
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
Cameron Townshend
Today’s pace of innovation and need to out “innovate” competitors can often cause developers to bypass key portions of Gene Kim’s Three Ways of DevOps - specifically to never pass a known defect downstream and emphasize performance of the entire system.
As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps.
Instinctively, we understand how critical this is. In Sonatype’s recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it.
Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road. By creating automated governance and compliance guardrails that are embedded early and throughout the software development lifecycle, developers have transparent access to digital guardrails integrated within our native tools — an approach that ensures security is being built in without slowing us down. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%.
Over time, this approach ensures developers procure the best components from the best suppliers, while continuously tracking components across the entire lifecycle.
Attendees of this session will walk away with:
Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks
Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts
A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suite
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
Tilak T
Web-Services are taking over the world. Rest-framework is accelerating this development, because of its ease and flexibility. Developers often use and develop REST-based applications because it's exciting to work with. But they forget about security which leads to compromised and exploited applications. For instance, in more recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities with Web Services. This talk is offering a holistic perspective on finding and fixing some uncommon flaws that will be replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot-Framework to identify such flaws in Web-Services.
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
Sharath Kumar Ramadas
Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all. Especially with widespread support from cloud vendors, this technology is going to only become more influential. However, like everything else, Serverless apps are subject to a wide variety of attack possibilities, ranging from attacks against access control tech like JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc) escalating privileges to other cloud components.
On the other hand GraphQL (API Query Language) is the natural companion to serverless apps, where traditional REST APIs are replaced with GraphQL to provide greater flexibility, greater query parameterization and speed. GraphQL is slowly negating the need for REST APIs from being developed. Combined with Serverless tech/Reactive Front-end frameworks, GraphQL is very powerful for distributed apps. However, GraphQL can be abused with a variety of attacks including but not limited to Injection Attacks, Nested Resource Exhaustion attacks, Authorization Flaws among others.
This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other other cloud components. The talk will have some demos that will demonstrate practical attacks and attack possibilities against Serverless and GraphQL applications. The author will release an intentionally vulnerable Serverless and GraphQL app at the end of the talk for the benefit of the audience and the security community at large.
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
Nadira Bajrei
IT Continuous Improvement and Knowledge Management at Bank Mandiri Tbk
We all know that the Banking industry is highly regulated. But due to recent changing factors, we had to trigger something we call transformation. Two of the most important reasons why we need transformation are firstly digital disruption, a wave our industry is hard pushed to follow, and secondly the evolving customer expectation and competitive environment, which are impacting the way organisations are delivering value. We need a new way of working to help us stay relevant in the market.
This session will focus on our journey as one of the biggest banks in Indonesia to do digital transformation into DevOps while maintaining security compliance requirements. I will elaborate on the main reason why we need transformation, our journey roadmap, the step by step adoption of CALMS Values in our organisation and how we faced challenges from internal and external site.
DevSecCon Singapore 2019: Preventative Security for Kubernetes
Liz Rice
The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations, across multi-cloud/hybrid environments. Configuring it to comply with security best practices and specific security requires time and expertise that most organizations don’t possess.
Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers.
During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes:
Kube-Bench: checks a Kubernetes cluster against 100+ checks documented in the CIS Kubernetes Benchmark.
Kube-Hunter: conducts penetration tests against Kubernetes clusters that hunt for exploitable vulnerabilities and misconfiguration - both from outside the cluster as well as inside it (running as a pod)
DevSecCon London 2018: Get rid of these TLS certificates
Paweł Krawczyk
Most network services and daemons now offer TLS transport protection and their managing certificates and TLS configuration for server farms may use more resources than actual configuration of these services. What if you could get rid of all this complexity and replace it by single transport protection protocol, securing all of the traffic between your servers trasparently and with single centralized key and configuration management? This will be a story of a successful implementation of IPSec protocols, largely and undeservedly forgotten in that purpose, for securing a farm of production cloud servers, with configuration centrally managed with Ansible.
DevSecCon London 2018: Open DevSecOps
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
MIKE SHEMA
Effective appsec emerges from DevSecOps tactics like feedback loops, automation, and the flexibility to respond to situations quickly. These tactics emphasize process and tools, sometimes neglecting the knowledge and skills of working with others to build and maintain apps. And the solutions they strive for don’t always catch the importance of how different users can have different threat models. On the technology side of appsec we have clouds, top 10 lists, and tools. But we haven’t built up equivalent resources, references, or models for the people we build apps with and who we build them for. This presentation dives into specific techniques and references for working with people and building threat models that go beyond basic technical concerns. Tabletop role-playing games are a great model for understanding and building skills that are important to DevSecOps teams. They encourage communication, collaboration, and the achievement of shared goals. And they also face the same challenges in solving conflicts, avoiding derailing behaviors, and ensuring everyone participates. Come discover how RPGs can positively influence your security teams. Security is an integral part of DevSecOps. And, yes, it’s made of people.
More from DevSecCon (20)
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
Recently uploaded
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Artificial Intelligence for XMLDevelopment
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Removing Uninteresting Bytes in Software Fuzzing
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications.
Essentials of Automations: The Art of Triggers and Actions in FME
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentationsBy Design, not by Accident - Agile Venture Bolzano 2024
As presented at the Agile Venture Bolzano, 4.06.2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Mind map of terminologies used in context of Generative AI
Mind map of common terms used in context of Generative AI.
GridMate - End to end testing is a critical piece to ensure quality and avoid...
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
20240609 QFM020 Irresponsible AI Reading List May 2024
Everything I found interesting about the irresponsible use of machine intelligence in May 2024
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Recently uploaded (20)
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
DevSecCon London 2018: A Journey to Continuous Cloud Compliance
- 1. LONDON 18-19 OCT 2018 A journey to continuous cloud compliance PAUL SCHWARZENBERGER
- 2. LONDON 18-19 OCT 2018 A journey to continuous cloud compliance • I joined a DevOps team as their first hands-on security specialist • I started by being polite and nice • This is the story of what happened next …
- 3. LONDON 18-19 OCT 2018 • Production application in AWS • 30 – 40 DevOps / Cloud Ops • Agile development • 2 week sprints • Most infrastructure coded • Some manual configuration A journey to continuous cloud compliance … my job was to make sure it was secure
- 4. LONDON 18-19 OCT 2018 AWS Foundations • 43 controls across 4 domains • IAM • logging • monitoring • networking I downloaded the CIS AWS Benchmark
- 5. LONDON 18-19 OCT 2018 and started with a manual review using the console … • Open security groups • Password policies not compliant • Dangerous IAM policies • Public S3 buckets • Access keys not rotated • I fixed some things myself • I asked people nicely to fix things …
- 6. LONDON 18-19 OCT 2018 Then I downloaded NCC’s Scout2 … Can you rotate your access key please? Can you reconfigure your security group please?
- 7. LONDON 18-19 OCT 2018 and moved from detection to prevention … • I wrote security tests in Python • Integrated to CI / CD pipeline • That helped • But only for those repos integrated with the security tests
- 8. LONDON 18-19 OCT 2018 So I put in automated remediation and enforcement … Tech • Cloud Custodian – Capital One • Lambda functions for notifications Example policies • Require MFA token • Access key rotation • Remove open security group rules
- 9. LONDON 18-19 OCT 2018 And then started looking for keys and secrets … GitRob • Keys • Secrets • Passwords • Public and private repositories
- 10. LONDON 18-19 OCT 2018 Continuous Cloud Compliance Framework Prevention Policy as code CI / CD pipeline tests Detection Infrastructure scans Data Discovery Remediation Serverless functions Runbooks
- 11. LONDON 18-19 OCT 2018 Contact details info@celidor.net Paul Schwarzenberger Cloud Security | DevSecOps www.celidor.co.uk @paulschwarzen Paul Schwarzenberger
- 12. LONDON 18-19 OCT 2018 Thank you