Post-Equifax: How to Trust But Verify Your Software Supply Chain

•

0 likes•53 views

The document summarizes challenges with software supply chain security following the Equifax breach. It notes that Equifax was breached through a vulnerability in the Apache Struts application that was not patched for over 5 months. Most modern applications consist of assembled third-party components, but only a small percentage of known vulnerabilities in open source components are quickly fixed. It then discusses the need to establish trusted software supply chains through technology and processes to verify the integrity and provenance of components. Ultimately, companies are responsible and potentially liable for securing their systems and data, even if vulnerabilities are introduced through third-party components.

Post-Equifax
How to Trust But Verify Your
Software Supply Chain

Today’s Panel
Derek E. Weeks
VP and DevOps Advocate
Sonatype
@weekstweets
David Blevins
CEO
Tomitribe
@dblevins
Colin Wynd
VP Common Services
Federal Reserve Bank NY
@colinwynd

5 Month Opportunity to Take Corrective Action
Large Scale Exploit
March 10
Equifax applications
breached through
Struts2 vulnerability
AprMar May Jun Jul Aug Sept
March 7
Apache Struts releases
updated version to
thwart vulnerability
CVE-2017-5638
July 29
Breach is discovered
by Equifax.
Sept 7
A new RCE vulnerability
is announced and fixed.
CVE-2017-9805
Probing Hack
Crisis Management

TIME TO RESPOND BEFORE EXPLOITSource: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
AverageDaystoExploit
Average
45
15
2017

Say Hello to Your Software Supply
Chain…
@weekstweets

80% to 90% of
modern apps
consist of
assembled
components.

233 days
MeanTTR
119 days
MedianTTR
122,802
components with
known vulnerabilities
19,445
15.8% fixed the
vulnerability
TIME TO REPAIR OSS COMPONENTS
@weekstweets

Trusted Partially Trusted Untrusted
Reliably sourced
without any digital
risk accessing
Some attributes of
trust but no
confirmation
No demonstrable
proof of trust
Level of trust
Burdentoverifyandlevelofrisk
Source: Gartner, May 2017
HOW CAN TECHNOLOGY AND PROCESS HELP?

Ultimately responsible.
Ultimately liable?

Unsafe at Any Speed: The Designed-In Dangers
of the American Automobile.
Ralph Nadar
1965
Photo Credit: www.automobilemag.com

Businesses decide where and how to invest in
cybersecurity based on a cost-benefit assessment
but they are ultimately liable for the security of
their data and systems.
U.K.’s National Cyber Security Strategy
2016 - 2021

In the software engineering world, change is the only constant. And in the course of the last decades, the frequency of that change has exploded. What Agile has brought to software teams, DevOps is now bringing to the entire organization. And the results speak for themselves. The DevOps high-performers are killing it. Insane deploy frequencies of features, high reliability of applications, and high productivity of cross-functional teams have amplified the speed at which ideas become a reality. In parallel, Application Security was doing its own thing and to a large part remained oblivious to all the impressive improvements that were happening in software engineering. Because breaking an application doesn’t need any knowledge of how it was created in the first place. This talk will cover anti-patterns that are preventing application security from being adopted by development teams, such as: * Issues Overload * Acronym Overuse * Sales team Wall

Open Data Science Conference 2015

CrowdFlower

Using security to drive chaos engineering - April 2018

Dinis Cruz

What we learned from three years sciencing the crap out of devops

Nicole Forsgren

Three years, 20,000 DevOps professionals, and some science... What did we find? Well, the headline is that IT *does* matter if you do it right. With a mix of technology, processes, and a great culture, IT contributes to organizations' profitability, productivity, and market share. We also found that using continuous delivery and lean management practices not only makes IT better -- giving you throughput and stability without tradeoffs -- but it also makes your work feel better -- making your organizational culture better and decreasing burnout. Jez and Nicole will share these findings as well as tips and tricks to help make your own DevOps transformation awesome.

AWS Summit Berlin 2013 - Keynote - 6wunderkinder

AWS Germany

O'Reilly Security New York - Predicting Exploitability Final

Michael Roytman

Security is all about reacting. It’s time to make some predictions. Michael Roytman explains how Kenna Security used the AWS Machine Learning platform to train a binary classifier for vulnerabilities, allowing the company to predict whether or not a vulnerability will become exploitable. Michael offers an overview of the process. Kenna enriches the data with more specific, nondefinitional-level data. 500 million live vulnerabilities and their associated close rates inform the epidemiological data, as well as “in the wild” threat data from AlienVault’s OTX and SecureWorks’s CTU, Reversing Labs, and ISC SANS. The company uses 70% of the national vulnerability database as its training dataset and generates over 20,000 predictions on the remainder of the vulnerabilities. It then measures specificity and sensitivity, positive predictive value, and false positive and false negative rates before arriving at an optimal decision cutoff for the problem.

Context Is King: The Developer Perspective on the Usage of Static Analysis Tools

Sebastiano Panichella

It’s our second all-Equifax “Open Source Insight,” as the Equifax breach unfortunately still leads the cybersecurity and open source security news cycle this week. As the Equifax breach has shown, open source security risks are a daunting reality. But that breach should never have happened — a known, fixable open source vulnerability not being remediated. Open source software — such as Apache Struts — comprises 80 to 90 percent of the code in modern applications, yet most organizations lack any visibility into the open source they are using. In response, Black Duck, the global leader in automated solutions for securing and managing open source software, announced this week the availability of a free-use tool that enables organizations to determine if they are at risk from the Apache Struts vulnerability that was exploited in the recent, high-profile Equifax breach.

The Intersection Between Open Source and Cybersecurity

Black Duck by Synopsys

We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.

Dependency check

David Karlsen

Symantec intelligence report august 2015

Symantec

August was a big month for zero-day vulnerabilities, in which a total of 11 were reported. This is by far the largest number disclosed in a given month to-date. Six of these zero-day vulnerabilities impact industrial control systems, devices used in industrial sectors and critical infrastructures, across five vendors. The vulnerabilities cover a wide range of possible attacks, including remote code execution and denial of service attacks. Two further zero-day vulnerabilities were discovered in the Apple OS X operating system. When used in tandem, these two vulnerabilities can cause memory corruption in the OS X kernel and gain the attacker escalated privileges on the compromised computer. These vulnerabilities come on the heels of a new OS X threat called OSX.Sudoprint. This threat exploits a local privilege escalation vulnerability in the OS X operating system, which was patched by Apple at the beginning of August. This threat comprised over 77 percent of the OS X threats we saw on OS X endpoints this month.

2021-10-14 The Critical Role of Security in DevOps.pdf

Savinder Puri

State of the Software Supply Chain Report 2017

Matthew Howard

2019 04-18 -DevSecOps-software supply chain

Cameron Townshend

DevOps Days Columbus - Derek Weeks - 2019

Sonatype

DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?

DevSecCon

Mitun Zavery Senior Engineer at Sonatype Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how both security and developers must work together to stop this trend. Or, risk losing the entire open source ecosystem. Analyze, and detail, the events leading to today’s “all-out” attack on the OSS industry Define what the future of open source looks like in today’s new normal Outline how developers can step into the role of security, to protect themselves, and the millions of people depending on them

Findings Revealed: 2015 State of the Software Supply Chain

Sonatype

Gain new insights on how to deliver higher quality software even faster -- with less unplanned, unscheduled rework. If you are using open source components as part of development you may be unknowingly sabotaging your efforts by introducing known vulnerabilities – shockingly there are 24 vulnerabilities in the average application. Hear the results of an extensive analysis of open source usage across 106,000 development organizations. We’ll be drawing analogies between modern software development and traditional manufacturing supply chains, focusing on proven steps to improve speed, efficiency and quality. Watch the on-demand recording.

[OWASP Poland Day] Application frameworks' vulnerabilities

OWASP

Patch Management Best Practices 2019

Ivanti

Patching is a hot topic in security breach after security breach. Patch management is likely the most well established security control out there, so why do so many companies struggle to achieve a good patch management strategy? Join us as we discuss the pitfalls of patching, the complications that still plague us, and best practices to help you fine tune your process—with a dash of just plain common sense thrown in. We will also look at ways Ivanti can help you get a handle on patch management using our latest security innovation, Patch Intelligence.

The unprecedented state of web insecurity

Vincent Kwon

Modernizing on IBM Z Made Easier With Open Source Software

DevOps.com

In the past decade, IDC has seen IBM Z evolve first from a siloed platform to what they call a "connected" platform, and then to a "transformative" platform. This transition has been driven by IBM, by the IBM Z software vendors, like Rocket Software, and by businesses themselves. IDC research shows that businesses that choose to modernize IBM Z achieve higher satisfaction than re-platformers and many are using open source software (OSS) in their modernization initiatives. Employing OSS makes it possible to crack the platform open and enable it to connect to the rest of the datacenter and the outside world. Join IDC guest speaker, Al Gillen and Peter Fandel as they take a deeper look at the value proposition associated with using commercially supported OSS in mission-critical environments, like IBM Z. In this webinar we’ll discuss: How OSS can neutralize the disparity between seasoned IBM Z and emerging developers The modernization initiatives that involve OSS What to consider before bringing OSS to IBM Z How Rocket Software is delivering commercially supported OSS to IBM Z

Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...

DevOps.com

With the growing adoption of Kubernetes, organizations want to take advantage of containerized Microsoft SQL Server 2019 to optimize transactional performance and accelerate time-to-insights from their business-critical data. However, as enterprises embrace hybrid cloud strategy, they need to consider several aspects based on the performance, cost and data protection requirements for running enterprise-grade SQL Server databases. In this webinar, we will compare and contrast various cloud-native platforms for SQL Server that would help CIOs, DevOps engineers, database administrators and applications architects to determine the most suitable platform that fits their business needs. Join us as we explore some exciting results from a recent performance benchmark study conducted by McKnight Consulting Group, an independent consulting firm, to compare the performance of Microsoft SQL Server 2019 on the best possible configurations of the following Kubernetes platforms: Diamanti Enterprise Kubernetes Platform Amazon Web Services Elastic Kubernetes Service (AWS EKS) Azure Kubernetes Service (AKS) Topics will include: Platform considerations and requirements for running Microsoft SQL Server 2019 Performance comparison and analysis of running SQL Server on various platform Best practices for running containerized SQL Server databases in Kubernetes environment

Developers are increasingly adopting a microservices approach for their apps in order to gain rapid iteration capabilities required for delivering new services faster. However, delivering the App still requires multiple steps such as allocation of virtual IPs, provisioning the front load balancer, configuring firewall rules, configuring a public domain, and DDOS. At present, each of these steps requires coordination across multiple teams with multiple iterations per team. The time efficiencies gained by adopting microservices and cloud-native technologies is negated due to the time taken to deliver the App. In this session, Pranav Dharwadkar, VP of products at Volterra, and Jakub Pavlik, director of engineering, will help you understand these challenges and introduce a distributed proxy architecture that can alleviate the challenges across different cloud environments. This webinar will include a live demo using a distributed proxy architecture to advertise an App publicly and privately. In this webinar, you will learn: The steps required to deliver an App using the current approaches How a distributed proxy architecture can be used to deliver the app publicly and privately The operational benefits of a distributed proxy architecture for delivering new services

Securing medical apps in the age of covid final

DevOps.com

The COVID-19 pandemic has drastically altered the connected healthcare landscape, accelerating the usage of telemedicine and other remote healthcare delivery systems by as much as 11,000% for some populations. How has this unprecedented push affected healthcare and medical device application security? The security team at Intertrust recently analyzed 100 Android and iOS medical apps to find out. In this webinar, we'll discuss: Medical application and device threat trends The top mHealth security vulnerabilities uncovered in our analysis Strategies to keep your mHealth apps safe Future advances in digital healthcare and how your security can evolve with it

How to Build a Healthy On-Call Culture

DevOps.com

Raise your hand if you enjoy being buried in alerts or woken up at 2 a.m. — yeah … thought so. Ever-rising customer expectations around high availability and performance put massive pressure on the teams who develop and support SaaS products. And teams are literally losing sleep over it. Until outages and other incidents are a thing of the past, organizations need to invest in a way of dealing with them that won’t lead to burn-out. In this session, you’ll learn how to combine the latest tooling with DevOps practices in the pursuit of a sustainable incident response workflow. It’s all about transparency, actionable alerts, resilience and learning from each incident.

The Evolving Role of the Developer in 2021

DevOps.com

The role of the developer continues to change as they sit on the front line of application and even cloud infrastructure security. Today, developers are focused on innovating fast and improving security, but how do high-performing teams accomplish this? They commit code frequently, release often and update dependencies regularly (608x faster than others). In this webinar, we'll discuss the key traits of high-performing teams and how that impacts the role of the developer. Key Takeaways: Choose the best third party dependencies Determine the lowest effort upgrades between open source versions Solve for issues in both direct and transitive dependencies with a single-click Block and quarantine suspicious open source components

Service Mesh: Two Big Words But Do You Need It?

DevOps.com

Today, one of the big concepts buzzing in the app development world is service mesh. A service mesh is a configurable infrastructure layer for microservices application that makes communication flexible, reliable and fast. Let’s take a step back, though, and answer this question: Do you need a service mesh? Join this webinar to learn: What a service mesh is; when and why you need it — or when and why you may not App modernization journey and traffic management approaches for microservices-based apps How to make an informed decision based on cost and complexity before adopting service mesh Learn about NGINX Service Mesh in a live demo, and how it provides the best service mesh option for container-based L7 traffic management

Secure Data Sharing in OpenShift Environments

DevOps.com

Red Hat OpenShift is enabling quicker adoption of DevOps practices. Containers are an essential component of DevOps and the OpenShift Kubernetes Container Platform is integral for orchestration within these environments. Data security is now challenged to keep pace with the size and scope of container usage. The migration from legacy in-house deployments to hybrid-cloud installations has created new attack surfaces as data is shared more freely in Kubernetes deployments. Protecting data at rest and in motions is a necessity. Learn how you can keep data protected and securely share data in OpenShift environments with real-time data protection solutions.

How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...

DevOps.com

Managing access permissions in the public cloud can be a very complex process. In fact, by 2023, 75% of cloud security failures will result from the inadequate management of identities, access and privileges, according to Gartner. Join us as Guy Flechter, CISO of AppsFlyer, presents a real-world case of how his company works to enforce least-privilege and to govern identities in their cloud. This webinar will also provide an overview of how to govern access and achieve least privilege by analyzing the access permissions and activity in your public cloud environment. With thousands of human and machine identities, roles, policies and entitlements, this webinar will give you the tools to examine the access open to people and services in your public cloud, and determine whether that access is necessary. In this workshop, you will learn about: The risks of IAM misconfiguration and excessive entitlements in cloud environments The challenges in identifying and mitigating Identity and access risks for both human and machine identities How to automate cloud identity governance and entitlement management with Ermetic

Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...

DevOps.com

Open-source machine learning can be transformative, but without the proper tools in place, enterprises struggle to balance the IT security and governance requirements with the need to deliver these powerpoint tools into the hands of their developers and modelers. How can organizations get the latest technology from the open-source brain trust, while ensuring enterprise-grade management and security? In this webinar, we will discuss how Anaconda Team Edition, available on RedHat Marketplace, enables IT departments to mirror a curated set of packages into their organization in a safe and governed way. Join Michael Grant, VP of services at Anaconda, to discuss: How IT organizations are using Anaconda Team Edition to curate, govern and secure Python and R packages Tips for how development and data science teams can get the most out of Team Edition, from uploading your own packages to building custom channels for groups or projects How to distribute conda environments to desktops, servers and clusters: GUI-based installers for desktop users “Conda packs” for automated delivery to remote servers and distributed computing clusters Conda-enabled Docker containers for application deployment

More from DevOps.com (20)

Modernizing on IBM Z Made Easier With Open Source Software

Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...

Next Generation Vulnerability Assessment Using Datadog and Snyk

Vulnerability Discovery in the Cloud

2021 Open Source Governance: Top Ten Trends and Predictions

A New Year’s Ransomware Resolution

Getting Started with Runtime Security on Azure Kubernetes Service (AKS)

Don't Panic! Effective Incident Response

Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture

Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport

Monitoring Serverless Applications with Datadog

Deliver your App Anywhere … Publicly or Privately

Securing medical apps in the age of covid final

How to Build a Healthy On-Call Culture

The Evolving Role of the Developer in 2021

Service Mesh: Two Big Words But Do You Need It?

Secure Data Sharing in OpenShift Environments

How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...

Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...

Recently uploaded

Orion Context Broker introduction 20240604

Fermin Galan

Launch Your Streaming Platforms in Minutes

Roshan Dwivedi

The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown: Pros of Speedy Streaming Platform Launch Services: No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge. Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker. All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations. Things to Consider: Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions. Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option. Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options). Examples of Services for Launching Streaming Platforms: Muvi [muvi com] Uscreen [usencreen tv] Alternatives to Consider: Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited. Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform. Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.

Vitthal Shirke Microservices Resume Montevideo

Vitthal Shirke

Lecture 1 Introduction to games development

abdulrafaychaudhry

Enhancing Research Orchestration Capabilities at ORNL.pdf

Globus

Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...

Juraj Vysvader

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Google

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-pilot-review/ AI Pilot Review: Key Features ✅Deploy AI expert bots in Any Niche With Just A Click ✅With one keyword, generate complete funnels, websites, landing pages, and more. ✅More than 85 AI features are included in the AI pilot. ✅No setup or configuration; use your voice (like Siri) to do whatever you want. ✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It… ✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again. ✅ZERO Limits On Features Or Usages ✅Use Our AI-powered Traffic To Get Hundreds Of Customers ✅No Complicated Setup: Get Up And Running In 2 Minutes ✅99.99% Up-Time Guaranteed ✅30 Days Money-Back Guarantee ✅ZERO Upfront Cost See My Other Reviews Article: (1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review

OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam

takuyayamamoto1800

APIs for Browser Automation (MoT Meetup 2024)

Boni García

BoxLang: Review our Visionary Licenses of 2024

Ortus Solutions, Corp

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Top 7 Unique WhatsApp API Benefits | Saudi Arabia

Yara Milbes

Discover the transformative power of the WhatsApp API in our latest SlideShare presentation, "Top 7 Unique WhatsApp API Benefits." In today's fast-paced digital era, effective communication is crucial for both personal and professional success. Whether you're a small business looking to enhance customer interactions or an individual seeking seamless communication with loved ones, the WhatsApp API offers robust capabilities that can significantly elevate your experience. In this presentation, we delve into the top 7 distinctive benefits of the WhatsApp API, provided by the leading WhatsApp API service provider in Saudi Arabia. Learn how to streamline customer support, automate notifications, leverage rich media messaging, run scalable marketing campaigns, integrate secure payments, synchronize with CRM systems, and ensure enhanced security and privacy.

Vitthal Shirke Java Microservices Resume.pdf

Vitthal Shirke

May Marketo Masterclass, London MUG May 22 2024.pdf

Adele Miller

Enterprise Software Development with No Code Solutions.pptx

QuickwayInfoSystems3

In the ever-evolving landscape of technology, enterprise software development is undergoing a significant transformation. Traditional coding methods are being challenged by innovative no-code solutions, which promise to streamline and democratize the software development process. This shift is particularly impactful for enterprises, which require robust, scalable, and efficient software to manage their operations. In this article, we will explore the various facets of enterprise software development with no-code solutions, examining their benefits, challenges, and the future potential they hold.

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

Introduction to Pygame (Lecture 7 Python Game Development)

abdulrafaychaudhry

A Sighting of filterA in Typelevel Rite of Passage

Philip Schwarz

Globus Compute wth IRI Workflows - GlobusWorld 2024

Globus

As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.

Cracking the code review at SpringIO 2024

Paco van Beckhoven

Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production. Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process? In this session we will cover: - The Art of Effective Code Reviews - Streamlining the Review Process - Elevating Reviews with Automated Tools By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces

Recently uploaded (20)

Orion Context Broker introduction 20240604

Launch Your Streaming Platforms in Minutes

Vitthal Shirke Microservices Resume Montevideo

Lecture 1 Introduction to games development

Enhancing Research Orchestration Capabilities at ORNL.pdf

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam

APIs for Browser Automation (MoT Meetup 2024)

BoxLang: Review our Visionary Licenses of 2024

Essentials of Automations: The Art of Triggers and Actions in FME

Top 7 Unique WhatsApp API Benefits | Saudi Arabia

Vitthal Shirke Java Microservices Resume.pdf

May Marketo Masterclass, London MUG May 22 2024.pdf

Enterprise Software Development with No Code Solutions.pptx

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Introduction to Pygame (Lecture 7 Python Game Development)

A Sighting of filterA in Typelevel Rite of Passage

Globus Compute wth IRI Workflows - GlobusWorld 2024

Cracking the code review at SpringIO 2024

Post-Equifax: How to Trust But Verify Your Software Supply Chain

1. Post-Equifax How to Trust But Verify Your Software Supply Chain

2. Today’s Panel Derek E. Weeks VP and DevOps Advocate Sonatype @weekstweets David Blevins CEO Tomitribe @dblevins Colin Wynd VP Common Services Federal Reserve Bank NY @colinwynd

3. Post Equifax: The New Normal

4. 5 Month Opportunity to Take Corrective Action Large Scale Exploit March 10 Equifax applications breached through Struts2 vulnerability AprMar May Jun Jul Aug Sept March 7 Apache Struts releases updated version to thwart vulnerability CVE-2017-5638 July 29 Breach is discovered by Equifax. Sept 7 A new RCE vulnerability is announced and fixed. CVE-2017-9805 Probing Hack Crisis Management

5. TIME TO RESPOND BEFORE EXPLOITSource: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 2011 2012 2013 2104 2015 10 20 30 40 50 0 AverageDaystoExploit Average 45 15 2017

6. Software Supply Chains

7. Say Hello to Your Software Supply Chain… @weekstweets

8. 59 52 @sonatype

9. 80% to 90% of modern apps consist of assembled components.

10. Not All Parts Are Created Equal

11. 233 days MeanTTR 119 days MedianTTR 122,802 components with known vulnerabilities 19,445 15.8% fixed the vulnerability TIME TO REPAIR OSS COMPONENTS @weekstweets

12. @weekstweets @weekstweets

13. Trusted Partially Trusted Untrusted Reliably sourced without any digital risk accessing Some attributes of trust but no confirmation No demonstrable proof of trust Level of trust Burdentoverifyandlevelofrisk Source: Gartner, May 2017 HOW CAN TECHNOLOGY AND PROCESS HELP?

14. Ultimately responsible. Ultimately liable?

15. Unsafe at Any Speed: The Designed-In Dangers of the American Automobile. Ralph Nadar 1965 Photo Credit: www.automobilemag.com

16. TRUSTED SOFTWARE SUPPLY CHAINS

17. Businesses decide where and how to invest in cybersecurity based on a cost-benefit assessment but they are ultimately liable for the security of their data and systems. U.K.’s National Cyber Security Strategy 2016 - 2021

18. Thank You.

Post-Equifax: How to Trust But Verify Your Software Supply Chain

Recommended

Recommended

More Related Content

Similar to Post-Equifax: How to Trust But Verify Your Software Supply Chain

Similar to Post-Equifax: How to Trust But Verify Your Software Supply Chain (20)

More from DevOps.com

More from DevOps.com (20)

Recently uploaded

Recently uploaded (20)

Post-Equifax: How to Trust But Verify Your Software Supply Chain