Building enterprise software is difficult. Building secure enterprise software is even harder. In a modern, agile, software company, there are dozens of factors that could easily fight against a goal of building secure software. This talk will explore the pitfalls and achievements of attempting to reach "near-zero" security flaws in software products at a fast growing startup.
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...Simone Onofri
This document discusses how to take an agile approach to security project management and testing. It defines agile as an iterative approach where requirements and solutions evolve through collaboration. The key aspects of agile security project management covered are:
- Using agile techniques like planning poker, timeboxing, and MoSCoW prioritization to plan and manage security testing projects.
- Integrating security testing into the agile software development lifecycle through techniques like defining security acceptance criteria, implementing "evil user stories", and pairing programmers with security experts.
- Managing vulnerabilities found during testing through techniques like blocking work items in a kanban board until vulnerabilities are retested and resolved.
The document provides examples and tips
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019Codemotion
Delivering small and fast means we are more frequently introducing new vulnerabilities. We're facing new threats that come from cloud computing and the internet of things. Traditional cycles of pentests and code reviews are not keeping up. DevSecOps focuses on integrating security in our processes and teams. Automate first and fail fast will help build security in, and will also support the growth of awareness in the teams. Kim will show the practical lessons learned from her journey. Get an overview of the current continuous security landscape and the practical insights and pitfalls.
Kim van Wilgen - Continuous security - Codemotion Rome 2019Codemotion
Delivering small and fast means we are more frequently introducing new vulnerabilities. We're facing new threats that come from cloud computing and the internet of things. Traditional cycles of pentests and code reviews are not keeping up. DevSecOps focuses on integrating security in our processes and teams. Automate first and fail fast will help build security in, and will also support the growth of awareness in the teams. Kim will show the practical lessons learned from her journey. Get an overview of the current continuous security landscape and the practical insights and pitfalls.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
Continuous Security: Zap security bugs now Codemotion-2015Carlo Bonamico
The document discusses the concept of "continuous security" as an alternative to the "security sandwich" approach of defining security requirements up front, writing code, and then testing for security issues at the end. It advocates embedding security validation across the entire software development lifecycle through techniques like threat modeling, design reviews, secure coding practices, vulnerability testing of prototypes and new features, logging of security events in production, and non-regression security testing of updates. This continuous approach helps identify and fix security issues earlier when costs are lower. It also helps developers continuously learn and apply lessons to other parts of the project. A combination of manual and automated testing techniques at different stages is recommended.
A DevSecOps Tale of Business, Engineering, and PeopleJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
Top 10 Practices of Highly Successful DevOps Incident Management TeamsDeborah Schalm
Managing incidents in a DevOps environment is a near insurmountable task. With shared responsibilities and on-call rotations, anyone might be called into a system firefight at any time. Accepting failure and the problems created by complex systems is a core tenet of DevOps thinking, and helping your team respond to incidents more effectively is key.
Matthew Boeckman has served on the frontlines of DevOps incident management for 19 years. He’s seen it all and is an expert on building teams and workflows to support effective alerting, clear communication, and rapid recovery.
Abstract:
Cybercrime in its various forms is expected to cost the world more than US$6 trillion per year by 2021. There are nearly 1 Million Viruses and Malware created daily. With the increased usage of open source and third-party components, it becomes challenging to ensure these externally developed components do not introduce security vulnerabilities into the final product. While adoption of Agile practices leads to continuous software releases, security checks get pushed towards the end of the release cycle. This more often than not leads to uncomfortable situations, and it often leads to delays as well. With higher code velocity comes the challenge of making sure every change is secure.
Security can no longer remain an afterthought; it has to be integrated at every stage of the software delivery life-cycle (design for security, secure coding, security testing, penetration testing in staging, and security monitoring in production). These controls can be tightly integrated into the DevOps pipeline and become operational much like monitoring tools. Engineering teams have to continuously test for security at the Development, QA and Staging phases. This session will explore how to integrate the ecosystem of technologies to build security checks into all phases of software development, such as Architecture, Design and Implementation, in order to create a true DevSecOps practice.
Key Takeaways:
1. What is the impact of Lean and Agile practices on Security verification?
2. How does adoption of open source and third-party software increase the challenges of keeping our products secure?
3. How can you perform Security testing continuously in different phases of Agile software development?
4. How can adoption of DevSecOps practices lead to a culture of Continuous Security testing?
5. How to integrate tools and technologies to perform security checks in all phases of software development?
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
This document discusses Agile software development and Scrum, an Agile framework. It provides an overview of Scrum roles like the Product Owner and ScrumMaster, the Scrum process involving sprints, daily stand-ups, sprint reviews and retrospectives. The goal of Scrum is to deliver working software frequently through short iterative cycles, collaboration and responding to change. Many large companies have adopted Scrum for its benefits of faster delivery, increased quality and transparency.
The New Ways of DevSecOps - The Secure Dev 2019James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Agile Testing for Embedded and IoT Software DevelopmentTechWell
Much of the success of agile adoptions is due to the automated testing approach used in agile projects. Because many of these techniques were pioneered in the development of web applications, it can be difficult to see how these techniques can be leveraged for a project where software is being built for an embedded or Internet of Things (IoT) application. Thomas Stiehm describes ways to leverage agile testing techniques for embedded systems. Whether you are building a medical device, embedded controller, or IoT device, learn how to leverage these testing practices to create fully automated tests that fit into a DevOps build pipeline and help your team create higher-quality, more reliable software. Test automation, the best way to maintain and execute a comprehensive suite of regression tests, allows you to maintain control of your testing process while increasing test coverage. Join Thomas to see how you can take control of your test process by stepping up your test automation to the next level.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
This document outlines an approach for integrating security into the software development lifecycle (SDLC) using DevSecOps principles. It discusses how security can shift left by being incorporated into various phases of product development and delivery, including product management, design, development, deployment, defect management, and monitoring. It provides examples of how to integrate security practices and tools at each stage. The goal is to establish security as a critical product feature rather than an afterthought, and foster collaboration between security and development teams through a DevSecOps model and maturity criteria.
The future of companies runs through constant digital transformation, and for that it is essential to maintain applications that meet customers' requirements and, above all, are secure. In this scenario the concept of DevSecOps was born, describing a set of practices for integration between software development teams. In this talk we will learn more about the concepts and how to apply DevSecOps in practice. We will provoke "healthy" discussions about the traditional development model and this agile model that is bringing a major paradigm shift in how applications are built.
Meetup - DevSecOps: Putting Security on the Pipeline
Material presented at the 12th Scrum-Aplicado Meetup - 18/09/2019 at 19:00.
Maturing DevSecOps: From Easy to High ImpactSBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
- Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
- Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
- Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
This talk was presented at NoVA UX event on August 21, 2019. One year ago Jim Lane joined Virtru, a data protection and privacy organization in Washington DC, to build out UX as a discipline in a seven-year-old security company. In his talk Jim outlines establishing a charter, hiring a team, establishing user-centered product development process, choosing tools for scale and speed, and design strategy.
Security Champions - Introduce them in your OrganisationIves Laaf
How to establish secure software development and train teams: a methodology based on the concept of security champions and OWASP tools and guides.
Talk about application security in an agile world. How can security be integrated into agile, and how can DevSecOps be leveraged to achieve security at scale and at speed?
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdom of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I'm going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] What we're going to cover in these three core areas: we'll focus on establishing a security Culture, we'll look at developing and scaling security Processes, and we'll look at Governance for ensuring visibility and executive accountability.
Shift Left Security - The What, Why and HowDevOps.com
This document discusses shift-left security, which involves moving security practices earlier into the software development lifecycle to proactively address risks rather than reactively. It notes that only 20% of organizations consistently integrate security early in DevOps processes. Shift-left security is important because traditional security teams cannot keep up with development speeds. The document outlines how to implement shift-left security through automating security practices, using control gates, and learning from production environments. It argues containers help shift security left through their minimal, declarative, and predictable nature which simplifies security requirements and policy automation.
Software Engineer is a title that a lot of people give themselves without applying the principles and best practices that differentiate them from a Developer. This presentation is about the differences between a Developer and a Software Engineer and why they are crucial.
Better Software East 2016: Evolving Automated to ContinuousParasoft
Evolving from Automated to Continuous Testing
Testing issues can be a significant barrier to taking full advantage of agile approaches to software development and the emerging DevOps movement. To leverage these development and delivery strategies to their fullest, you need to evolve beyond automated testing to continuous testing.
Arthur Hicken discusses the testing and development processes and technology that enable continuous testing. He shares insights on how to close the gap between business expectations and development activities by clearly defining development policies for software releases.
Arthur describes how to prevent defects in code and prioritize defect remediation before a release candidate goes live. Explore ways to build realistic test environments and simulations—critical features of the dev/test infrastructure—that enable continuous testing.
Learn how to create a feedback loop that exposes defect patterns while highlighting opportunities to improve application design. Take back a comprehensive to-do list for the processes and infrastructure that must be in place for your organization to implement continuous testing and accelerate the SDLC.
Women in Innovation - Risk Register: What Could Possibly Go WrongKTN
The aim of this workshop is to provide tools and insights on how to address the inherent risks of any project and how to apply this to your application. We will deep dive into the Risk Register:
- What is it and why do I need one?
- Format and approaches of different Risk Registers
- What risks should be included and where to get this information
- How to use a Risk Register as an on-going reporting tool
Imagine you’re a shepherd overseeing a huge flock of sheep. How do you keep track of all those little fluff-balls to make sure they’re all accounted for? Such is the plight of an asset manager… who normally resorts to spreadsheets to track his flock of hardware and software. It’s easy to misplace assets when you’re maintaining and manually updating a spreadsheet.
Scott Middleton gave a presentation on how new technology is impacting product management. He discussed several emerging technologies like crowd sourcing, computer vision, chat/voice assistants, and product analytics tools. He noted some technologies like A/B testing may be "dead" and new tools allow for more narrow and automatic actions. Roadmap tools can now identify relationships.
Phil Laufenberg then spoke about navigating the hype around new technologies. He recommended using Gartner's Hype Cycle to explore emerging technologies. He also emphasized focusing on customer value and business benefits over just implementing new technologies. A framework of innovating, designing, and implementing based on customer desirability, commercial viability, and technical feasibility can help decrease
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
This document discusses Agile software development and Scrum, an Agile framework. It provides an overview of Scrum roles like the Product Owner and ScrumMaster, the Scrum process involving sprints, daily stand-ups, sprint reviews and retrospectives. The goal of Scrum is to deliver working software frequently through short iterative cycles, collaboration and responding to change. Many large companies have adopted Scrum for its benefits of faster delivery, increased quality and transparency.
The New Ways of DevSecOps - The Secure Dev 2019James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Agile Testing for Embedded and IoT Software DevelopmentTechWell
Much of the success of agile adoptions is due to the automated testing approach used in agile projects. Because many of these techniques were pioneered in the development of web applications, it can be difficult to see how these techniques can be leveraged for a project where software is being built for an embedded or Internet of Things (IoT) application. Thomas Stiehm describes ways to leverage agile testing techniques for embedded systems. Whether you are building a medical device, embedded controller, or IoT device, learn how to leverage these testing practices to create fully automated tests that fit into a DevOps build pipeline and help your team create higher-quality, more reliable software. Test automation, the best way to maintain and execute a comprehensive suite of regression tests, allows you to maintain control of your testing process while increasing test coverage. Join Thomas to see how you can take control of your test process by stepping up your test automation to the next level.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps have created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions about how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
This document outlines an approach for integrating security into the software development lifecycle (SDLC) using DevSecOps principles. It discusses how security can shift left by being incorporated into various phases of product development and delivery, including product management, design, development, deployment, defect management, and monitoring. It provides examples of how to integrate security practices and tools at each stage. The goal is to establish security as a critical product feature rather than an afterthought, and foster collaboration between security and development teams through a DevSecOps model and maturity criteria.
The future of companies runs through constant digital transformation, and for that it is essential to maintain applications that meet customers' requirements and, above all, are secure. In this scenario the concept of DevSecOps was born, describing a set of practices for integration between software development teams. In this talk we will learn more about the concepts and how to apply DevSecOps in practice. We will provoke "healthy" discussions about the traditional development model and this agile model that is bringing a major paradigm shift to how applications are built.
Meetup - DevSecOps: Putting security into the pipeline
Material presented at the 12th Scrum-Aplicado Meetup - 18/09/2019 at 19:00.
The future of companies runs through constant digital transformation, and for that it is essential to maintain applications that meet customers' requirements and, above all, are secure. In this scenario the concept of DevSecOps was born, describing a set of practices for integration between software development teams. In this talk we will learn more about the concepts and how to apply DevSecOps in practice. We will provoke "healthy" discussions about the traditional development model and this agile model that is bringing a major paradigm shift to how applications are built.
Maturing DevSecOps: From Easy to High ImpactSBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
This talk was presented at NoVA UX event on August 21, 2019. One year ago Jim Lane joined Virtru, a data protection and privacy organization in Washington DC, to build out UX as a discipline in a seven-year-old security company. In his talk Jim outlines establishing a charter, hiring a team, establishing user-centered product development process, choosing tools for scale and speed, and design strategy.
Security Champions - Introduce them in your OrganisationIves Laaf
How to get secure software development established and teams trained: a methodology based on the concept of security champions and OWASP tools and guides.
Talk about application security in an agile world: how security can be integrated into agile, and how DevSecOps can be leveraged to achieve security at scale and at speed.
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
Imagine you were tasked with building a security program: it's day 1 in your new role as an application security manager. Which playbook would you use? There's an alphabet soup of standards to choose from; you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdom of the martial arts master and philosopher Bruce Lee: "Adapt what is useful, reject what is useless, and add what is specifically your own." So, in that spirit, I'm going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and that I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] Here is what we're going to cover in these three core areas: we'll focus on establishing a security culture, we'll look at developing and scaling security processes, and we'll look at governance for ensuring visibility and executive accountability.
Shift Left Security - The What, Why and HowDevOps.com
This document discusses shift-left security, which involves moving security practices earlier into the software development lifecycle to proactively address risks rather than reactively. It notes that only 20% of organizations consistently integrate security early in DevOps processes. Shift-left security is important because traditional security teams cannot keep up with development speeds. The document outlines how to implement shift-left security through automating security practices, using control gates, and learning from production environments. It argues containers help shift security left through their minimal, declarative, and predictable nature which simplifies security requirements and policy automation.
Software Engineer is a title that a lot of people give themselves without applying the principles and best practices that differentiate a Software Engineer from a Developer. This presentation is about the differences between a Developer and a Software Engineer and why they are crucial.
Better Software East 2016: Evolving Automated to ContinuousParasoft
Evolving from Automated to Continuous Testing
Testing issues can be a significant barrier to taking full advantage of agile approaches to software development and the emerging DevOps movement. To leverage these development and delivery strategies to their fullest, you need to evolve beyond automated testing to continuous testing.
Arthur Hicken discusses the testing and development processes and technology that enable continuous testing. He shares insights on how to close the gap between business expectations and development activities by clearly defining development policies for software releases.
Arthur describes how to prevent defects in code and prioritize defect remediation before a release candidate goes live. Explore ways to create realistic test environments and simulations—critical features of the dev/test infrastructure—that enable continuous testing.
Learn how to create a feedback loop that exposes defect patterns while highlighting opportunities to improve application design. Take back a comprehensive to do list for processes and infrastructure that must be in place for your organization to implement continuous testing and accelerate the SDLC.
Women in Innovation - Risk Register: What Could Possibly Go WrongKTN
The aim of this workshop is to provide tools and insights on how to address the inherent risks of any project and how to apply this to your application. We will deep dive into the Risk Register:
- What is it and why do I need one?
- Format and approaches of different Risk Registers
- What risks should be included and where to get this information
- How to use a Risk Register as an on-going reporting tool
Imagine you’re a shepherd overseeing a huge flock of sheep. How do you keep track of all those little fluff-balls to make sure they’re all accounted for? Such is the plight of an asset manager… who normally resorts to spreadsheets to track his flock of hardware and software. It’s easy to misplace assets when you’re maintaining and manually updating a spreadsheet.
Scott Middleton gave a presentation on how new technology is impacting product management. He discussed several emerging technologies like crowd sourcing, computer vision, chat/voice assistants, and product analytics tools. He noted some technologies like A/B testing may be "dead" and new tools allow for more narrow and automatic actions. Roadmap tools can now identify relationships.
Phil Laufenberg then spoke about navigating the hype around new technologies. He recommended using Gartner's Hype Cycle to explore emerging technologies. He also emphasized focusing on customer value and business benefits over just implementing new technologies. A framework of innovating, designing, and implementing based on customer desirability, commercial viability, and technical feasibility can help decrease
We aim to improve product and software security with our new threat modeling playbook. We consider threat modeling as a foundational activity to improve your software assurance. We are convinced that a good threat modeling practice will measurably decrease security issues of delivered products.
As strong believers in open source, active OWASP collaborators and to increase our impact beyond our Toreon customers, we donate this threat modeling playbook to the community.
We hope you will use this playbook to improve your threat modeling practice. We also encourage you to provide feedback to our OWASP threat modeling community in order to make this playbook even better in our next release.
Building application security with 0 money downDefCamp
Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptxInflectra
The pressure to deliver faster to the market has never been more insistent and pervasive than today’s business environment. The Agile world of iterative and incremental delivery has enabled great advances in terms of delivery speed; however, the lack of an integrated risk framework is creating challenges in terms of matching speed with quality. On the one hand, the standards-setting organizations such as the Project Management Institute (PMI) have updated their book of knowledge (PMBOK v7) to move away from highly prescriptive processes to lean thinking. On the other hand, Agile standards themselves have started to emerge, recognizing the need for some prescriptive guidelines on coming up with release and iteration goals. Struggling in between this continuum are the innovative technology projects that wonder how “creativity can be timeboxed” to deliver value!
While the impact of leadership in forming the team and of an organizational culture that embraces continuous learning are unquestionable, it is important to realize that strategy, leadership, and culture are not substitutes for risk-based project thinking. When delivering IT applications that contain inherent conceptual, technical, and compliance risks, a more systematic approach is needed. In this presentation, you will hear about the emerging space of IT initiatives that are impacted by such risks and the need to adopt risk-based frameworks in application lifecycle management. You will also see practical examples of how risk-based lifecycle management can be done in real time.
neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?Leonard Lee
neXt Curve presentation on the topics of Meltdown & Spectre and their implications on IoT security, and what enterprises and consumers need to do to protect themselves from the risk of these CPU-level security threats.
Agile Hardware Product Development (NextGen NPD plus - MRO shop example) inc...Richard Platt
This is the master draft of a presentation that I gave to the Project Management Institute (pmi.org) on Next Generation New Product Development, with an MRO shop performance increase as a result of applying this methodology to shop operations. The methodology in and of itself was intended for New Product Development teams, but it was equally relevant and applicable to manufacturing and process operations, particularly when you are dealing with heterogeneous flows within the process itself, which current methods of NPD are not able to address, and thus why in many cases they are not as effective an approach to getting the said process to move even faster, more efficiently and effectively. Have a look for yourself, try it out, and let me know what you think.
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Capgemini
Under pressure to deploy more applications and releases, organizations need industrial application protection and security testing processes for huge software portfolios.
Find out how a flexible service from testing and security leaders Capgemini and Sogeti can improve the security of your applications, test them on demand, and get results in days.
Powered by HPE Fortify on Demand and hosted in a private infrastructure in Europe, it requires no license, hardware, special expertise, or investment.
Presented at Discover London 2015.
Many projects implicitly use some kind of risk-based approach for prioritizing testing activities. However, critical testing decisions should be based on a product risk assessment process using key business drivers as its foundation. For agile projects, this assessment should be both thorough and lightweight. Erik van Veenendaal discusses PRISMA (PRoduct RISk MAnagement), a highly practical method for performing systematic product risk assessments. Learn how to employ PRISMA techniques in agile projects using Risk Poker. Carry out risk identification and analysis, see how to use the outcome to select the best test approach, and learn how to transform the result into an agile one-page sprint test plan. Erik shares practical experiences and results achieved by employing product risk assessments. Learn how to optimize your test effort by including product risk assessment in your agile testing practices.
Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC'Splunk
Travis Perkins has a complex hybrid IT infrastructure and is in the midst of migrating to the cloud. This session will outline the pitfalls of their initial infrastructure-heavy 'legacy SOC' approach with a legacy SIEM, and the success they gained when they moved to a cloud-based, data-driven 'lean SOC'.
This presentation covers key aspects of Dual Track Agile and provides real-world examples and case studies. It also gives some background on the Discovery and Framing framework and is meant for practitioners who have been using Lean-Agile methodology for at least a year.
While the slides do not describe UCD (User-Centered Design), Pair Programming, TDD (Test Driven Development), or DDD (Domain Driven Development), these concepts are assumed in the approach. That's how VMware Pivotal builds great products.
The approach described here is only ideal for Lean-Agile methodology.
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...Interset
This document discusses detecting insider threats through anomaly detection using machine learning. It explains that rules-based approaches are brittle and don't scale well, while machine learning can analyze vast amounts of data to detect subtle anomalies in user behavior that may indicate insider risk. The document provides examples of how machine learning can be applied to network flow data and other sources to group entities for comparison, detect anomalies, and generate a risk score for entities. It also gives a case study where machine learning detected engineers stealing intellectual property that went undetected by other tools for over a year.
This document provides a playbook for information security (infosec) professionals to build a business case and get budget approval from executive leadership (C-suite) for security initiatives. It outlines a 7-step process: 1) conduct a business impact analysis, 2) perform a security audit, 3) run security scans, 4) develop a remediation plan, 5) present findings and recommendations to the C-suite, 6) continue reporting and be prepared for future opportunities, and 7) implement approved security products and services. The goal is to understand business risks, identify technical vulnerabilities, prioritize remediations, and educate leadership on security needs using business terms and metrics. Ongoing communication, transparency and demonstrating progress are
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, who is responsible for securing a cutting-edge application for a hot fintech company in the year 2021. The app has just completed a major release, and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. A small task force has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste: you are joining your future self to go to the year 2031 and learn what they have learned, to bring that knowledge back to the present and prevent the dark future from ever happening.
.italo operates an Essential Service by connecting more than 100 million people annually across Italy with its super fast and secure railway. And CISO Enrico Maresca has been on a whirlwind journey of his own.
Formerly a Cyber Security Engineer, Enrico started at .italo as an IT Security Manager. One year later, he was promoted to CISO and tasked with building out – and significantly increasing the maturity level – of the SOC. The result was a huge step forward for .italo.
So how did he successfully achieve this ambitious ask? Join Enrico as he reveals the key insights and lessons learned in his SOC journey, including:
Top challenges faced in improving security posture
Key KPIs implemented in order to measure success
Strategies and approaches applied in the SOC
How MITRE ATT&CK and Splunk Enterprise Security were utilised
Next steps in their maturity journey ahead
VR Training: Tech Disruptor or Pet Rock?Jim Piechocki
This document contains a tutorial presentation on virtual reality (VR) and augmented reality (AR) technologies. The presentation covers topics such as situational awareness in VR, examples of VR applications for training, instructional design principles for VR learning, and best practices for crafting effective VR scenarios and characters. The overall goal of the presentation is to help attendees understand the advantages of VR/AR for immersive learning and how to implement successful VR learning experiences.
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftOSIsoft, LLC
As the need for facility equipment and asset data grows, serious cybersecurity risks are revealed, including inadequate security architecture, lack of process and controls, and the use of contractors and vendors. We need to be able to identify risks and develop a mitigation strategy. This presentation will provide insights, answers and tips. It will identify the value of IT/OT integration in solving facilities cybersecurity threats.
Similar to Realizing Near-Zero Security Flaws in Your Software (20)
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
SMS API Integration in Saudi Arabia| Best SMS API ServiceYara Milbes
Discover the benefits and implementation of SMS API integration in the UAE and Middle East. This comprehensive guide covers the importance of SMS messaging APIs, the advantages of bulk SMS APIs, and real-world case studies. Learn how CEQUENS, a leader in communication solutions, can help your business enhance customer engagement and streamline operations with innovative CPaaS, reliable SMS APIs, and omnichannel solutions, including WhatsApp Business. Perfect for businesses seeking to optimize their communication strategies in the digital age.
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the requirements is the first phase in the SDLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
What is Master Data Management by PiLog Groupaymanquadri279
PiLog Group's Master Data Record Manager (MDRM) is a sophisticated enterprise solution designed to ensure data accuracy, consistency, and governance across various business functions. MDRM integrates advanced data management technologies to cleanse, classify, and standardize master data, thereby enhancing data quality and operational efficiency.
E-commerce Development Services- Hornet DynamicsHornet Dynamics
For any business hoping to succeed in the digital age, having a strong online presence is crucial. We offer Ecommerce Development Services that are customized according to your business requirements and client preferences, enabling you to create a dynamic, safe, and user-friendly online store.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Discover Neo4j's latest innovations, including the latest cloud integrations and product improvements that make Neo4j an essential choice for developers building applications with interconnected data and generative AI.
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsPeter Muessig
The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Artificial Intelligence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.