This document discusses software supply chain security and vulnerabilities. It references the Equifax data breach in 2017 that was caused by a vulnerability in the Apache Struts software. The document notes that 80-90% of modern applications and operations consist of assembled components, but not all parts are created equal from a security standpoint. It provides statistics showing that 11.1% of Java components downloaded annually have known vulnerabilities and that 80% of organizations analyzed show poor cyber hygiene. The key takeaway is that businesses are ultimately responsible for the security of their data and systems, so emphasizing security for the entire software supply chain is important.
On April 16, 2018, a full day of DevSecOps was featured. This is the deck that was used for rotation as an introduction as people were entering and again during breaks.
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
How to automate your DevSecOps successfullyManuel Pistner
Service based apps using open source components and containers for continuous deployment in DevOp teams need to react fast and deploy often. With increasing complexity of software systems and the need for agility and flexibility the demand for security increases. These slides show an approach for DevSecOp automation and present the results of a survey about the current status of security automation in software development companies.
If you want to see the resulting concept which was developed during the study, please contact me on linked in.
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
On April 16, 2018, a full day of DevSecOps was featured. This is the deck that was used for rotation as an introduction as people were entering and again during breaks.
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
How to automate your DevSecOps successfullyManuel Pistner
Service based apps using open source components and containers for continuous deployment in DevOp teams need to react fast and deploy often. With increasing complexity of software systems and the need for agility and flexibility the demand for security increases. These slides show an approach for DevSecOp automation and present the results of a survey about the current status of security automation in software development companies.
If you want to see the resulting concept which was developed during the study, please contact me on linked in.
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.
*** DevSecOps: The Evolution of DevOps ***
Have you ever asked yourself the following questions:
What does DevSecOps means?
How is this different from DevOps?
What can we learn from the DevOps movement?
Presentation by James Betteley who shares his experience of shaping DevOps and what he foresees will happen with DevSecOps.
Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high profile data breaches occur they help to awaken interest in how to integrate security into this practice without inhibiting the DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps!
DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss:
* What is DevSecOps
* Changing the security mindset
* The Do's and Don'ts for success
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
Mandy Whaley, CISCO
Microservices create an explosion of internal and external APIs. These APIs need great docs. Many organizations end up with a jungle of wiki pages, swagger docs and api consoles, and maybe just a few secret documents trapped in chat room somewhere… Keeping docs updated and in sync with code can be a challenge.
We’ve been working on a project at Cisco DevNet to help solve this problem for engineering teams across Cisco. The goal is to create a forward looking developer and API doc publishing pipeline that:
Has a developer friendly editing flow
Accepts many API spec formats (Swagger, RAML, etc)
Supports long form documentation in markdown
Is CI/CD pipeline friendly so that code and docs stay in sync
Flexible enough to be used by a wide scope of teams and technologies
We have many interesting lessons learned about tooling and how to solve documentation challenges for internal and external facing APIs. We have found that solving this doc publishing flow is a key component of a building modern infrastructure. This is most definitely a culture + tech + ops + dev story, we look forward to sharing with the DevOps Days community.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Hacker Games & DevSecOps presentation from Tallinnec 27.3. 2018 meetup. How to make DevSecOps more fun by playing hacker games? What can you learn from Hack The Box?
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Securing Modern Applications: The Data Behind DevSecOpsEficode
Ilkka Turunen, Global Director, Pre-sales Engineering, Sonatype
Hackers took three days to identify and exploit a known vulnerability in Equifax’s web applications. Ilkka Turunen shares new data that reveals why three days (at most) is the new normal for DevSecOps teams to move new business /security requirements from design into production.
Post-Equifax: How to Trust But Verify Your Software Supply ChainDeborah Schalm
We are bringing together IT leaders from TomiTribe and the Federal Reserve Bank of New York to discuss the importance of trusted software supply chains in the post-Equifax breach environment. Learn why Gartner believes establishing, managing and maintaining tiers of trust requires an integrated approach throughout your entire DevOps practice.
In this webinar, we will discuss how:
Leading DevOps teams responded in the wake of the Equifax Stuts2 breach
DevSecOps practices help us improve our defenses and mean time to remediate new vulnerabilities
Embed and quantify trust when using open source components and containers throughout the SDLC
All attendees will receive a copy of Gartner’s Managing Digital Trust in the Software Development Life Cycle. Register today!
In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.
*** DevSecOps: The Evolution of DevOps ***
Have you ever asked yourself the following questions:
What does DevSecOps means?
How is this different from DevOps?
What can we learn from the DevOps movement?
Presentation by James Betteley who shares his experience of shaping DevOps and what he foresees will happen with DevSecOps.
Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high profile data breaches occur they help to awaken interest in how to integrate security into this practice without inhibiting the DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps!
DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss:
* What is DevSecOps
* Changing the security mindset
* The Do's and Don'ts for success
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
Mandy Whaley, CISCO
Microservices create an explosion of internal and external APIs. These APIs need great docs. Many organizations end up with a jungle of wiki pages, swagger docs and api consoles, and maybe just a few secret documents trapped in chat room somewhere… Keeping docs updated and in sync with code can be a challenge.
We’ve been working on a project at Cisco DevNet to help solve this problem for engineering teams across Cisco. The goal is to create a forward looking developer and API doc publishing pipeline that:
Has a developer friendly editing flow
Accepts many API spec formats (Swagger, RAML, etc)
Supports long form documentation in markdown
Is CI/CD pipeline friendly so that code and docs stay in sync
Flexible enough to be used by a wide scope of teams and technologies
We have many interesting lessons learned about tooling and how to solve documentation challenges for internal and external facing APIs. We have found that solving this doc publishing flow is a key component of a building modern infrastructure. This is most definitely a culture + tech + ops + dev story, we look forward to sharing with the DevOps Days community.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Hacker Games & DevSecOps presentation from Tallinnec 27.3. 2018 meetup. How to make DevSecOps more fun by playing hacker games? What can you learn from Hack The Box?
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Securing Modern Applications: The Data Behind DevSecOpsEficode
Ilkka Turunen, Global Director, Pre-sales Engineering, Sonatype
Hackers took three days to identify and exploit a known vulnerability in Equifax’s web applications. Ilkka Turunen shares new data that reveals why three days (at most) is the new normal for DevSecOps teams to move new business /security requirements from design into production.
Post-Equifax: How to Trust But Verify Your Software Supply ChainDeborah Schalm
We are bringing together IT leaders from TomiTribe and the Federal Reserve Bank of New York to discuss the importance of trusted software supply chains in the post-Equifax breach environment. Learn why Gartner believes establishing, managing and maintaining tiers of trust requires an integrated approach throughout your entire DevOps practice.
In this webinar, we will discuss how:
Leading DevOps teams responded in the wake of the Equifax Stuts2 breach
DevSecOps practices help us improve our defenses and mean time to remediate new vulnerabilities
Embed and quantify trust when using open source components and containers throughout the SDLC
All attendees will receive a copy of Gartner’s Managing Digital Trust in the Software Development Life Cycle. Register today!
Post-Equifax: How to Trust But Verify Your Software Supply Chain DevOps.com
We are bringing together IT leaders from TomiTribe and the Federal Reserve Bank of New York to discuss the importance of trusted software supply chains in the post-Equifax breach environment. Learn why Gartner believes establishing, managing and maintaining tiers of trust requires an integrated approach throughout your entire DevOps practice.
In this webinar, we will discuss how:
Leading DevOps teams responded in the wake of the Equifax Stuts2 breach
DevSecOps practices help us improve our defenses and mean time to remediate new vulnerabilities
Embed and quantify trust when using open source components and containers throughout the SDLC
All attendees will receive a copy of Gartner’s Managing Digital Trust in the Software Development Life Cycle. Register today!
On the health of the npm packaging ecosystemTom Mens
Presentation at DrupalCamp 2018 (Ghent) by Tom Mens (University of Mons) about lessons learned and guidelines based on a historical empirical analysis of the npm JavaScript packaging ecosystem, and the impact of technical problems in its package dependency network. This work is part of the SECOHealth and SECO-ASSIST research projects, co-financed by the FNRS-FRS.
DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018Adhitya Hartowo
Presentation for DevOps Night talk in SCTV Tower in Jakarta on 19 September 2018. Sharing on how to bring security to DevOps environment on Development side.
Chef Automating Everything-AWS-PubSec-SAO-WashDC_2018Larry Eichenbaum
Learn about how the Chef Automate platform helps enable security, audit, and compliance staff to become engaged in DevOps activities early on by performing infrastructure compliance validation as part of the initial development cycles.
Connect Ops and Security with Flexible Web App and API ProtectionDevOps.com
Organizations continue to adopt container orchestration to drive efficiencies in their CI/CD pipelines. Given the current business climate with more employees working from home and consumers transacting more online, how can development and operations teams release at increasing velocity with protection baked in?
Connecting operations and security teams have not always been a smooth process: developers and operations staff are charged with site reliability, availability, and uptime while security staff is held responsible for securing an organization’s always-moving perimeter and valuable web layer assets. But the lines have started to blur between DevOps teams and security: you can’t guarantee uptime without baking effective application security tooling into your processes and infrastructure configurations.
A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure new infrastructure and app code released to production is both effective and secure. Join application security experts Aneel Dadani and Orlando Barerra II from Signal Sciences to learn how your team can deploy at scale safely while gaining layer 7 visibility in production environments. Attendees will learn:
How to inspect web traffic in containers, at the API gateway, or the ingress
How DevOps teams can scale their application footprint to meet demand while securing your codebase in production
How development teams can gain visibility into how their apps and APIs are being used in production and what vulnerabilities may exist that they overlooked
Demo these application security concepts with Ansible, a simple yet powerful IT automation engine that companies use to accelerate DevOps initiatives, including baking application security into their infrastructure.
• 4.5 years of IT experience on Application/Production Support with Linux/Unix Windows Admin, Unix Shell Scripting, WebSphere, Tomcat Admin, Apache webserver, IIS, Business Analyst, Service Management.
• 4.5 years of IT experience on Application/Production Support with Linux/Unix Windows Admin, Unix Shell Scripting, WebSphere, Tomcat Admin, Apache webserver, IIS, Business Analyst, Service Management.
FOR THE FULL VIDEO, RECORDING & PRESENTATION:
https://typesafe.com/blog/going-reactive-in-java-with-typesafe-reactive-platform
--
In this presentation by Jamie Allen, we do a deep dive into the Typesafe Reactive Platform from the Java developer’s perspective, to learn how Typesafe supports the entire Reactive application development lifecycle.
Reactive application development is becoming mainstream and considered a mission-critical need for future growth. This new wave of business applications are message-driven, elastic, resilient and responsive by nature, designed to scale elastically and maintain responsiveness during even large failures. With the Typesafe Reactive Platform (RP), including Play Framework and Akka, Java developers can start to use tools designed for building distributed systems that deliver highly-responsive user experiences. Regardless of whether you code in Java or Scala, Typesafe RP provides a resilient and message-driven application stack that scales effortlessly on multicore and cloud computing architectures.
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Similar to RSAC DevSecOpsDays 2018 - We are all Equifax (20)
30+ Nexus Integrations to Accelerate DevOpsSonatype
No single tool can deliver on the promise of DevOps. Instead it’s a collection of tools, easily integrated, tightly managed, and effectively automated. Learn how Nexus integrates with more DevOps tools you use everyday.
Starting and Scaling DevOps In the EnterpriseSonatype
Gary Gruver, Gruver Consulting
In my role, I get to meet lots of different companies, and I realized quickly that DevOps means different things to different people. They all want to do “DevOps” because of all the benefits they are hearing about, but they are not sure exactly what DevOps is, where to start, or how to drive improvements over time. They are hearing a lot of different great ideas about DevOps, but they struggle to get every-one to agree on a common definition and what changes they should make. It is like five blind men describing an elephant. In large orga-nizations, this lack of alignment on DevOps improvements impedes progress and leads to a lack of focus.
This session is intended to help structure and align those improvements by providing a framework that large organizations and their executives can use to understand the DevOps principles in the context of their current development processes and to gain alignment across the organization for success-ful implem
The Unrealized Role of Monitoring & Alerting w/ Jason HandSonatype
In today’s world, a company must be a “Learning Organization” in order to be successful and innovative. Learning from both failure and success, in order to implement small incremental improvements is critical. But until you implement and apply new information, you haven’t truly “learned” anything and you certainly haven’t improved.
According to the 2015 Monitoring Survey, most companies leverage metrics from monitoring and logging purely for performance analytics and trending. If high availability and reliability are important, they also leverage metrics to alert on fault and anomaly detection. Despite these “best practices”, the metrics are primarily only used as context to keep things “running” or return them back to “normal” if there’s a problem. Rarely is that data used as a method to identify areas of improvement once services have been restored. When an outage occurs to your system, you will absolutely repair and restore services as best you know how, but are you paying attention to the data from the recovery efforts? What were operators seeing during diagnosis and remediation? What were their actions? What was going on with everyone, including conversations? A step-by-step replay of exactly what took place during that outage.
This “old-view” perspective on the purpose of monitoring, logging, and alerting leaves the full value of metrics unrealized. It fails to address what’s important to the overall business objective and it lacks any hope of seeking out innovation or disruption of the status quo.
This talk will illustrate how to identify if your company is making the best use of metrics and ways to not only learn from failure, but to become a “Learning Company”.
DevOps and All the Continuouses w/ Helen BealSonatype
DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg.
DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain.
When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you have Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?
A Small Association's Journey to DevOps w/ Edward RuizSonatype
Small and medium-size businesses are under the same pressure to innovate-at-speed as large corporations. They face these challenges with shoestring IT budgets and limited staff who are stretched thin and forced to wear multiple hats. These limits are particularly acute in the world of nonprofit associations. But with the right vision and culture, even small teams can successfully implement a DevOps philosophy and bust the barriers to high-speed IT innovation.
In this presentation, I will recount our small membership association’s transformative journey to DevOps and share the lessons we learned along the way. I will offer first-hand experiences and practical ideas on how to cultivate a collaborative team culture to realize faster deployment cycles while improving build quality and delighting customers with great software.
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
Operational data mining gives us a rich source of data for the third devops way - continual learning by experimentation. It also shows us just how damaging those 90 day password resets can be. This talk will look at what can go wrong, and the renewed fight to fix the problem at the root.
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsSonatype
Lee Calcote, Solar Winds
Running a few containers? No problem. Running hundreds or thousands? Enter the container orchestrator. Let’s take a look at the characteristics of the four most popular container orchestrators and what makes them alike, yet unique.
Swarm
Nomad
Kubernetes
Mesos+Marathon
We’ll take a structured looked at these container orchestrators, contrasting them across these categories:
Genesis & Purpose
Support & Momentum
Host & Service Discovery
Scheduling
Modularity & Extensibility
Updates & Maintenance
Health Monitoring
Networking & Load-Balancing
High Availability & Scale
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
Justin Collins, Brakeman Security
It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews.
This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.
Automated Infrastructure Security: Monitoring using FOSSSonatype
Madhu Akula, Automation Ninja
We can see attacks happening in real time using a dashboard. By collecting logs from various sources we will monitor & analyse. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will use AWS for managing and securing the infrastructure discussed in our talk.
For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and in real time making the right choices can prove to be a nightmare. Even with the solutions already available in the market.
As I have experienced this myself, as part of the Internal DevOps and Incident Response Teams, in several cases, I would want to create a space for interested folks to design, build, customise and deploy their very own FOSS based centralised visual attack monitoring dashboard. This setup would be able to perform real time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talks and demo is relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes short for letting attendees do hands-on, the following will be required
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
Erlend Oftedal, Blank
Immutable infrastructure and serverless architectures have very interesting security properties. This talk will give an introduction to immutable infrastructure and serverless architecture and try to highlight some of the properties of such architectures. Next we will look at the positive effects this can have on the security of our systems, but also highlight some of the negative aspects and potential problems.
At the conclusion of this sessions, we hope to have shed some light on the positive and negative security effects of such architectures.
Getting out of the Job Jungle with JenkinsSonatype
Damien Corabouef, Multipharma, Clear2Pay
Implementing a CI/CD solution based on Jenkins has become very easy. Dealing with multiple feature, staging and release branches? Not so much. Having to handle that for multiple teams and multiple projects becomes a real challenge. This presentation shows a solution to scale to several thousands of jobs, used by dozens of different development and test teams, 24 hours a day, 7 days a week, on a worldwide schedule.
I will talk about the challenges that we’ve met, and how we’ve put in place a scalable and on-demand solution, secure and simple to use.
This is a real-life, real-scale story of making CI/CD a day-to-day reality by allowing development and test teams to consider automation as a simple and customisable service.
Nathen Harvey, Chef
Automation at scale is the foundation of every successful high velocity organization.
Automation requires dynamic infrastructure that is managed as code. Modern infrastructure code means bringing the lessons from software development to your infrastructure. Automation is managed in version control systems, tests drive code development, code moves through a continuous pipeline from the workstation to the production environment. What will this look like in five years? We will see a continued improvement in the way teams work together toward common goals, build more operable applications, and embrace complexity while improving ease-of-use.
Continuous Everyone: Engaging People Across the Continuous PipelineSonatype
Jayne Groll, DevOps Institute
Culture is undoubtedly one of the most critical aspects of any DevOps initiative. While much emphasis is placed on the automation of the deployment pipeline, there is also a need for a “Continuous People Pipeline”. Continuous People Pipelines help individuals and teams recognize their contribution to the value stream, provide realistic approaches and milestones for ongoing communication and collaboration and can be the basis for shared accountabilities and meaningful metrics. Most importantly, people pipelines help increase trust, flow, feedback and connection across IT silos.
This session will provide insight on the value, creation and support of Continuous People Pipelines. It will help attendees understand some of the human dynamics of change that must be considered – cultural debt, adoption models, acceptance curves, collaboration, immersion and conflict management. At the end of this session, leaders will take away some innovative strategic and tactical ideas for overcoming silo constraints and creating a collaborative culture that excites, engages and unifies people towards common business goals.
Michiel Rook, make.io
It's a situation many of us are familiar with: a large legacy, monolithic application, limited or no tests, slow & manual release process, low velocity, no confidence... A lot of refactoring is required, but management keeps pushing for new features.
How to proceed? Using examples and lessons learned from a real-world case, I'll show you how to replace a legacy application with a modern service-oriented architecture and build a continuous integration and deployment pipeline to deliver value from the first sprint. On the way, we’ll take a look at the process, automated testing, monitoring, master/trunk based development and various (possibly controversial!) tips and best practices.
Docker Inside/Out: The 'Real' Real- World World of Stacking Containers in pro...Sonatype
Daniël van Gils, Cloud 66
So you’ve already containerized the shit out of your code, broken down monoliths, microserviced the hell out of your app and have run some awesome workloads in your local, dev and test environments. It’s all looking good, but now what?
Running Docker commands is one thing, but maintaining containers in production is a whole other ballgame. So during this talk I’ll show you the REAL wild world of Docker in production. With the added benefit of talking to and observing how over 900 of our customers have been using Docker in production, I’ll be presenting some of these data points and sharing our observations on how to get it right.
My aim? I want to turn the conversation on its head and dispel some of the ‘silver bullet’ assumptions flying around by taking an inside-out approach to building with Docker. The idea is to provide you with a framework for how to get your code into containers, streamline the Docker build flow and avoid common pitfalls when moving from dev to live environments.
Because remember, Docker will NOT, and I repeat, will not solve your bad dev and ops behaviours. So don’t end up with a ‘hot mess’ (more on that later), and attend my talk to get container smart
I, For One, Welcome Our New Robot OverlordsSonatype
Mykel Alvis, Coviti Labs
Infrastructure-as-code is how we build deployments now. If your infrastructure cannot be automated using code, then you might want to reconsider your life choices. However, even if it can be described as code, the process by which that infra-code is delivered is often of low quality. Having your infrastructure describable with poorly managed source code is only a slight step up from not managing it at all.
Poor testing and bad release-management practices make many of the efforts of automation hard to replicate. The resulting codebases are often a mass of poorly organized scripting and binaries committed to source control, much of which has never been validated except by a set of Mk I eyeballs.
Cotiviti has taken what turns out to be a radical approach to this problem, although in retrospect it should not have been so radical. Our approach uses artifact repositories, formal release mechanisms, and enforced testing gatekeepers to ensure the quality of the generated result. Because the approach is well-regimented, it is trivially easy to automate. Because the automation applies tests automatically, it tends to produce very high-quality artifacts. Because the output was delivered through a formal release process, it is repeatable. Because everything in that artifact is code, it is reviewable and auditable. And when any of these are untrue, we have a solid path toward remediating that problem.
I have done bespoke deliveries by hand in the past. I’m never going back to my not-having-automation-ways again.
Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...Sonatype
George Parris III, Capital One
In many companies, the cornerstone of their continuous integration and continuous deployment strategy is a few, well known pieces of automation software that are absolutely vital to the way companies are building software these days using agile methodologies. Many times though, someone with some infrastructure experience will just spin up a server and install the packages, building and iterating upon that same install for the following years that they're using it, which puts them in a shaky place every time they have to make changes to it.
On the Online Account Opening project at Capital One, we’ve strived to maintain our entire infrastructure as immutable as possible. In doing so, it was decided that we should apply that principle to our core CI/CD automation tools as well. By using Config As Code, Implementing a useful backup and testing strategy, and utilizing some AWS capabilities, we’re able to make that happen.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
15. 5 Month Opportunity to Take Corrective Action
Large Scale Exploit
March 10
Equifax applications
breached through
Struts2 vulnerability
AprMar May Jun Jul Aug Sept
March 7
Apache Struts releases
updated version to
thwart vulnerability
CVE-2017-5638
July 29
Breach is discovered
by Equifax.
Sept 7
A new RCE vulnerability
is announced and fixed.
CVE-2017-9805
Probing Hack
Crisis Management
16. 3 DAYS BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
AverageDaystoExploit
Average
45
15
2017
17. Struts vulnerability
announced
The
breach
Breach
discovered.
New Struts and
Spring vulnerabilities.
12 months since
Equifax breach.
0
20,000
40,000
60,000
80,000
100,000
120,000
Mar-17 Apr-17 May-17 Jun-17 Jul-17 Aug-17 Sep-17 Oct-17 Nov-17 Dec-17 Jan-18 Feb-18 Mar-18
Total
Breach
disclosed.
80% SHOW POOR CYBER HYGIENE
Number of vulnerable Struts component downloads per month
18. Source: Maven Central Repository, March 2018
VULNERABLE SPRING FRAMEWORK DOWNLOADS
CVE-2017-8046
25. Businesses decide where and how to invest in
cybersecurity based on a cost-benefit assessment
but they are ultimately liable for the security of
their data and systems.
U.K.’s National Cyber Security Strategy
2016 - 2021
26. “Emphasize performance of the entire system
and never pass a defect downstream.”
Gene Kim
The Phoenix Project
2013