Olle Segerdahl, F-Secure
Pasi Saarinen, F-Secure
A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems[1]. Today, most seem to believe that these attacks are too impractical for real world use. Microsoft has played down the threat of memory remanence attacks against BitLocker using words such as "they are not possible using published techniques"[2].
We will show techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available laptops and tablets. These techniques allow bypassing of security controls such as password protected BIOS configuration, UEFI-based Secure Boot and the TCG Platform Reset Attack Mitigation by directly manipulating the firmware storage device (EFI SPI flash chip).
[1] https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf
[2] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure
Zhuo Ma, Tencent
USB is one of the most common interfaces supported on modern computers. Modern OSes ship many USB drivers to support frequently used USB device classes. For other third-party USB devices, Microsoft provides automatic driver download and installation via the Windows AutoUpdate Service. In this talk, we consider this a novel attack surface exposed by Windows.
We set out to assess vulnerabilities in the USB drivers delivered via the Windows AutoUpdate Service, which can be automatically installed and run after a device is plugged in. Obviously, these drivers are all designed for real USB devices, and they have to talk to the device while running.
So the biggest obstacle to assessing these drivers is that we cannot obtain real USB devices for all of them. To overcome this, we developed a system to emulate these USB devices, and then fuzz the drivers against the emulated devices. With this system we can fuzz device drivers without the real USB hardware. Furthermore, we can precisely fuzz every stage of driver loading, feeding any custom data to the drivers to trigger vulnerabilities. The system supports IO Control Code fuzzing as well. All of this can be done automatically.
We tested about 6000 drivers, and fuzzing yielded hundreds of crashes. IO Control fuzzing also gave reasonable results. The talk is divided into three parts: the first covers how we obtained the list of automatically installed USB drivers and how to analyze them automatically; the second covers the fuzzing system we designed, including its architecture, ways of emulating devices and key design points; the last shows some vulnerabilities we found with this system.
Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protectio... | EmbeddedFest
The talk will present a security solution from Samsung called FIVE. The goal of FIVE is to monitor the integrity of Android processes and to detect malicious attempts to modify original applications and system components.
We will discuss possible attack scenarios targeting application integrity, dive into the installation process of Java applications, and describe the problems involved in computing and subsequently verifying the integrity of native and Java programs. Finally, we will show exactly how FIVE protects the integrity of Android applications on Samsung phones.
How do you continue to ship 50 times a day, when you're constantly hiring more engineers? How can you continue, when every day you write more tests that need to be run on every commit? This talk will cover how to scale up Continuous Integration and Continuous Deployment infrastructure, for teams as small as a handful of engineers and as large as hundreds of engineers.
Evolving Your Security Mindset w/ Bankim Tejani | DevSecOps Days
From DevSecOps Days at RSA Conference SF 2018
Abstract
What is DevSecOps? It is not one thing, but multiple journeys integrally embedded together - DevOps, Security, Agile*, Cloud, Containers, CI/CD, and many more. So aligning to DevSecOps IS daunting, and IS many changes all at once - a scary journey with so many unknowns.
How can security approaches & paradigms scale to match the velocity of software development & cloud-based operations? the adaptability & flexibility of agile and containerization? the automation of CI/CD and API-driven configuration? How will updating your security mindset to integrate with DevOps help your business win?
Evolving your security mindset will help you embrace and succeed with DevSecOps
About Bankim Tejani
Bankim Tejani is an innovative security leader who has spent over 20 years developing software, conducting security research, assessing applications’ security, training developers and security professionals, and consulting to improve security within the SDLC. He has worked with various sectors including financial services, insurance, test & measurement, government, startups, cloud technologies, software security, and more.
Bankim is presently building security in at Under Armour Connected Fitness, while also an active member of Austin’s OWASP Chapter and conference organizer for LASCON (Lonestar Application Security Conference).
STIG Compliance and Remediation with Ansible | Ansible
Secure your environment with the Ansible STIG Role for RHEL 6.
Learn how to:
Get started with Ansible Core
Install the STIG Role
Remediate and validate STIG findings
Use Ansible Tower to fully automate STIG compliance
Smart Platform Infrastructure with AWS | James Huston
Learn from some of our insights and create a smart infrastructure that lets your team sleep at night!
Presented @DevOpsDays_CLT Feb 2017 by James Huston @hustonjs
Squeeze Maximum Performance from your Hosting Platform | SiteGround.com
The presentation covers useful insights and benchmark tests on how the performance (and security) of PHP/MySQL based applications can be significantly improved through different tweaks done at server administration level (Linux/Apache). It also examines several different types of hosting platforms: dedicated, virtual/cloud and shared, and how they can influence the CMS application speed and security.
A presentation delivered by SiteGround CEO at CMS Expo - Chicago, May 8-10 2012.
Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early. In this post, Vedamanikandan explains continuous integration.
Installation of IBM Connections is very time consuming, and a lot of the work is repetitive and exactly the same on all deployments. In this session you will see how you can automate the installation of prerequisites, the installation of IBM Connections itself and finally how you can automate post-install tasks. Come and see how silent installers help you save a lot of your time.
Christoph Stöttner & Klaus Bild
Two Years, Zero servers: Lessons learned from running a startup 100% on Serve... | Cloud Native Day Tel Aviv
Running Highly Available Large Scale Systems is a lot of work. For the past 2.5 years, we've been running 100% serverless on a full production environment, serving customers worldwide. No VMs, no containers, no Kubernetes. Just code.
In this session I will present why we decided to go fully serverless at Torii, how it helped us move faster than our competitors, where serverless computing worked best and where there's more work to be done.
This presentation shows what problems you can have when running the JVM in "god mode". But you can run a JVM in sandboxed mode with the Security Manager.
It's just a matter of creating the right policy file.
Yes, it's hard to do.
Will you take the blue pill or the red pill?
Cloud infrastructures - Slide Set 6 - BOSH | anynines | anynines GmbH
The basic training Cloud Foundry BOSH describes the features and architecture of BOSH and ends with a practical example in the form of a demonstration of a BOSH release. This contains the BOSH components such as Bosh Director, Bosh Health Monitor, Bosh Worker, Bosh Agent and the Bosh Stemcell. The concepts Bosh Release, Bosh Job and Bosh Deployment are separated from each other.
Automated System Compliance From the Inside Out | OnyxPoint Inc
Policy compliance for systems has been a hot topic for 2017. The Puppet ecosystem provides an excellent set of tools for both automating the initial security and compliance foundation of your systems and, more importantly, ensuring that they stay compliant over time. This talk will pull from the experience that we have gained while developing the SIMP Project and provide both guidelines, and examples, for keeping your systems in compliance with both public and internal policies. This presentation will cover:
* Translating policy from source to intent
* Mapping class and defined type parameters to policy
* Detecting parameter deviation from policy
* Enforcing framework-level compliance from Hiera
* Compliance evaluation during test
* Compliance evaluation after deployment
* Correlation and reporting
The audience should leave with an understanding of how they can both implement a compliant infrastructure as well as working with their internal security personnel to ensure that the compliance status of their infrastructure is well understood and enforced.
Automating IT management with Puppet + ServiceNow | Puppet
As the leading IT Service Management and IT Operations Management platform in the marketplace, ServiceNow is used by many organizations to address everything from self service IT requests to Change, Incident and Problem Management. The strength of the platform is in the workflows and processes that are built around the shared data model, represented in the CMDB. This provides the ‘single source of truth’ for the organization.
Puppet Enterprise is a leading automation platform focused on the IT Configuration Management and Compliance space. Puppet Enterprise has a unique perspective on the state of systems being managed, constantly being updated and kept accurate as part of the regular Puppet operation. Puppet Enterprise is the automation engine ensuring that the environment stays consistent and in compliance.
In this webinar, we will explore how to maximize the value of both solutions, with Puppet Enterprise automating the actions required to drive a change, and ServiceNow governing the process around that change, from definition to approval. We will introduce and demonstrate several published integration points between the two solutions, in the areas of Self-Service Infrastructure, Enriched Change Management and Automated Incident Registration.
Simplified Patch Management with Puppet - Oct. 2020 | Puppet
Does your company struggle with patching systems? If so, you’re not alone — most organizations have attempted to solve this issue by cobbling together multiple tools, processes, and different teams, which can make an already complicated issue worse.
Puppet helps keep hosts healthy, secure and compliant by replacing time-consuming and error prone patching processes with Puppet’s automated patching solution.
Join this webinar to learn how to do the following with Puppet:
Eliminate manual patching processes with pre-built patching automation for Windows and Linux systems.
Gain visibility into patching status across your estate regardless of OS with new patching solution from the PE console.
Ensure your systems are compliant and patched in a healthy state
How Puppet Enterprise makes patch management easy across your Windows and Linux operating systems.
Presented by: Margaret Lee, Product Manager, Puppet, and Ajay Sridhar, Sr. Sales Engineer, Puppet.
UiPath Test Automation using UiPath Test Suite series, part 3 | DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI support | Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview | Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Essentials of Automations: Optimizing FME Workflows with Parameters | Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GraphRAG is All You need? LLM & Knowledge Graph | Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
DevOps and Testing slides at DASA Connect | Kari Kakkonen
Slides by Rik Marselis and me at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally, we had a lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... | DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and Grafana | RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Key Trends Shaping the Future of Infrastructure.pdf | Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf | 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
The Art of the Pitch: WordPress Relationships and Sales | Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... | BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality | Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
A State retirement services provider contacted me a year ago. They had to solve a major problem.
They are a Windows shop. Being a Government organization they must harden every application server. They were doing it by hand.
They were plagued with outages. They could not meet demand. Administrators spent long nights keeping the machines going.
They had a lot to worry about. People relied on this organization to pay their bills and receive their benefits.
If a server went down, or demand increased, customers suffered.
It took almost a full day to stand up a new application server. Even then, the server would be plagued by the problems manual work creates.
Further, they couldn’t pass an audit. They often found security holes on review.
I was referred to them, and told them “I have exactly what you are looking for.” Were we able to help them? Let’s return to this in a little bit.
Use Puppet to meet STIG hardening requirements.
On the Puppet forge you’ll find the secure_windows module. It hardens Windows Server 2016 to STIG standards.
Assign this class to your new Windows Server 2016 nodes and Puppet will ensure that they are hardened. Without doing anything further, you now have a safe environment.
I can’t think of any platform that makes it this easy. Best of all, if you are already using Puppet, no further purchase is necessary.
At 12:17 the Puppet agent runs again and we find that the password maximum age had been changed to 90 days. Of course Puppet put it back. But that’s not all you're getting.
If we had relied on the domain controller to make the change, it would also have been put back. However, we would never have known that this change occurred. Further, we now have an approximate time at which the change occurred, so we can launch an investigation and find the culprit.
In our case it turned out that the culprit was a well-meaning sysadmin who had been instructed to bump up the password expiration time. He was shown how to do it using Hiera.
A single line in Hiera will turn off enforcement of this requirement:

```yaml
secure_windows::stig::v73317::enforced: false
```

Not only is turning off enforcement simple; we get several other advantages. We can view our exceptions in Hiera at any time. We can show auditors what is turned off. Finally, we can show auditors who turned off the enforcement and when it occurred.
Let’s say you’re tasked with finding out what changes need to be made in your organization to bring it up to the STIG requirements.
Puppet has a unique ability to tell you ‘what’ changes it will be making, without making them.
What do I mean? Puppet can be run in a no-operation (noop) mode. This means we can run our module against a Windows server and see what changes it would make, without actually making them.
secure_windows comes with a Bolt plan that will show the changes that ‘will’ be made if the module is applied. This report was run against a new server.
You can see it details the resource, the STIG number and a message about what will change. You now have a handy report you can bring to your management to show the change.
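The same kind of report can be produced directly from a noop run. The script below is an added example, not code from the article or from the secure_windows module; it assumes the module's classes carry the STIG ID in their name (as the Hiera key `secure_windows::stig::v73317` on the page suggests), and the sample agent output it parses is constructed.

```python
"""Turn `puppet agent --noop` output into a STIG change report.
Added example, not code from the article or the secure_windows module. It assumes
the module's classes carry the STIG ID in their name (as the page's Hiera key
secure_windows::stig::v73317 suggests). Sample output is constructed."""
import re
from typing import Dict, List

# A pending change in noop mode prints as:
#   Notice: /Stage[main]/<classes>/<Type>[<title>]/<property>: current_value X, should be Y (noop)
NOOP_LINE = re.compile(
    r"^Notice: (?P<path>/Stage\[main\]/(?P<cls>.+)/(?P<resource>[^/]+)/(?P<prop>\w+)): "
    r"current_value (?P<current>.+?), should be (?P<desired>.+?) \(noop\)$"
)
STIG_ID = re.compile(r"::Stig::V(\d+)", re.IGNORECASE)  # class name -> STIG finding ID

# Constructed sample; types, titles and values are illustrative. The repeated line
# stands in for a resource reported twice in one run.
SAMPLE_NOOP_OUTPUT = r"""Info: Applying configuration version '1567000000'
Notice: /Stage[main]/Secure_windows::Stig::V73317/Local_security_policy[Maximum password age]/policy_value: current_value 90, should be 60 (noop)
Notice: /Stage[main]/Profile::Base/Registry_value[HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse]/data: current_value 0, should be 1 (noop)
Notice: /Stage[main]/Secure_windows::Stig::V73317/Local_security_policy[Maximum password age]/policy_value: current_value 90, should be 60 (noop)
Notice: Class[Secure_windows::Stig::V73317]: Would have triggered 'refresh' from 1 event
Notice: Applied catalog in 4.21 seconds
"""

def parse_noop_report(output: str) -> List[Dict[str, str]]:
    """One record per pending change, de-duplicated, in first-seen order."""
    seen, records = set(), []
    for line in output.splitlines():
        m = NOOP_LINE.match(line.strip())
        if not m or m["path"] in seen:
            continue  # banners, refresh notices, timing lines and repeats
        seen.add(m["path"])
        stig = STIG_ID.search(m["cls"])
        records.append({"stig_id": f"V-{stig.group(1)}" if stig else "(no STIG mapping)",
                        "resource": f"{m['resource']}/{m['prop']}",
                        "current": m["current"], "desired": m["desired"]})
    return records

def render_report(records: List[Dict[str, str]]) -> str:
    """Plain-text table of STIG ID, current value, required value and resource."""
    rows = [f"{'STIG':<10}{'Current':>8}{'Required':>10}  Resource/property"]
    rows += [f"{r['stig_id']:<10}{r['current']:>8}{r['desired']:>10}  {r['resource']}" for r in records]
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_report(parse_noop_report(SAMPLE_NOOP_OUTPUT)))
```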
Now let’s take a different example. You are at a new company. The day has arrived. It’s now time to move to the cloud. The question gets asked: how do we move our custom security setup? It’ll take months. We will need weeks to manually review each domain controller and make sure it’s set up correctly.
Here’s where we can leverage Puppet once again to help us. The security configurations are recognized by Puppet and can be reverse engineered through the `puppet resource` command.
Let’s get a list of Audit Policies we want to move.
Now that you have a complete set of resources you can pick up and export these to a new cloud, or datacenter.
We have heard stories about companies spending years syncing up their computers when creating an initial baseline. Now this work can be done in minutes, is auditable, and is enforceable.
Now that you’ve created your security baseline, what else can you do? How about deploying an application server!
Puppet Forge has a module for that too:
This module will harden your IIS environment to CIS standards.
Who else hardens IIS? There is probably software out there that does, but a quick Google search doesn’t turn up any hits.
So how did this help our State Department?
Eight hours is a long time to stand up an application server. More than once their services went down because they didn’t scale.
They began using Puppet to deploy the IIS CIS module. Hardening went from hours to minutes. They now have a system that can be audited. They can scale in an emergency. And, they now have an accelerated path to the cloud.