Improving organizational security by paying attention to the needs of the different business units that need to interact with security systems.
This talk was given at DevOpsDays Pittsburgh 2015.
This document discusses integrating security into modern development workflows. It begins by introducing the presenter and stating what topics will and will not be covered. Examples are then provided of how different user personas such as developers, operations staff, security teams, and business users can have their workflows negatively impacted when secrets are not properly managed. The talk suggests creating a cross-functional security UX team and provides recommendations to avoid issues like credential rotation schemes that require redeploys or cloud-specific solutions.
The 5 Stages of Secrets Management Grief, And How to Prevail - Bryan Sterling
The document discusses the 5 stages of secrets management grief: denial, anger, bargaining, depression, and acceptance. It then provides examples of approaches organizations can take to securely manage secrets when using configuration management tools like Puppet, including storing secrets in source control versus alternative approaches. It emphasizes the importance of involving information security teams and considering both "masterful" and "masterless" options. The document recommends resources for further learning on tools that can help, like Conjur and Summon, and calls readers to evaluate their own organization's secrets management approach.
This document discusses how DevOps practices can sometimes break traditional security and compliance practices, and proposes an approach called SecDevOps 2.0 to better integrate the two. It outlines how SecDevOps 2.0 would define policies, identities, and networks in a way that supports continuous delivery while maintaining security and compliance. Key elements include defining security policies in code, using machine identities at scale for access control, and implementing new tools like secrets as a service and software-defined firewalls. The overall goal is to make security controls more transparent and integrated with automation.
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left - DevSecCon
The document discusses the concept of DevSecOps, which involves taking a holistic approach to shift security left in the software development process. It involves collaboration between developers, operations, and security teams. DevSecOps aims to build security and compliance into software development from the beginning through processes and tools. The document provides examples of how DevSecOps operates and is organized, the skills required, challenges to adoption, and emphasizes the importance of experimentation. It argues that with everyone participating in DevSecOps, safer software can be developed sooner.
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow - Ryan... - Puppet
The document discusses securing secrets for Puppet infrastructure without slowing down automation. It acknowledges that many organizations manually copy secrets or store them insecurely due to time pressures. However, exploits are increasingly targeting insecure secrets. The document proposes using the open source CyberArk Conjur tool to authenticate and authorize machine identities to retrieve secrets in a secure workflow. It provides an example of updating Puppet manifests to use Conjur for dynamic secrets retrieval without overhauling existing code. Overall, the document advocates aligning security and velocity through identity-based secrets management to reduce risks and costs from security incidents.
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ... - Franklin Mosley
Security pros have written countless jokes and comics maligning developers' exultant disregard for security and lauding their own long-suffering devotion to repairing reckless dev teams' vulnerable code. Yet, this narrative -- which does nothing to improve application security -- has gone on long enough. This session will help you change the conversation and the trend. You'll learn how to speak developers' language, learn about the real pressures they face in a continuous delivery environment, and discover how to get Dev, Ops, and Security teams aligned and focused on a singular goal.
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government - DevSecCon
This document discusses DevSecOps in government technology. It uses the analogy of water to represent software and discusses how software runs underneath technology like water runs underneath cities and infrastructure. It promotes adopting a DevSecOps culture that treats code like water by never taking its security for granted. It outlines strategies for securing the human aspect through changing behaviors and culture. The overall message is that a DevSecOps approach requires passion, empathy, and bringing together developers, security engineers, and managers to define secure processes and metrics through a shared understanding.
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn id: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ... - DevSecCon
This document discusses integrating crowdsourced security testing into agile software development lifecycles. It argues that traditional penetration testing approaches are obsolete and that crowdsourced security assessments provide a more flexible and continuous approach. The document outlines how a crowdsourced security model could work, with on-demand assessments, full remediation assistance, and staged integration of bug bounty programs. This would help organizations gradually improve their security maturity and risk posture in an agile manner.
Securing the container DevOps pipeline by William Henry - DevSecCon
This document discusses securing the container DevOps pipeline. It begins by explaining why the term "DevSecOps" emerged, as integrating security into DevOps practices at scale became important. It then outlines the modern DevOps CI/CD process using containers and APIs. The rest of the document details how to secure different aspects of the container lifecycle, such as the container host, content, registries, builds, deployments, orchestration, networking, storage, APIs, and federated clusters. It argues for taking a lifecycle approach to container security and integrating practices like role-based access controls, network isolation, secure storage, and API management across the container platform.
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling - DevSecCon
Pishu Mahtani discusses adversarial modeling as a technique for driving secure application development. Adversarial modeling involves thinking like malicious attackers to understand how applications could be compromised. It recommends identifying assets, threats, and developing misuse cases to analyze how attackers may interact with systems. The presentation provides an example of applying these concepts to an electronic procurement application, identifying actors, workflows, vulnerabilities, and potential misuse cases for different attacker types. The goal is to help developers adopt an adversarial mindset early in the development process to build more robust defenses against real-world threats.
Hacker Games & DevSecOps presentation from the Tallinnec 27.3.2018 meetup. How to make DevSecOps more fun by playing hacker games? What can you learn from Hack The Box?
This document discusses web and cloud security challenges. It begins with an introduction of the speaker and their background in security research. Various web attacks like SQL injection, cross-site scripting, and remote code execution are explained. Cloud security threats from misconfigured applications and infrastructure are also examined, including real-world examples. Best practices for hardening systems and securing data in the cloud are provided. Resources for further learning about web and cloud security are listed at the end.
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To... - DevSecCon
The document discusses building an application vulnerability toolchain for SecDevOps. It advocates leveraging existing security tools like SAST and DAST scanners through automation to reuse human effort. The author describes their process of identifying how to test applications based on factors like the stack and platform. They also discuss instrumenting and testing REST APIs, building custom automation, correlating data from multiple scans and tools in a NoSQL database, and using tools like Docker, Selenium and OWASP ZAP through their APIs.
DevSecOps Personas – what Developers, Security, and Operations think about people, tech, processes and culture when it comes to rolling out DevSecOps programs.
Each of these teams has different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, ‘The only way to get anyone to do anything, is to make them want to do it’ - all the tech and process in the world isn’t going to make it successful if the people and culture (and heart) are not in it. So let’s share what we’ve seen from 100s of company interactions, understand better where everyone is coming from, and how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown’s guitar. We’d love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary’s focused on the people, process, technology, and culture aspects of DevSecOps – as someone who’s worked in all three spaces during his time – and on the drivers, blockers, etc. that each group experiences with ‘DevSecOps’, ‘shift-left’, ‘secure by design’, and the rest.
--------
Find out more about us www.uleska.com/
Follow us on LinkedIn https://www.linkedin.com/company/uleska/
Follow us on Twitter https://twitter.com/uleska_sec/
This document discusses building application security teams. It begins by introducing the author and their background in application security. It then discusses creating an environment where security enables business goals rather than hinders them. It suggests embedding security into culture by focusing on quality, testing, and engineering. It discusses the importance of application security policies being customized and delivered effectively. It emphasizes the need for application security activities like threat modeling and code reviews to avoid relying on "security pixie dust". It argues that even non-software companies should view themselves as software companies due to their reliance on code. Finally, it discusses building application security teams internally by training and educating developers rather than exclusively hiring specialists.
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases - DevSecCon
This document summarizes two real world cases where companies implemented security automation to help address challenges of securing applications in agile development environments. The first case involved an insurance company transitioning to DevOps and agility, where integrated automated testing helped provide security visibility and training. The second case involved a retailer with an established agile shop where a process-driven security workflow was created to integrate testing into their DevOps pipeline on a weekly basis. Both cases aimed to balance rapid development needs with continuous security.
This document provides information about security champions and their role in an application security (AppSec) team. It explains that security champions are developers who help bridge the gap between security and development teams by focusing on application security activities like threat modeling, code reviews, and security testing. They spend 20% of their time on these security responsibilities. The benefits of being a security champion include career advancement opportunities through learning more about application security. Security champions receive training and support from a central AppSec team. They also participate in weekly meetings and hackathons to improve security skills and find issues in applications.
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Thanks to the cloud and open source tools, DevOps teams have access to unprecedented infrastructure and scale. But that also means they can be approached by some of the most nefarious actors on the Internet, as they risk the security of their business with every application deployment. Perimeter-class security is no longer viable in such a distributed environment, so now companies need to adapt to more micro-level security. This merging of DevOps and security operations – a concept called DevSecOps – is one of the most important new developments in security and IT deployment. In this session, our expert will discuss how teams are now collaborating as peers to achieve optimal security.
Nick Drage & Fraser Scott - Epic battle devops vs security - DevSecCon
Fraser and Nick debate the relationship between DevOps and security. Nick argues security is too complex for DevOps approaches, while Fraser argues DevOps and security ultimately have the same goals of reducing risk and increasing value. They propose defining a "risk budget" to measure and manage risk like an "error budget", allowing more frequent deployments if risk is reduced through practices like testing and security engagement. Ultimately they agree DevOps and security need cooperation rather than separation, with security helping scale out practices while DevOps takes security responsibilities.
IEEE S&P 2020 - Software Security: from Research to Industry - Minded Security
Day by day, technology introduces new changes affecting several aspects of everyone's life, from private individuals to industry. In such an ever-changing world, cutting-edge research on application security is one of the topics that requires attention in order to keep up with this change. Minded Security, since the beginning of its mission, has been focusing on application security research in order to professionally support the analysis and mitigation of old and new threats for our customers. This talk will go through some of the research performed by Minded Security to improve the quality of security and privacy for our customers.
This document provides an introduction and agenda for a Puppet Enterprise presentation. It begins with introductions of the speakers and then discusses how Puppet Enterprise can help companies automate their infrastructure and applications to deliver software simply and at scale. It presents a live demo of how Puppet Enterprise works by defining configurations, simulating changes, and enforcing policies. Finally, it suggests next steps for audiences to learn more including contacting sales, downloading a free trial, and exploring self-paced trainings.
Stephen Sadowski - Securely automating infrastructure in the cloud - DevSecCon
This document summarizes Stephen Sadowski's presentation on securely automating infrastructure in the cloud. It discusses the tools and processes they used, including Terraform for infrastructure as code, Chef for configuration management, GitLab for source control and access management, Jenkins for continuous integration/delivery, ELK for logging, Sensu for monitoring, and PagerDuty for alerting. It emphasizes treating infrastructure like code, minimum necessary access, and ensuring security is built into processes from the beginning through techniques like encryption, access control lists, and compliance testing.
In the world of DevSecOps, as you might expect, we have three teams working together: Development, Security and Operations.
The “Sec” of DevSecOps introduces changes into the following:
• Engineering
• Operations
• Data Science
• Compliance
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
The document describes the importance of having a clear strategy for social enterprises, since it establishes a long-term direction and guide. It also discusses how organizational culture is fundamental to understanding the performance of any organization and how it manifests in patterns of behavior and relationships. Managing positive cultural patterns can strengthen the organization's performance.
This document presents Mexico's Housing Law. It establishes the national housing policy and its objectives of guaranteeing the right to decent housing for all families. It describes the housing programs and plans at the federal, state and municipal levels. It also defines key terms such as social housing, housing improvement and housing production, and includes guidelines to promote access to housing for people living in poverty.
The “Sec” of DevSecOps introduces changes into the following:
• Engineering
• Operations
• Data Science
• Compliance
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
El documento describe la importancia de tener una estrategia clara para los emprendimientos sociales, ya que esta establece una dirección y guía a largo plazo. También discute cómo la cultura organizacional es fundamental para comprender el desempeño de cualquier organización y cómo se manifiesta en los patrones de conducta y relaciones. Gestionar los patrones culturales positivos puede fortalecer el desempeño de la organización.
Este documento presenta la Ley de Vivienda de México. Establece la política nacional de vivienda y sus objetivos de garantizar el derecho a una vivienda digna para todas las familias. Describe los programas y planes de vivienda a nivel federal, estatal y municipal. También define términos clave como vivienda social, mejoramiento de vivienda y producción de vivienda, e incluye lineamientos para promover el acceso a vivienda para personas en pobreza.
El documento habla sobre errores en la página web del Instituto de Control Vehicular que mostraron algunas placas como irregulares cuando no lo estaban. Esto orilló a 11 conductores a ir al Ministerio Público para aclarar su situación. Funcionarios reconocieron que fue un error humano al capturar datos. También se menciona que el gobierno de Nuevo León gastó más de 270 millones de pesos en comunicación durante el periodo de veda electoral y un funcionario lo justificó diciendo que eran pagos atrasados por campañas del
Apartments cleaning company in Jeddah by Saharalalameya.comdakshseo5
The document discusses several cleaning and pest control services provided by Saharalalameya Company in Jeddah, including apartment cleaning, furniture moving, water tank cleaning, and pest extermination. The company aims to offer its customers old and new the best deals and innovative solutions. It ensures furniture and customer items are well-packed and protected during transportation to prevent loss or damage.
AeroPersonnel is an aviation personnel agency based in Montreal that provides recruitment and flight services worldwide. It specializes in sourcing pilots and technicians for commercial airlines and corporate fleets. AeroPersonnel offers ferry flights and test flights for aircraft, managed by a team of highly experienced airline pilots. Flight crews are sourced globally. Pricing is customized for each mission and based on daily pilot rates, expenses, and project management fees. Customers can request proposals for aircraft flight services on the AeroPersonnel website.
El documento presenta información sobre dos estudiantes de primer año de marketing en el Tecnológico Sudamericano en el año lectivo 2009-2010. El profesor a cargo de la materia Fundamentos de Marketing es el Ing. Carlos Piña. Además, incluye fotos de algunos productos.
CII - Godrej GBC is organizing the 8th Edition of Green Cementech 2012 on 24 & 25 May 2012 at Hyderabad International Convention Centre (HICC), Hyderabad
Proyecto Facebook 09: Dimensión Convergencia Cultural.
Cátedra Procesamiento de Datos, Titular: Alejandro Piscitelli
Carrera de Cs. de la Comunicación. Universidad de Buenos Aires.
http://www.proyectofacebook.com.ar/
Health Education with individual, Family and CommunityRaksha Yadav
The document discusses different approaches to health education, including individual, group, and community approaches. It defines health education according to the WHO as any combination of learning experiences designed to help individuals and communities improve their health. The individual approach involves personal contact through home visits, interviews, and letters to understand attitudes, clear doubts, and identify barriers. The group approach educates groups of 20-25 members through discussion to help them think about, discuss, decide on, and follow up decisions. Community health education aims to create awareness, help communities understand health problems and needs, find alternative solutions, implement them, and provide feedback.
Alteraciones en el desarrollo de las piezas dentariasYoy Rangel
El documento describe varias patologías bucales, incluyendo anomalías en el número, estructura y desarrollo de los dientes. Se mencionan defectos como anodoncia, hiperdoncia, fusiones dentales y anomalías en el tamaño de las coronas. También se describen trastornos genéticos que afectan la formación del esmalte y dentina como amelogénesis imperfecta y dentinogénesis imperfecta.
El documento describe las características del virus de la inmunodeficiencia humana (VIH). Explica que es un lentivirus que causa el síndrome de inmunodeficiencia adquirida (sida) y que fue descubierto en 1983. También describe las formas de transmisión del VIH, los síntomas iniciales de la infección, los tratamientos disponibles y las lesiones orales asociadas al virus.
"Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented ""Enterprise Cloud Security via DevSecOps"" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS.
We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit and AWS to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps."
This document discusses DevSecOps, including what it is, why it is needed, and how to implement it. DevSecOps aims to integrate security tools and a security-focused culture into the development lifecycle. It allows security to keep pace with rapid development. The document outlines how to incorporate security checks at various stages of the development pipeline from pre-commit hooks to monitoring in production. It provides examples of tools that can be used and discusses cultural and process aspects of DevSecOps implementation.
For Business's Sake, Let's focus on AppSecLalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as CodeSteve Mercier
Slides from my talk at ConFoo Montreal, February 2016. A presentation on how to apply configuration management (CM) principles for your various environments, to control changes made to them. You apply CM on your code, why not on your environments content? This presentation will present the infrastructure as code principles using Chef and/or Ansible. Topics discussed include Continuous Integration, Continuous Delivery/Deployment principles, Infrastructure As Code and DevOps.
System Security on Cloud
The document discusses system security when using cloud computing. It begins by describing the speaker's current big data system of over 10,000 users across 4 countries with over 1 billion user profiles and data ingested daily. It then discusses how infrastructure has changed from buying hardware to infrastructure as a service. Security has also changed, with cybercrime flourishing using organized groups. The rest of the document provides best practices for cloud security, such as understanding shared responsibilities and knowing your adversaries. It also promotes the services of Alert Logic for protecting cloud workloads and applications.
Serverless security - how to protect what you don't see?Sqreen
Protecting serverless is a new topic. This presentation aims at showing what new security challenges it brings, and how CISO and security teams should approach it.
The serverless space evolves fast and there is no convergence on best practices yet. The switch to a serverless architecture involves several changes, for instance developers doing much more ops with serverless, deploying 20 times more services than previously...
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018 Codemotion
What happens when a security researcher finds a hole in your code? Do have a clear policy to submit this kind of findings? Most not. Responsible Disclosure is something every company should manage, and Bug Bounties Programs help to improve the security as well as be in contact with the hacker community. During the talk we will see how a Responsible Disclosure Program or a BugBounty Program works, and how the company should focus and not forget about other mitigations and counter mesures related to security. Also we will dig a bit in how a security report must be performed in a good way.
Find out more presentations at https://madrid2018.codemotionworld.com/speakers/
Building serverless apps with Go & SAMLeon Stigter
This document discusses building serverless applications with Go and the Serverless Application Model (SAM). It begins with confidentiality and disclaimer sections. It then provides an introduction to Project Flogo, an open source serverless framework for building event-driven applications. Project Flogo uses Go and allows developers to define app logic as flows that connect triggers and actions. The document discusses how Flogo provides both a visual UI and Go API for application development and describes ways to get started using Flogo's CLI, Docker images, or Go library.
Security engineering 101 when good design & security work togetherWendy Knox Everette
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
The document provides guidance on implementing simple yet effective security defenses to thwart cyber attacks. It recommends building security programs with key components like policies, baselines, risk acceptance models and checklists for application security reviews. Specific defenses include user awareness training, least privileged access, patching, network segmentation, input validation, logging and encryption. The document argues that with the right foundations, organizations do not need large budgets for security and can prevent common hacking techniques.
James Black has over 15 years of experience architecting and developing mobile and enterprise applications. He is looking for a company focused on integrating cloud, analytics, visualization, IoT and mobile. His background in cybersecurity research will help ensure data security as new opportunities are explored. He has created several Android applications and integrated a mobile app into a financial institution connecting to 15 systems. Personal projects include publishing Android apps and prototyping STEM-related mobile games in Unity3D.
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
How To Implement DevSecOps In Your Existing DevOps WorkflowEnov8
Prioritizing DevOps without considering security can be dangerous. So how can security be implemented within a DevOps team? Adapt to DevSecOps and see how it assists you in developing your implementation technique. This blog will provide a comprehensive understanding of the DevSecOps methodology.
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
Di Indonesia, 19,4% perusahaan sudah mulai menggunakan layanan cloud publik. Stapi sering kali saat perusahan sudah mengadopsi cloud, mereka baru menyadari betapa rumitnya penerapan cloud. Akibatnya, banyak perusahaan yang stuck dalam operasional aplikasi yang baru ini.
Hadirlah DevOps yang memberi layanan lebih cepat dan mendorong inovasi sekaligus meningkatkan produktivitas, komunikasi, dan keterlibatan karyawan. Tapi hadirnya layanan yang lebih cepat membuat risiko dalam penerapan aplikasi meningkat sebesar 53% upaya pencurian data menyasar aplikasi itu sendiri. Oleh karena itu, sangat penting bagi perusahaan untuk mengubah mindset dari menerapkan keamanan untuk kepatuhan ke metode yang lebih proaktif dengan memanfaatkan prinsip-prinsip DevOps dalam tool dan proses keamanan mereka.
Hmm jadi penasaran bagaimana sih memaksimalkan peran keamanan dalam penerapan Devops supaya berjalan dengan lacar? Hal ini akan kita bahas bersama 2 orang pembicara yang expert dibidangnya, yaitu Rei Munisati (Head of IT Security & Risk Compliance, Home Credit Indonesia) dan Taro Lay (Co-Founder Kalama Cyber Security) pada Tech Talk 2021 Live dengan tema "Peran IT Security dalam Penerapan DevOps."
[Confoo Montreal 2020] From Grief to Growth: The 7 Stages of Observability - ...Ambassador Labs
In this case-study talk, we will share Brent’s journey through the adoption of modern observability practices as he operated an architecture of distributed services. Facing difficulties using application logs as the primary tool to debug performance and reliability issues? Learn how to improve your company toolkit and engineering habits using existing monitoring tools with the addition of distributed tracing.
https://confoo.ca/en/yul2020/session/from-grief-to-growth-the-7-stages-of-observability
Finding Security a Home in a DevOps WorldShannon Lietz
Presented this talk at DevOps Summit in 2015 to a DevOps community. Discovered that security is new to most DevOps teams and this was a very good discussion.
Amsterdam, May 2018
Even DevOps purists are now embracing the DevSecOps term as they’ve recognized how siloed security often remains. Security still gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. Distributed development teams and rapid iterative releases require a commitment to security approaches that are continuous, adaptive, and heavily automated.
In this session, Red Hat Technology Evangelist Gordon Haff will discuss successful practices for using a rich ecosystem of open source and other software to bake security into the development and deployment pipeline to both iterate quickly and minimize business risk. He’ll discuss how container platforms and other cloud-native tooling can serve as the foundation for DevSecOps. Finally, he’ll look at good practices for integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning.
An extremely motivated and proficient individual with overall 4 years of experience in Build/ Release with DevOps & Development, AWS CSA, MCSE(Azure) and JIRA Administrator in IT industry.
Microservice Teams - How the cloud changes the way we workSven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Preparing Non - Technical Founders for Engaging a Tech AgencyISH Technologies
Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au
A neural network is a machine learning program, or model, that makes decisions in a manner similar to the human brain, by using processes that mimic the way biological neurons work together to identify phenomena, weigh options and arrive at conclusions.
Consistent toolbox talks are critical for maintaining workplace safety, as they provide regular opportunities to address specific hazards and reinforce safe practices.
These brief, focused sessions ensure that safety is a continual conversation rather than a one-time event, which helps keep safety protocols fresh in employees' minds. Studies have shown that shorter, more frequent training sessions are more effective for retention and behavior change compared to longer, infrequent sessions.
Engaging workers regularly, toolbox talks promote a culture of safety, empower employees to voice concerns, and ultimately reduce the likelihood of accidents and injuries on site.
The traditional method of conducting safety talks with paper documents and lengthy meetings is not only time-consuming but also less effective. Manual tracking of attendance and compliance is prone to errors and inconsistencies, leading to gaps in safety communication and potential non-compliance with OSHA regulations. Switching to a digital solution like Safelyio offers significant advantages.
Safelyio automates the delivery and documentation of safety talks, ensuring consistency and accessibility. The microlearning approach breaks down complex safety protocols into manageable, bite-sized pieces, making it easier for employees to absorb and retain information.
This method minimizes disruptions to work schedules, eliminates the hassle of paperwork, and ensures that all safety communications are tracked and recorded accurately. Ultimately, using a digital platform like Safelyio enhances engagement, compliance, and overall safety performance on site. https://safelyio.com/
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...The Third Creative Media
"Navigating Invideo: A Comprehensive Guide" is an essential resource for anyone looking to master Invideo, an AI-powered video creation tool. This guide provides step-by-step instructions, helpful tips, and comparisons with other AI video creators. Whether you're a beginner or an experienced video editor, you'll find valuable insights to enhance your video projects and bring your creative ideas to life.
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLESanfaltahir1010
Image: Include an image that represents the concept of precision, such as a AI helix or a futuristic healthcare
setting.
Objective: Provide a foundational understanding of precision medicine and its departure from traditional
approaches
Role of theory: Discuss how genomics, the study of an organism's complete set of AI ,
plays a crucial role in precision medicine.
Customizing treatment plans: Highlight how genetic information is used to customize
treatment plans based on an individual's genetic makeup.
Examples: Provide real-world examples of successful application of AI such as genetic
therapies or targeted treatments.
Importance of molecular diagnostics: Explain the role of molecular diagnostics in identifying
molecular and genetic markers associated with diseases.
Biomarker testing: Showcase how biomarker testing aids in creating personalized treatment plans.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Real-world case study: Present a detailed case study showcasing the success of precision
medicine in a specific medical scenario.
Patient's journey: Discuss the patient's journey, treatment plan, and outcomes.
Impact: Emphasize the transformative effect of precision medicine on the individual's
health.
Objective: Ground the presentation in a real-world example, highlighting the practical
application and success of precision medicine.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions for handling and analyzing vast
datasets.
Visuals: Include graphics representing data management challenges and technological solutions.
Objective: Acknowledge the data-related challenges in precision medicine and highlight innovative solutions.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions
What to do when you have a perfect model for your software but you are constrained by an imperfect business model?
This talk explores the challenges of bringing modelling rigour to the business and strategy levels, and talking to your non-technical counterparts in the process.
Enhanced Screen Flows UI/UX using SLDS with Tom KittPeter Caitens
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
Project Management: The Role of Project Dashboards.pdfKarya Keeper
Project management is a crucial aspect of any organization, ensuring that projects are completed efficiently and effectively. One of the key tools used in project management is the project dashboard, which provides a comprehensive view of project progress and performance. In this article, we will explore the role of project dashboards in project management, highlighting their key features and benefits.
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISTier1 app
Are you ready to unlock the secrets hidden within Java thread dumps? Join us for a hands-on session where we'll delve into effective troubleshooting patterns to swiftly identify the root causes of production problems. Discover the right tools, techniques, and best practices while exploring *real-world case studies of major outages* in Fortune 500 enterprises. Engage in interactive lab exercises where you'll have the opportunity to troubleshoot thread dumps and uncover performance issues firsthand. Join us and become a master of Java thread dump analysis!
The Rising Future of CPaaS in the Middle East 2024Yara Milbes
Explore "The Rising Future of CPaaS in the Middle East in 2024" with this comprehensive PPT presentation. Discover how Communication Platforms as a Service (CPaaS) is transforming communication across various sectors in the Middle East.
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
2. I am Dustin Collins
Organizer of the Boston DevOps meetup
Developer Advocate at Conjur
3. EXPECTATIONS
THIS TALK IS NOT ABOUT
● patching exploits
● network security
● container breakout
● insider threats
● cloud
● encryption
● intrusion analysis
● security tooling
THIS TALK IS ABOUT
● integrating security into modern workflows
● managing conflicts of interest
7. EXAMPLES, PLEASE: DEVELOPER
⊡ Needs to use a new API to fetch geodata
⊡ Downloads the secret token
⊡ gitignores it for development, keeping it out of source control
⊡ App now breaks in production
8. EXAMPLES, PLEASE: OPERATIONS
⊡ Needs to roll out containers for an internal PaaS
⊡ Bakes secrets into Docker images
⊡ Password rotation now requires a redeploy of the application
9. EXAMPLES, PLEASE: SECURITY
⊡ Needs to keep an inventory of running services
⊡ Rolls out a tool to do it through an internal web dashboard
⊡ With no API available, is now a bottleneck to launching new services
10. EXAMPLES, PLEASE: BUSINESS USER
⊡ Signs a contract with a vendor for an identity management solution
⊡ Only works on AWS
⊡ Dev workflow is full of workarounds
⊡ Ops is constrained to one platform
⊡ Security isn’t happy with the built-in reporting
12. “Addressing the individual needs of the distinct User Personas, and paying special attention to the points at which their needs intersect is the key to driving adoption, usage, and ultimately delivering a successful product experience.”
Dan Warner, Director of UX @ Conjur
13. App Developer (engineer)
Primarily responsible for feature work. Lives in a Continuous Integration workflow. Supports lots of fun tools locally, but has disdain for imposed “dependencies.”
Skills: Typical Python development stack, Vagrant, Homebrew...
Equipment: Command Line. IDE. OSX. Laptop with multiple virtualized dev environments.
Quotes:
“Trying to figure out how to integrate with your system is not a great use of my time.”
“It works on my laptop.”
Stories:
● As an app developer, I want to write and test features without thinking about security, so that I can continuously deliver.
● As an app developer, I want the code I write to work in prod the same way it works in dev and test, so that I don’t have to spend cycles troubleshooting with QA.
14. OPS Guy (sysadmin, DevOps *, IT Admin, * of Operations)
Primarily responsible for architecting and maintaining IT infrastructure including the CI pipeline, SOX (and other audit) compliant data environments, and controlling automation costs.
Skills: A working knowledge of many diverse technologies — Ruby, ELK stack, Chef, Docker, Stackdriver, Bash scripting, AWS, Jenkins, Nagios, Vagrant...
Equipment: Command Line. OSX. Laptop with multiple virtualized dev environments. Homespun Ops Dashboard. The UIs of various tools like Jenkins and Kibana.
Quotes:
“The people in the meeting are going to be suits. Rather than show them some command line interface that they don’t understand, I would like to run it through a nice web interface.”
“Which of the users on the product team have accessed this secret? When was the last time someone on the product team accessed this secret?”
Stories:
● As an ops guy I want to see who has accessed a particular secret (or server, host, etc.), so that I can report to the responsible parties.
● As an ops guy, I want easy queryability (like Facebook search), so that I can find what I want quickly and do some level of discovery.
● As a (less technical) IT Admin I want to be able to spin up a secure
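The two questions in the Ops quotes above (who has fetched a secret, and when someone on the product team last did) are the query a secrets store's audit trail has to be able to answer through an API, not only through a dashboard. The following is an added example, not code from the talk or from any product the speaker mentions: it runs that query over constructed JSON-lines audit records. The field names (`ts`, `user`, `action`, `secret`, `result`), the secret paths and the user names are all assumptions made for the example.

```python
"""Added example (not from the talk): answering "who accessed this secret, and
when did someone on the product team last do so?" from a secrets store's audit
feed. The record format and the sample users below are constructed for this example."""
import json

# Constructed sample audit feed, one JSON object per line (format is an assumption).
SAMPLE_AUDIT_LOG = """\
{"ts": "2015-08-10T14:02:11Z", "user": "alice", "action": "fetch", "secret": "prod/db/password", "result": "allowed"}
{"ts": "2015-08-10T14:05:40Z", "user": "bob", "action": "fetch", "secret": "prod/db/password", "result": "allowed"}
{"ts": "2015-08-11T09:15:02Z", "user": "alice", "action": "fetch", "secret": "prod/db/password", "result": "allowed"}
{"ts": "2015-08-11T09:16:30Z", "user": "carol", "action": "fetch", "secret": "prod/db/password", "result": "denied"}
{"ts": "2015-08-11T10:00:00Z", "user": "bob", "action": "fetch", "secret": "prod/geodata/token", "result": "allowed"}
{"ts": "2015-08-12T08:00:00Z", "user": "ops-dashboard", "action": "list", "secret": null, "result": "allowed"}
"""


def parse_audit(text):
    """One JSON object per line. A malformed line is an error rather than
    something to skip silently: a gap in the audit trail is itself a finding."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"malformed audit record on line {lineno}: {exc}") from exc
    return events


def secret_access_report(events, secret, team=None):
    """For one secret: which users fetched it, each user's most recent fetch,
    the denied attempts, and the most recent successful fetch by anyone in
    `team` (a set of user names; None means every user)."""
    last_access = {}
    denied = []
    for ev in events:
        if ev.get("secret") != secret or ev.get("action") != "fetch":
            continue
        user = ev["user"]
        if team is not None and user not in team:
            continue
        if ev["result"] != "allowed":
            denied.append((ev["ts"], user))
            continue
        # Fixed-layout UTC ISO-8601 timestamps compare correctly as strings.
        if user not in last_access or ev["ts"] > last_access[user]:
            last_access[user] = ev["ts"]
    return {
        "users": sorted(last_access),
        "last_access": last_access,
        "denied": denied,
        "latest": max(last_access.values()) if last_access else None,
    }


if __name__ == "__main__":
    report = secret_access_report(parse_audit(SAMPLE_AUDIT_LOG), "prod/db/password")
    for user in report["users"]:
        print(f"{user:8} last fetched prod/db/password at {report['last_access'][user]}")
    print("denied attempts:", report["denied"])
```

Passing `team={"bob", "carol"}` restricts the report to the product team and still surfaces carol's denied attempt, which is the kind of detail a web-only dashboard tends to hide and a programmable API makes trivial to pull into a SIEM.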
15. Security User (CISO, InfoSec, * of IT Security)
Primarily responsible for data security, DLP, incident response, audit and compliance.
Skills: A high level understanding of the potential risks posed by new technologies.
Equipment: Reports. Dashboards. PowerPoint. Google Docs. Email. Mobile alerts. SIEM.
Quotes:
XX REDACTED XX
Stories:
● As a VP of IT Security I want a blueprint for launching a secure server in a non-secure location, so that my team can leverage the public cloud.
● As CISO I want to choose tools that integrate with existing systems and make my team happy, so that my choices don’t slow my team down or demotivate them.
16. Business User (CIO, CTO, VP IT, Project Manager)
Primarily responsible for aligning IT Strategy with the Business Goals, driving efficiency, building and motivating the team, making decisions about where to invest IT dollars, SOX (and other audit) compliant data environments, controlling cost.
Skills: High level understanding of many, diverse technologies.
Equipment: Reports. Dashboards. PowerPoint. Google Docs. Email.
Quotes:
“Chef. Docker. Puppet. Amazon. On-prem… we use all of the above.”
“I know we are doing DevOps. I’m just not 100% sure what that means.”
“My top concern is SOX compliance.”
Stories:
● As CTO I want to see who had access to a secure DB server and when, so that I can comply with my SOX strategy.
● As CTO I want real-time, self-service reporting and SIEM integration, so that I know this data is part of our complete security picture and nothing is falling through the cracks.
● As VP of IT I want a blueprint for launching a secure server in a non-secure location, so that my team can leverage the public cloud.
● As VP of IT I want to choose tools that integrate with existing systems and make my team happy, so that my choices don’t slow my team
17. SUGGESTION: CROSS-FUNCTIONAL SECURITY UX TEAM
⊡ Create and maintain user personas
⊡ Conduct user interviews
⊡ Share data with stakeholders
⊡ Mediate post-mortems for security issues
⊡ Raise the visibility of how security works
18. THINGS TO AVOID
● Developer workflows that depend on gitignoring credentials
● Credential rotation schemes that require redeploys
● More than one way to access credentials, varying by environment
● Cloud-specific solutions
● Security tools without programmable APIs
● Shoehorning security into collaborative tools (Chef, Jenkins, etcd, Docker) - it limits their effectiveness
● Not checking your security policy into source control (plain text is better than nothing)
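The first three items above are the same defect seen from three seats: the developer on slide 7 reads a token from a gitignored file that never reaches production, the operator on slide 8 bakes secrets into an image so rotation means a redeploy, and both exist because the application has one code path for dev and another for prod. The following is an added example, not code from the talk, from Conjur or from any project the speaker names: it shows the gitignored-file anti-pattern beside a single accessor whose lookup order is identical in every environment and which re-reads a mounted secret after a short TTL, so a rotated value is picked up without a restart. The `/run/secrets` default, the 60-second TTL and the secret names are assumptions for the example.

```python
"""Added example (not code from the talk or from Conjur): one secret-access
path that behaves identically in dev, test and prod, and that picks up
rotated secrets without a redeploy."""
import os
import tempfile
import time
from pathlib import Path


class SecretNotFound(RuntimeError):
    """Raised when a named secret is in neither the environment nor the secrets directory."""


def token_from_gitignored_file(path="geodata_token.txt"):
    """The slide-7 anti-pattern, kept for contrast: works on the laptop where the
    gitignored file exists and raises FileNotFoundError in production, where that
    file never arrives. Nothing else in this module uses it."""
    return Path(path).read_text().strip()


class SecretSource:
    """Resolve secrets by name with one fixed lookup order in every environment:
      1. an environment variable of the same name (injected by the CI job or PaaS
         at process start; fixed for the life of the process), then
      2. a file <secrets_dir>/<NAME> (e.g. a mounted secrets volume that the
         platform rewrites on rotation; re-read once the cache TTL expires).
    The directory default and the TTL are assumptions made for this example."""

    def __init__(self, secrets_dir="/run/secrets", ttl_seconds=60.0,
                 environ=None, clock=time.monotonic):
        self.secrets_dir = Path(secrets_dir)
        self.ttl = ttl_seconds
        self.environ = os.environ if environ is None else environ
        self.clock = clock  # injectable so the demo can advance time without sleeping
        self._cache = {}    # name -> (value, fetched_at)

    def _lookup(self, name):
        value = self.environ.get(name)
        if value:  # an empty variable counts as unset
            return value
        path = self.secrets_dir / name
        if path.is_file():
            return path.read_text().strip()
        raise SecretNotFound(f"secret {name!r} not found in environment or {self.secrets_dir}")

    def get(self, name):
        """Return the current value, re-reading the backing file after the TTL so a
        rotated secret is picked up without restarting or redeploying the app."""
        now = self.clock()
        cached = self._cache.get(name)
        if cached and now - cached[1] < self.ttl:
            return cached[0]
        value = self._lookup(name)
        self._cache[name] = (value, now)
        return value

    def missing(self, *names):
        """Names that cannot currently be resolved, so startup can fail with the
        complete list instead of on the first request that happens to need one."""
        absent = []
        for name in names:
            try:
                self._lookup(name)
            except SecretNotFound:
                absent.append(name)
        return absent

    def require(self, *names):
        absent = self.missing(*names)
        if absent:
            raise SecretNotFound("missing secrets at startup: " + ", ".join(absent))


def run_demo():
    """Constructed scenario (not real infrastructure): a temporary secrets directory
    holding one token, one secret injected through a fake environment, and a
    controllable clock so the TTL behaviour is visible."""
    secrets_dir = tempfile.mkdtemp()
    token_file = Path(secrets_dir) / "GEODATA_API_TOKEN"
    token_file.write_text("tok-v1\n")
    now = [0.0]
    source = SecretSource(secrets_dir, ttl_seconds=60,
                          environ={"DB_PASSWORD": "pw-from-env"}, clock=lambda: now[0])
    result = {}
    result["from_env"] = source.get("DB_PASSWORD")
    result["first"] = source.get("GEODATA_API_TOKEN")
    token_file.write_text("tok-v2\n")                           # operator rotates the token
    result["cached"] = source.get("GEODATA_API_TOKEN")           # within TTL: old value served
    now[0] = 61.0                                               # TTL elapsed
    result["after_rotation"] = source.get("GEODATA_API_TOKEN")   # new value, no redeploy
    result["missing"] = source.missing("DB_PASSWORD", "GEODATA_API_TOKEN", "STRIPE_KEY")
    return result


if __name__ == "__main__":
    print(run_demo())
```

Calling `source.require(...)` once at process start gives the developer the "works in prod the way it works in dev" story and gives operations a clear failure at deploy time rather than a 500 on the first geodata request; the TTL bounds how long a revoked credential keeps being used, so pick it to match the rotation window rather than setting it arbitrarily high.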
19. THANKS!
Any questions?
You can find me at
@dustinmm80
dustinrcollins@gmail.com
dustinrcollins.com
Presentation template by SlidesCarnival
Editor's Notes
It’s helpful to set expectations for a security talk since there is so much to cover.
Security’s traditional role
Security work is high-risk, low-reward. People don’t like doing it.
The Donner Party - In the 1840s a group of people set out to secure their DevOps workflows.
Halfway there, they were caught in a blizzard of unclear objectives and miscommunication.
They ended up eating each other to survive.