DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (e.g. Jenkins, Kubernetes, Istio, etc.)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes in CI and CD. DevSecOps goes beyond automating security testing, and there are common misconceptions and roadblocks to establishing it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integrating security fits into DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
This presentation simplifies Cloud, Cloud Security and Cloud Security Certifications. This includes the following:
- Understanding Cloud
- Understanding Cloud Security using the Risk Management and Cloud Security Control Frameworks
- Cloud Security Certifications
- Key Definitions
This AWS Security Checklist webinar will help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. This security-focused checklist builds on the recently revised Operational Checklists for AWS, which help you evaluate your applications against a list of best practices before deployment.
Learning Objectives:
* Evaluate the ability of AWS services to meet information security objectives and ensure future deployments within the AWS cloud are done in a secure and compliant way
* Assess your existing organisational use of AWS and ensure it meets security best practices
* Develop AWS usage policies or validate that existing policies are being followed
Presentation "Security Model in .NET Framework" at the .NEXT conference (dotnext.ru). In this briefing, I talk about the security architecture in .NET Framework 4.0 and later, using AppDomains and Code Access Security (CAS) in various applications, developing your own sandbox, designing a pluggable security-sensitive architecture, and using sandboxing in ASP.NET applications. I demonstrated a sample Trusted Chain attack to bypass CAS restrictions.
[DevSecOps Live] DevSecOps: Challenges and Opportunities - Mohammed A. Imran
In this Practical DevSecOps "DevSecOps Live" online meetup, you'll learn about DevSecOps challenges and opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance, on his DevSecOps journey.
He will cover DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session.
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!
You automated your deployment, elasticized your workloads, and dynamically provisioned your fleet. What do you do next?
Tackle automating your security needs using the latest capabilities in the cloud! There’s no single path to building an automated and continuous security architecture that works for every organization, but certain key principles and techniques are used by the early adopter cloud elite that give them distinct advantages. It's time to re-think your organization’s processes and behaviors to demonstrate the latest efficiencies in your security operations. In this webinar, learn how Intuit implements cloud security automation with Evident.io and other innovative cloud technologies.
Join us to learn:
• How security will be integrated into the overall processes of development and deployment.
• How to tie security acceptance tests, a subset of your key security controls, right into the end of your functional testing process to promote builds with confidence at greater speed.
• How to be successful with API-enabled, continuous security tools in the cloud.
• How to operationalize security alarms, enabling world-class incident response and remediation capabilities.
Let's talk about: Azure Kubernetes Service (AKS) - Pedro Sousa
Let's talk about the Azure Kubernetes Service (AKS), starting with some background on the evolution of containers through time, up to the new management features provided by Azure, like Azure Arc for Kubernetes. Key differences between Azure Kubernetes Service, Azure Container Instances, Web App for Containers and Containers on Azure Service Fabric.
Today's cutting-edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share how our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
The Practical DevSecOps course is designed to help individuals and organisations implement DevSecOps practices to achieve massive scale in security. This course is divided into 13 chapters; each chapter will have theory, followed by demos and any limitations we need to keep in mind while implementing them.
More details here - https://www.practical-devsecops.com/
Software composition analysis (SCA) is often sold as an easy win for application security, but ensuring that we have full visibility of the vulnerable components is a lot more challenging than it looks. The remediation costs can also stack up pretty quickly as we try to get rid of deeply nested vulnerable transitive dependencies.
This slide deck explores the challenges of securing microservices, best practices to overcome them, and how WSO2 Identity Server can be used in microservice architecture.
Watch webinar recording here: https://wso2.com/library/webinars/2018/09/the-role-of-iam-in-microservices/
DevOps and security. There's still no standard or even agreed-upon name, but two things are clear: DevOps is here to stay, and security must speed up to keep pace with the speed of business. Hence DevSecOps.
Shift Left Security - The What, Why and How - DevOps.com
The shift left approach in DevOps moves software testing earlier in its lifecycle to prevent defects early in the software delivery process. How can developers use this approach to ensure security? Josh Thorngren, VP of Marketing at Twistlock, will explain what it means to shift left, and share five steps to ensure a successful transition to a shift left approach with DevOps.
Join this webinar to learn:
Best practices in adopting a successful shift to the left
How ‘shifting left’ promotes security
How developers are the new security guards in protecting company information
Whether you’re just beginning to explore cloud computing or adopting it at enterprise-scale, it is important to build security into your architecture. But gone are the days of manual security audits that slow down agile development. Your modern continuous integration and continuous delivery architecture demands continuous security that doesn’t hinder DevOps. In this session, we’ll share tips to help your organization embrace DevSecOps. Presented by RedLock.
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, Monday to Friday 9-5, and only when he uses MFA"? That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
Speakers:
Rob Whitmore, AWS Solutions Architect
Application security meetup: K8s security with zero trust (29072021) - lior mazor
The "K8S security with Zero Trust" meetup is about K8s posture management and runtime protection, ways to secure your software supply chain, managing attack surface reduction, and how to secure K8s with Zero Trust.
The Challenge of Integrating Security Solutions with CI.pdf - Savinder Puri
Informational article discussing the issues with code signing solutions as they relate to CI/CD workflows (including DIY and HSM solutions).
Targeted Persona: mostly technical decision makers and operational champions (devops/devsecops).
AWS live hack: Docker + Snyk Container on AWS - Eric Smalling
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
Strong Security Elements for IoT Manufacturing - GlobalSign
GlobalSign’s Vice President of IoT Identity Solutions, Lancen LaChance, presented a session on Strong Security Elements for IoT Manufacturing at the Internet of Things Expo in New York.
Lancen will run through some ideas and perspectives around incorporating strong information security elements into your IoT devices during the manufacturing process. Within this context we'll look at how we are examining the risks associated with IoT products. Then we'll discuss some of the approaches for implementing these technologies in the manufacturing cycle. And finally we'll cover some example IoT use cases which are well aligned with the application of these technologies.
As we look at the evolving IoT space, one bet we're willing to make is that the privacy and security of IoT products will continue to become more distinguishing features and differentiators. In this vein, Lancen addresses how products can be built to achieve these goals through security by design, leveraging past technology successes, as well as the nuances and requirements of implementing within the manufacturing process.
If you didn’t get a chance to make it to the conference and see Lancen live, we wanted to share the recorded presentation with you.
Watch the whole talk here: https://www.youtube.com/watch?v=fycAaOkpMrs
Implementing Fast IT: Deploying Applications at the Pace of Innovation - Cisco DevNet
Fast innovation requires Fast IT: the new model for IT that transforms the way we deliver new business application capabilities to our clients.
Cisco IT has created solutions that enable automated provisioning of environments and fast deployment of cloud applications through “Software Development-as-a-Service”.
In this session, we’ll provide a hands-on experience of how application teams use an automated toolset to combine quality and agility, while reducing operational expense. We’ll also provide a view of the key technologies that enable this solution.
Finally, there’s a quick glimpse into what’s next: containerization and IOE Application Enablement.
It's clear that Docker speeds up development and makes testing and deployment more efficient. As Docker moves into production new use cases and patterns are emerging that address availability and security concerns. With microservices, safety is part of the architecture that developers need to understand and build for. It's no longer good enough to wrap a firewall around an entire app when it goes to production, and have a cold standby in case it breaks.
How EverTrust Horizon PKI Automation can help your business? - mirmaisam
Seamless Certificate Lifecycle Automation Hub
RNTrust presents EverTrust Horizon which extends your current PKI(s) capabilities so that you can manage certificate lifecycle automatically. Supporting various automation protocols such as ACME as well as management protocols from a wide range of third party appliances and cloud services, Horizon will take care of the issuance, renewal and revocation of certificates hosted on servers, appliances or in PaaS solutions. Seamlessly integrated in your information system, Horizon allows PKI teams to control certificate lifecycle management, while keeping service administrators in charge of the data of the certificates they need. Check out this video https://www.youtube.com/watch?v=Kurermln7nQ&t=67s
The security practitioner's role is changing significantly. Trends like mobile, cloud, DevOps, and Zero Trust are creating new roles and erasing others. This presentation navigates these changes and makes some recommendations for folks wanting to keep up with the curve.
This webinar was co-hosted by Testery.io and Curiosity Software on 10th November 2022. Watch the on demand recording here: https://www.curiositysoftware.ie/hitting-the-right-test-coverage-ci-cd-webinar-testery
Testing today too often faces a choice between introducing bottlenecks to software delivery, or allowing an unacceptable level of negative risk. A lack of traceability between tests, changing code, user stories and data leaves testers no way of knowing reliably which tests to run, when. They further have no time to create the tests required for optimal in-sprint coverage, instead being held back by slow and manual test creation. Pipeline configuration and environmental constraints further force testing behind parallelised development, rendering true CI/CD an unobtainable ideal for many organisations.
This webinar will set out how you can automatically identify, generate, and execute optimized tests at the speed of CI/CD. Curiosity Software’s CTO, James Walker, and Testery CEO Chris Harbert will discuss how automated test generation and test orchestration integrate into CI/CD pipelines, running the right blend of tests to de-risk continuous deployments. A live demo will then show you how you can execute these targeted tests on-the-fly, setting out how:
1. Model-based test generation dynamically creates the smallest set of tests needed to satisfy different risk profiles on demand.
2. Automated test orchestration triggers the right blend of tests to de-risk deployments, executed across environments and ranging from smoke tests to full regression.
3. Sequentially triggering tests from different repositories targets bugs across APIs, UIs, and back-end systems, delivering rigorously tested software at speed.
Watch the on demand webinar: https://www.curiositysoftware.ie/hitting-the-right-test-coverage-ci-cd-webinar-testery
Meeting Mobile and BYOD Security Challenges - Symantec
This white paper is written for enterprise executives who wish to understand what digital certificates are and why they are invaluable for mobile and Bring Your Own Device (BYOD) security on wired and wireless networks. The paper also illustrates the benefits of adopting Symantec Managed PKI Service and provides real-world use cases.
Introducing a Security Feedback Loop to your CI Pipelines - Codefresh
Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/
Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/
We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT!
Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines.
Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports & trace back to your report from your production Kubernetes cluster using Codefresh.
Modernizing on IBM Z Made Easier With Open Source Software - DevOps.com
In the past decade, IDC has seen IBM Z evolve first from a siloed platform to what they call a "connected" platform, and then to a "transformative" platform. This transition has been driven by IBM, by the IBM Z software vendors, like Rocket Software, and by businesses themselves.
IDC research shows that businesses that choose to modernize IBM Z achieve higher satisfaction than re-platformers and many are using open source software (OSS) in their modernization initiatives. Employing OSS makes it possible to crack the platform open and enable it to connect to the rest of the datacenter and the outside world. Join IDC guest speaker, Al Gillen and Peter Fandel as they take a deeper look at the value proposition associated with using commercially supported OSS in mission-critical environments, like IBM Z. In this webinar we’ll discuss:
How OSS can neutralize the disparity between seasoned IBM Z and emerging developers
The modernization initiatives that involve OSS
What to consider before bringing OSS to IBM Z
How Rocket Software is delivering commercially supported OSS to IBM Z
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla... - DevOps.com
With the growing adoption of Kubernetes, organizations want to take advantage of containerized Microsoft SQL Server 2019 to optimize transactional performance and accelerate time-to-insights from their business-critical data. However, as enterprises embrace hybrid cloud strategy, they need to consider several aspects based on the performance, cost and data protection requirements for running enterprise-grade SQL Server databases.
In this webinar, we will compare and contrast various cloud-native platforms for SQL Server that would help CIOs, DevOps engineers, database administrators and applications architects to determine the most suitable platform that fits their business needs.
Join us as we explore some exciting results from a recent performance benchmark study conducted by McKnight Consulting Group, an independent consulting firm, to compare the performance of Microsoft SQL Server 2019 on the best possible configurations of the following Kubernetes platforms:
Diamanti Enterprise Kubernetes Platform
Amazon Web Services Elastic Kubernetes Service (AWS EKS)
Azure Kubernetes Service (AKS)
Topics will include:
Platform considerations and requirements for running Microsoft SQL Server 2019
Performance comparison and analysis of running SQL Server on various platforms
Best practices for running containerized SQL Server databases in a Kubernetes environment
Next Generation Vulnerability Assessment Using Datadog and Snyk - DevOps.com
Vulnerability assessment for teams can often be overwhelming. The dependency graph could be thousands of packages, depending on the application. Triaging vulnerability data and prioritizing actions has historically been a very manual process, until now. With Datadog and Snyk, learn how to trace security and performance issues by leveraging continuous profiling capabilities for actionable insights that help developers remediate problems.
Join us on Thursday, January 21 for a unique opportunity to learn more about continuous profiling, vulnerability management, and the benefit to customers from using both of these products. In this webinar, you will:
Bust some myths around continuous profiling and learn how Datadog differentiates itself
See decorated traces in action for sample Java applications and understand how Snyk + Datadog reduce time to triage supply chain vulnerabilities
Learn roadmap information for upcoming public announcements from both partners
In the era of the cloud generation, the constant activity around workloads and containers creates more vulnerabilities than an organization can keep up with. Using legacy security vendors doesn't set you up for success in the cloud. You're likely spending undue hours chasing, triaging and patching a countless stream of cloud vulnerabilities with little prioritization.
Join us for this live webinar as we detail how to streamline host and container vulnerability workflows for your software teams wanting to build fast in the cloud. We'll be covering how to:
Get visibility into active packages and associated vulnerabilities
Reduce false positives by 98%
Reduce investigation time by 30%
Spot a legacy vendor looking to do some cloud washing
2021 Open Source Governance: Top Ten Trends and Predictions - DevOps.com
If you work in software development, jumpstart your engineering team in 2021—get ahead of the engineering curve and your competitors—by attending this must-watch open source trends and predictions webinar.
Alex Rybak, Director of Product Management at Revenera, and Russ Eling, founder and CEO of OSS Engineering Consultants, share their top 10 open source usage, license compliance and security insights for the new year.
Just a few hints at what you’ll learn more about:
Where the adoption of shift-left is headed and the decisions you’ll face going forward
The impact of a lack of software developer security training relative to pandemic fallout
The broader role of the engineering team in open source management and governance
The expanding role and impact of open source marketplaces such as GitHub
Don’t miss the discussion for valuable insight and learning for software engineering teams
2020 was a brutal year for ransomware. Cybercriminals operated without any human decency, targeting the most vulnerable and at-risk parties, such as hospitals, scientists, and global manufacturers. The approach has become more sophisticated and life-threatening, shifting from individual targets to global enterprises, destroying backups, blackmailing victims with public leakage of exfiltrated data, and paralyzing critical systems and infrastructure.
Getting Started with Runtime Security on Azure Kubernetes Service (AKS) - DevOps.com
As containers and Kubernetes are adopted in production, security is a critical concern and DevOps teams need to go beyond image scanning. Use cases such as runtime security, network visibility and segmentation, incident response and compliance become priorities as your Kubernetes security framework matures.
In this talk, we’ll share an overview of runtime security, discuss approaches used by open source and commercial tools, and hear how users are getting started quickly without impacting developer productivity.
In any fast-paced engineering environment, unexpected incidents can arise and escalate without warning. Without strong leadership within teams, you get chaotic, stressful, and tiring situations that waste valuable engineering time, slow down resolution, and most importantly, impact your customers.
Operationally mature organisations use proven incident response systems led by Incident Commanders. Incident Commanders provide the leadership needed to help stabilize major incidents fast.
In this webinar, we’ll take lessons learned from formalized incident response, such as those used by first responders, and show you how to apply those same practices to your organization. By utilising these methods you’ll improve both the speed and effectiveness of your team’s response, reducing the amount of downtime experienced.
In this workshop, attendees will:
Be introduced to the Incident Command System and learn how it can be adapted to their organisation
Walk through the basics of incident response best practices
Discuss examples of formal incident response from multiple organisations
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture - DevOps.com
Chaos engineering is becoming a critical part of the DevOps toolchain when adopting Site Reliability Engineering (SRE) practices. Every system is becoming a distributed system and chaos engineering proclaims many advantages for them.
It improves infrastructure automation, increases reliability and transforms incident management. However, an often-overlooked benefit of chaos engineering and SRE involves culture transformation. Culture is often touched upon when talking about chaos engineering and SRE but not as often as skills and process.
In this webinar, we will discuss how you can build out a chaos engineering practice and how you can adopt a true blameless culture and maximize the potential of your team.
You will learn how to:
Hold blameless postmortems
Share post mortems with other teams
Run regular fire drills and game days
Automate chaos experiments for continuous validation
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport - DevOps.com
Enterprises are best served by leveraging an RBAC system to manage access to their SSH and Kubernetes resources. With Teleport, open source software, employers are able to provide granular access controls to developers based on the access they need and when they need it. This makes it possible for employers to maintain secure access without getting in the way of their developers’ daily operations.
Join Steven Martin, solution engineer at Teleport, as he demonstrates how to assign access to developers and SREs across environments with Teleport through roles mapped from enterprises’ identity providers or SSOs.
Monitoring Serverless Applications with Datadog - DevOps.com
Join Datadog for a webinar on monitoring serverless applications with AWS Lambda. You'll learn how to get the most out of Datadog's platform, along with the following key takeaways:
Learn how to set up a Twitter bot that makes API calls with Node.js
Deploying Serverless Applications
What does observability look like with less infrastructure?
Deliver your App Anywhere … Publicly or Privately - DevOps.com
Developers are increasingly adopting a microservices approach for their apps in order to gain the rapid iteration capabilities required for delivering new services faster. However, delivering the App still requires multiple steps such as allocation of virtual IPs, provisioning the front load balancer, configuring firewall rules, configuring a public domain, and DDoS protection. At present, each of these steps requires coordination across multiple teams with multiple iterations per team. The time efficiencies gained by adopting microservices and cloud-native technologies are negated by the time taken to deliver the App.
In this session, Pranav Dharwadkar, VP of products at Volterra, and Jakub Pavlik, director of engineering, will help you understand these challenges and introduce a distributed proxy architecture that can alleviate the challenges across different cloud environments. This webinar will include a live demo using a distributed proxy architecture to advertise an App publicly and privately.
In this webinar, you will learn:
The steps required to deliver an App using the current approaches
How a distributed proxy architecture can be used to deliver the app publicly and privately
The operational benefits of a distributed proxy architecture for delivering new services
Securing Medical Apps in the Age of COVID - DevOps.com
The COVID-19 pandemic has drastically altered the connected healthcare landscape, accelerating the usage of telemedicine and other remote healthcare delivery systems by as much as 11,000% for some populations. How has this unprecedented push affected healthcare and medical device application security? The security team at Intertrust recently analyzed 100 Android and iOS medical apps to find out.
In this webinar, we'll discuss:
Medical application and device threat trends
The top mHealth security vulnerabilities uncovered in our analysis
Strategies to keep your mHealth apps safe
Future advances in digital healthcare and how your security can evolve with it
Raise your hand if you enjoy being buried in alerts or woken up at 2 a.m. — yeah … thought so. Ever-rising customer expectations around high availability and performance put massive pressure on the teams who develop and support SaaS products. And teams are literally losing sleep over it. Until outages and other incidents are a thing of the past, organizations need to invest in a way of dealing with them that won’t lead to burn-out.
In this session, you’ll learn how to combine the latest tooling with DevOps practices in the pursuit of a sustainable incident response workflow. It’s all about transparency, actionable alerts, resilience and learning from each incident.
The Evolving Role of the Developer in 2021 - DevOps.com
The role of the developer continues to change as they sit on the front line of application and even cloud infrastructure security. Today, developers are focused on innovating fast and improving security, but how do high-performing teams accomplish this? They commit code frequently, release often and update dependencies regularly (608x faster than others).
In this webinar, we'll discuss the key traits of high-performing teams and how that impacts the role of the developer.
Key Takeaways:
Choose the best third party dependencies
Determine the lowest effort upgrades between open source versions
Solve for issues in both direct and transitive dependencies with a single-click
Block and quarantine suspicious open source components
Service Mesh: Two Big Words But Do You Need It? - DevOps.com
Today, one of the big concepts buzzing in the app development world is service mesh. A service mesh is a configurable infrastructure layer for microservices applications that makes communication flexible, reliable and fast. Let’s take a step back, though, and answer this question: Do you need a service mesh?
Join this webinar to learn:
What a service mesh is; when and why you need it — or when and why you may not
App modernization journey and traffic management approaches for microservices-based apps
How to make an informed decision based on cost and complexity before adopting service mesh
Learn about NGINX Service Mesh in a live demo, and how it provides the best service mesh option for container-based L7 traffic management
Secure Data Sharing in OpenShift Environments - DevOps.com
Red Hat OpenShift is enabling quicker adoption of DevOps practices. Containers are an essential component of DevOps and the OpenShift Kubernetes Container Platform is integral for orchestration within these environments. Data security is now challenged to keep pace with the size and scope of container usage. The migration from legacy in-house deployments to hybrid-cloud installations has created new attack surfaces as data is shared more freely in Kubernetes deployments.
Protecting data at rest and in motion is a necessity. Learn how you can keep data protected and securely share data in OpenShift environments with real-time data protection solutions.
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S... - DevOps.com
Managing access permissions in the public cloud can be a very complex process. In fact, by 2023, 75% of cloud security failures will result from the inadequate management of identities, access and privileges, according to Gartner.
Join us as Guy Flechter, CISO of AppsFlyer, presents a real-world case of how his company works to enforce least-privilege and to govern identities in their cloud. This webinar will also provide an overview of how to govern access and achieve least privilege by analyzing the access permissions and activity in your public cloud environment. With thousands of human and machine identities, roles, policies and entitlements, this webinar will give you the tools to examine the access open to people and services in your public cloud, and determine whether that access is necessary.
In this workshop, you will learn about:
The risks of IAM misconfiguration and excessive entitlements in cloud environments
The challenges in identifying and mitigating Identity and access risks for both human and machine identities
How to automate cloud identity governance and entitlement management with Ermetic
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T... - DevOps.com
Open-source machine learning can be transformative, but without the proper tools in place, enterprises struggle to balance IT security and governance requirements with the need to deliver these powerful tools into the hands of their developers and modelers.
How can organizations get the latest technology from the open-source brain trust, while ensuring enterprise-grade management and security? In this webinar, we will discuss how Anaconda Team Edition, available on RedHat Marketplace, enables IT departments to mirror a curated set of packages into their organization in a safe and governed way.
Join Michael Grant, VP of services at Anaconda, to discuss:
How IT organizations are using Anaconda Team Edition to curate, govern and secure Python and R packages
Tips for how development and data science teams can get the most out of Team Edition, from uploading your own packages to building custom channels for groups or projects
How to distribute conda environments to desktops, servers and clusters:
GUI-based installers for desktop users
“Conda packs” for automated delivery to remote servers and distributed computing clusters
Conda-enabled Docker containers for application deployment
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Search and Society: Reimagining Information Access for Radical Futures - Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 - Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an “infrastructure container Kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already got working for real.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. The constant focus on speed to release software to market, combined with traditionally slow and manual security checks, has left gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerabilities and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of existing vulnerabilities, preventing the introduction of security issues into the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
1. PKI in DevOps:
HOW TO DEPLOY CERTIFICATE AUTOMATION IN CI/CD
CHRIS PAUL, CYBERSECURITY SME, INFINITE RANGES
ANTHONY RICCI, VP, SOLUTIONS ENGINEERING, KEYFACTOR
RYAN SANDERS, PRODUCT MANAGER, KEYFACTOR
2. A Bit About Chris
► Cyber Network Warfare Specialist
► Military Intelligence Systems Maintainer/Integrator
► NOC/SOC
► Tech Lead/Engineer
► Cyber Course Developer
► Cyber Operations Instructor (Contractor)
3. DevOps Mantra vs Security
Deliver Fast: Nearly 60% deploy multiple times a day, once a day, or once every few days.
Run Anywhere: Almost 70% of Ops pros report that developers can provision their own environments.
Automate Everything: A majority of Ops teams (38%) described the development lifecycle as “mostly automated.”
But…Security is Left Out: Most sec teams don’t have security processes in place for microservices/containers/APIs/cloud native or serverless.
And Who Really Owns it? 33% of security respondents say they own security, but almost as many (29%) said everyone is responsible for security. Clarity is needed.
*GitLab – Mapping the DevSecOps Landscape | 2020 Survey Results
4. Cybersecurity Concerns
Top Cybersecurity Concerns:
⊲ Lack of oversight and control
⊲ Poor configuration or accidental misconfiguration
⊲ Environmental drift
Questions to ask yourself:
⊲ Do you know where all your critical assets are?
⊲ Are you confident these assets are deployed and configured to meet business objectives?
⊲ Are you confident in your ability to measure drift in these configurations?
5. Poll Question #1
What are the biggest challenges your organization faces from an information security perspective?
1. Increasing complexity of IT / infrastructure
2. Lack of cybersecurity skills / resources
3. Compliance with privacy laws / regulations
4. Keeping up with internal / external threats
5. Day-to-day hotspots take too much time
6. Traditional PKI vs Modern PKI
THEN: Traditional PKI
Web Servers, Wi-Fi / VPN, Email / Documents
Few Certificates; Spreadsheets / Scripts; Static Approach
DISRUPTION: Cloud, DevOps, Mobile, IoT
NOW: Modern PKI
CI/CD Tools, Containers, Orchestration, ADC / CDN, Service Mesh, IoT Devices, Code Signing, Mobile / MDM
88,750 Keys & Certificates; 8 Internal/External CAs; Shorter Lifespans
8. The CI/CD Pipeline
CODE COMMIT BUILD TEST RELEASE DELIVER PRODUCTION
CONTINUOUS INTEGRATION: Developer pushes new code and automatically triggers server build. CI server starts the build process and automated tests against the build.
CONTINUOUS DELIVERY: Build artifacts are stored and binaries are delivered to a runtime environment.
CONTINUOUS DEPLOYMENT: Build is deployed to production (on-premise, cloud, multi-cloud).
AUTOMATION
9. So Many Tools…
SCM/VCS, CI, BUILD, TESTING, DEPLOYMENT, IAAS/PAAS, ORCHESTRATION, BI/MONITORING, PROVISIONING, ARTIFACT MGT., DATABASE MGT.
10. Where X.509 Certificates Fit Into CI/CD
CODE COMMIT BUILD TEST RELEASE DELIVER PRODUCTION
Signing along the pipeline: Sign Build, Sign Containers, Sign Binaries, Sign Images
Infrastructure that needs certificates: CI Tools, Build Automation, Repositories, Databases, Secret Vaults, Web Servers, Load Balancers, Containers, Orchestration, Service Mesh
11. The Modern PKI & Application Stack
Certificate sources: Cloud CA / Vault Services; Embedded / Built-In Tools; Free Certs; OpenSSL; Vault; “DIY” PKI; Request Public CAs
Stack layers: Physical Infrastructure; Secrets; VMs; Clusters (Cluster 1, Cluster 2); CDN / ADC; Orchestration; Ingress/Service Mesh
Multiple issuing CAs (ICA) spread across the stack
12. What’s Working / What’s Not
MANAGING KEYS & CERTS IN DEVOPS ENVIRONMENTS
13. “Developers can use any CA – for example, Let’s Encrypt – or even generate certificates themselves using popular utilities such as OpenSSL…but there is little else in terms of policy enforcement and PKI governance.”
GARTNER, “The Resurgence of PKI in Certificate Management, the IoT and DevOps”, Erik Wahlstrom, Paul Rabinovich, October 2018
14. Security & DevOps Challenges
Dev + Ops Teams
⊲ Avoid time-consuming, manual request processes
⊲ Use unauthorized or “DIY” CAs
⊲ Use certificates from built-in DevOps / Cloud tools
⊲ Issue non-compliant or self-signed certificates
⊲ Fail to properly track certificates and expirations
InfoSec Teams
⊲ Limited visibility of certificates issued
⊲ Unable to enforce consistent enterprise policy
⊲ Lack control over CA/PKI infrastructure
⊲ No accountability when something goes wrong
⊲ Constantly chasing down non-compliant certificates
DevOps needs fast, easy access to certs. InfoSec needs visibility and policy.
15. Risk #1 • Outages & Breaches
Certificate-related outages and breaches, 2017 to 2020:
EQUIFAX (2017): One expired certificate on a network monitoring device left Equifax blind to the attack for 76 days.
MICROSOFT TEAMS: An expired authentication cert stopped users from logging into Teams for nearly three hours.
ERICSSON: Ericsson faces a £100 million bill after millions of mobile users in Japan / U.K. were impacted.
OCULUS RIFT: Users found out their VR headsets were not working due to an expired certificate.
LINKEDIN: For roughly two hours, LinkedIn was down across most regions due to an expired certificate.
LINKEDIN (AGAIN): For the second time, LinkedIn users experienced interruptions caused by an expired cert.
FIREFOX
U.S. GOVERNMENT
What happens when an outage strikes?
DOWNTIME: A certificate expires – Gartner estimates network downtime costs $300,000 per hour.
DISRUPTION: Services are disrupted – the IT helpdesk/customer service are inundated with calls.
RESPONSE: PKI/infosec take hours or days to identify an expired certificate as the root cause.
REMEDIATION: Teams must locate and replace every instance of the expired certificate.
16. Risk #2 • Crypto-Incidents
17. Risk #3 • Code Signing Attacks
Timeline, 2010 to 2019: STUXNET (2010), DUQU, BIT9, MALAYSIAN GOV’T, ADOBE, OPERA, SONY, DUQU 2.0, D-LINK, SYNful KNOCK, SUCKFLY APT, D-LINK (AGAIN), ASUS, APT41
How is code signing compromised?
Key Theft: Attackers find and steal private keys to sell on the dark web or sign malware.
Signing Breach: They infiltrate the code signing process itself, despite secure key storage.
Internal Misuse: Developers accidentally publish private keys into publicly accessible locations.
18. Code Signing Use Case
MULTINATIONAL TECH COMPANY
⊲ Development teams in US East, West, and Israel
⊲ Multiple build server solutions – TFS, Jenkins, etc.
⊲ Multiple dev languages – .NET, C++, Java, iOS
⊲ More than 100 different products to be signed
⊲ Certs deployed to build servers, managed manually
⊲ Signing process manual and “effort greedy”
19. Poll Question #2
What would you say is your primary concern regarding the use of keys and X.509 certificates in DevOps?
1. Manual, time-consuming processes
2. Lack of visibility / unknown certificates
3. No control over issuance and usage
4. Lack of accountability and ownership
5. Insecure code signing / private keys
20. How to Support DevSecOps
DEPLOY X.509 CERTIFICATE AUTOMATION IN CI/CD
21. “The API economy forces organizations to monitor not only their own certificates, but also certificates issued and used by partners and services that the organizations rely on.”
GARTNER, “The Resurgence of PKI in Certificate Management, the IoT and DevOps”, Erik Wahlstrom, Paul Rabinovich, October 2018
22. Getting it Right • Ideal State
Visibility
⊲ Know where certificates are issued from and all the locations they are installed
⊲ Be able to respond to audit requests
⊲ Understand how certificates are being used and for which applications
⊲ Continuously monitor issuance and usage for abnormalities
Control
⊲ Ensure that certificates are issued from a trusted, enterprise-sanctioned PKI
⊲ Enforce consistent role-based access and issuance policies
⊲ Assign certificates to application groups or owners for clear accountability
⊲ Keep private keys and code signing certificates locked down
Automation
⊲ Support multiple CA tools and vendors
⊲ Integrate with built-in issuers such as Kubernetes, Istio, HashiCorp Vault
⊲ Provide self-service access to certificates for developers
⊲ Automate certificate renewals and provisioning
InfoSec controls the backend PKI. Integrated with native tools and workflows.
23. Certificate Lifecycle Management (CLM)
Diagram: KEYFACTOR COMMAND sits between the CAs (PUBLIC CAs, PRIVATE CAs; Direct CA Integration) and the Certificate Stores (SERVERS, ADC, CLOUD; Inventory & Automation), alongside EXISTING CERTIFICATE PROCESSES.
Direct Integration: No middleware. Inventory, monitor and renew certificates in place.
Crypto-Agility: Certificates can quickly be re-issued or renewed from a different CA/template.
No Re-Engineering: No need to re-engineer workflows or re-issue certs through our platform.
Scalability: The platform is tested and proven in environments of 500M+ certificates.
Private Key Storage: No need to store private keys in our platform – per-template basis.
Extensibility: Modular design enables maximum extensibility across infrastructure.
24. Secure Code Signing Operations
STEP 1: Developer submits code to be signed via user interface, API, or CSP / KSP.
STEP 2: Signing request is allowed or denied based on policies set by the admins.
STEP 3: Keyfactor Code Assure signs code without keys ever leaving the HSM.
STEP 4: InfoSec and PKI teams can audit code signing activity throughout.
Diagram: DEVELOPERS submit CODE from a WORKSTATION or BUILD SERVER through a SIGNING TOOL (USER INTERFACE, API, or CSP / KSP) to the SIGNING SERVER; ADMINS set rules in the ADMIN PORTAL / POLICY ENGINE; keys stay in a PHYSICAL OR CLOUD HSM; every request is written to the Audit Logs.
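The four-step flow on this slide, as an added Python model (not Keyfactor's code or API): a policy engine gates each request (step 2), signing happens only inside an HSM stand-in whose key is never exported (step 3), and every decision, allowed or denied, lands in an audit log (step 4). Product names, roles, hostnames and the policy itself are constructed sample values, and HMAC-SHA256 stands in for the HSM's real signature primitive.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy, as an admin would set it in the policy engine:
# which roles may sign which product, and from which build servers.
POLICY = {
    "payments-service": {"roles": {"payments-dev", "release-eng"},
                         "build_servers": {"jenkins-us-east-01"}},
    "mobile-app":       {"roles": {"mobile-dev"},
                         "build_servers": {"tfs-il-01", "jenkins-us-west-02"}},
}

@dataclass(frozen=True)
class SignRequest:
    requester: str
    roles: frozenset[str]
    product: str
    origin: str          # hostname the request came from (build server or workstation)
    code: bytes          # artifact bytes submitted via UI / API / CSP-KSP (step 1)

@dataclass
class AuditEntry:
    when: str
    requester: str
    product: str
    origin: str
    artifact_sha256: str
    decision: str
    reason: str

class Hsm:
    """Stand-in for the physical or cloud HSM. The key is generated inside
    and there is no export path: callers only ever get sign()/verify()."""
    def __init__(self) -> None:
        self.__key = secrets.token_bytes(32)
    def sign(self, digest: bytes) -> bytes:
        # HMAC-SHA256 stands in for the asymmetric signature a real HSM makes.
        return hmac.new(self.__key, digest, hashlib.sha256).digest()
    def verify(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest), signature)

class SigningServer:
    def __init__(self, policy: dict, hsm: Hsm) -> None:
        self.policy = policy
        self.hsm = hsm
        self.audit_log: list[AuditEntry] = []

    def evaluate(self, req: SignRequest) -> tuple[bool, str]:
        """Step 2: allow or deny purely from the admin-set policy."""
        rule = self.policy.get(req.product)
        if rule is None:
            return False, "unknown product: no signing template"
        if not req.roles & rule["roles"]:
            return False, "requester holds no role entitled to this product"
        if req.origin not in rule["build_servers"]:
            return False, "origin is not an approved build server"
        return True, "policy satisfied"

    def sign(self, req: SignRequest) -> bytes | None:
        digest = hashlib.sha256(req.code).digest()
        allowed, reason = self.evaluate(req)
        signature = self.hsm.sign(digest) if allowed else None      # step 3
        self.audit_log.append(AuditEntry(                            # step 4
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            requester=req.requester, product=req.product, origin=req.origin,
            artifact_sha256=digest.hex(),
            decision="ALLOW" if allowed else "DENY", reason=reason))
        return signature

    def decisions(self) -> list[str]:
        return [e.decision for e in self.audit_log]

def demo() -> dict:
    """Run three constructed requests through the flow and report the outcome."""
    hsm = Hsm()
    server = SigningServer(POLICY, hsm)
    artifact = b"constructed build artifact bytes"
    ok = SignRequest("alice", frozenset({"payments-dev"}), "payments-service",
                     "jenkins-us-east-01", artifact)
    wrong_role = SignRequest("bob", frozenset({"mobile-dev"}), "payments-service",
                             "jenkins-us-east-01", artifact)
    workstation = SignRequest("alice", frozenset({"payments-dev"}), "payments-service",
                              "alice-laptop", artifact)
    sig = server.sign(ok)
    return {
        "signed": sig is not None
                  and hsm.verify(hashlib.sha256(artifact).digest(), sig),
        "wrong_role_denied": server.sign(wrong_role) is None,
        "workstation_denied": server.sign(workstation) is None,
        "decisions": server.decisions(),
        "reasons": [e.reason for e in server.audit_log],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```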
26. Thank You
CHRIS PAUL, CYBERSECURITY SME, INFINITE RANGES (cpaul@infiniteranges.com)
ANTHONY RICCI, VP, SOLUTIONS ENGINEERING, KEYFACTOR (anthony.ricci@keyfactor.com)
RYAN SANDERS, PRODUCT MANAGER, KEYFACTOR (ryan.sanders@keyfactor.com)