Secure application deployment in the age of continuous delivery

•Download as PPTX, PDF•

0 likes•371 views

At the Apache CloudStack Collaboration Conference in Montreal, Tim Mackey (Senior Technical Evangelist at Black Duck Software) presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.

#whoami – Tim Mackey
• Current roles: Senior Technical Evangelist; Occasional coder
• Previously XenServer Community Manager
• Cool things I’ve done
• Designed laser communication systems
• Early designer of retail self-checkout machines
• Embedded special relativity algorithms into industrial control system
• Find me
• Twitter: @TimInTech
• SlideShare: slideshare.net/TimMackey
• LinkedIn: www.linkedin.com/in/mackeytim

Security reality
No solution is perfect.
Defense in depth
matters.

Attacks are big business
In 2015,
89% of data breaches had a
financial or espionage motive
Source: Verizon 2016 Data Breach Report

EASY ACCESS TO SOURCE CODE
Open source ubiquity makes it an easy target
OPEN SOURCE ISN’T
MORE OR LESS
SECURE THAN
CLOSED SOURCE –
ITS JUST EASIER TO
ACCESS
VULNERABILITIES ARE PUBLICIZED
EXPLOITS ARE PUBLISHED

Anatomy of a new attack
Potential Attack
Iterate
Test against platforms
Document
Don’t forget PR department
Deploy

DELIVERED CODE
OPEN SOURCE CODE
SUPPLY CHAIN CODE
LEGACY CODE
REUSED CODE/CONTAINERS
COMMERCIAL CODE
INTERNALLY DEVELOPED CODE
OUTSOURCED CODE
How open source enters a code base

CLOSED SOURCE COMMERCIAL
CODE
DEDICATED SECURITY RESEARCHERS
ALERTING AND NOTIFICATION INFRASTRUCTURE
REGULAR PATCH UPDATES
DEDICATED SUPPORT TEAM WITH SLA
OPEN SOURCE CODE
“COMMUNITY”-BASED CODE ANALYSIS
MONITOR NEWSFEEDS YOURSELF
NO STANDARD PATCHING MECHANISM
ULTIMATELY, YOU ARE RESPONSIBLE
Who is responsible for code and security?

TRUST BUILD FILES, MANIFESTS, PACKAGE MANAGERS,
FILE NAMES
EVIDENCE-BASED IDENTIFICATION OF OPEN SOURCE BY
SCANNING FILES IN CONTEXT
Without evidence, nothing else matters
Are packages complete? Determine package context

0
500
1000
1500
2000
2500
3000
3500
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Open Source Vulnerabilities Reported Per Year
BDS-exclusive nvd
Reference: Black Duck Software Knowledgebase, NVD
INCREASING NUMBER OF OSS VULNERABILITIES

Automated tools miss most open source vulnerabilities
Static & Dynamic Analysis
Only discover common vulnerabilities
3,000+ disclosed in 2014
Less than 1% found by automated tools
Undiscovered vulnerabilities are
too complex and nuanced
All possible security
vulnerabilities

What do these all have in common?
Heartbleed Shellshock GhostFreak Venom
Since:
Discovered:
2011
2014
1989
2014
1990’s
2015
2000
2015
2004
2015
Discovered by:
Component: OpenSSL
Riku, Antti,
Matti, Mehta
Bash
Chazelas
OpenSSL
Beurdouche
GNU C library
Qualys researchers
QEMU
Geffner

Integrating into tools and processes
DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION
BUG TRACKING
REMEDIATE AND TRACK
LICENSE COMPLIANCE AND
SECURITY VULNERABILITIES
FULL APP SEC VISIBILITY
VIA IBM APPSCAN
INTEGRATION
BUILD / CI SERVER
SCAN APPLICATIONS
WITH EACH BUILD VIA CI
INTEGRATION
DELIVERY PIPELINE
SCAN APPLICATIONS
AND CONTAINERS
BEFORE DELIVERY
CONTINUOUS
MONITORING OF
VULNERABILITIES

A solution should include these
components
Choose Open
Source
Proactively choose
secure, supported
open source
SELECT
Inventory
Open Source
Map Existing
Vulnerabilities
Maintain accurate list of
open source
components throughout
the SDL
Identify vulns during
development
VERIFY
Track New
Vulnerabilities
Alert new vulns in
production apps
MONITORREMEDIATE
Fix
Vulnerabilities
Tell developers
how to remediate

We need your help
Knowledge is power
• Know what’s running and why
• Define proactive vulnerability response process
• Don’t let technology hype cycle dictate security
Invest in defense in depth models
• Don’t rely on perimeter security to do heavy lifting
• Do look at hypervisor & container trends in security
• Make developers and ops teams part of the solution
• Do embed security into deployment process
Together we can build a more secure data center

Secure application deployment in the age of continuous delivery

Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/ How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools. What can development teams do to keep pace with rapidly-evolving application security threats? The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks. In this session, you will learn: - New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments. - Best practices for designing and incorporating an automated approach to application security into your existing development environment. - Future development and application security challenges organizations will face and what they can do to prepare.

Secure application deployment in Apache CloudStack

Tim Mackey

Open Source in Application Security

Black Duck by Synopsys

Open Source and Cyber Security: Open Source Software's Role in Government Cyb...

Great Wide Open

Secure application deployment in the age of continuous delivery

Tim Mackey

As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

This SlideShare will help you understand the shifting open source landscape and why open source security management is becoming more critical. You’ll also understand the high-level capabilities of the Black Duck Hub. You’ll also learn how, in just a few minutes, you can use your existing Protex Bill of Materials to uncover known open source security vulnerabilities lurking in your projects, how to monitor for newly discovered vulnerabilities, and how to take steps to remediate your open source vulnerability risk. Then you’ll be ready to get started by learning more about the integration in Black Duck Academy and using these tools on your own projects.

Open Source Security

Sander Temme

(In)security in Open Source

Shane Coughlan

Open Source has the potential to deliver faster development cycles and better security than traditional proprietary approaches to software. However, turning the potential of Open Source into reality can be difficult. Recent security issues like Heartbleed, Shellshock and the Panama Papers highlighted some of the challenges users of Open Source can face. This talk will explore how we can address them.

The 4 Levels of Open Source Risk Management

Black Duck by Synopsys

Managing Open Source in Application Security and Software Development Lifecycle

Black Duck by Synopsys

Presented September 15, 2016 by John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, or an internal application developed for employees, addressing the open source visibility and control challenges is vital to ensuring proper software security. Open source use is ubiquitous worldwide. It powers your mobile phone and your company’s most important cloud application. Securing mission critical applications must evolve to address open source as part of software security, complementing and extending the testing of in-house written code. In this webinar by Cigital and Black Duck security experts, you’ll learn: - The current state of application security management within the Software Development Lifecycle (SDLC) - New security considerations organizations face in testing applications that combine open source and in-house written software. - Steps you can take to automate and manage open source security as part of application development

Black Duck & IBM Present: Application Security in the Age of Open Source

Black Duck by Synopsys

Myths and Misperceptions of Open Source Security

Black Duck by Synopsys

Security in the age of open source - Myths and misperceptions

Tim Mackey

As delivered at Interop ITX 2017. The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.

Using hypervisor and container technology to increase datacenter security pos...

Tim Mackey

As presented at LinuxCon/ContainerCon 2016: Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications. Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment. Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.

Automating Open Source Security: A SANS Review of WhiteSource

WhiteSource

Software Security Assurance for DevOps

Black Duck by Synopsys

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

The How and Why of Container Vulnerability Management

Tim Mackey

As presented at OpenShift Commons Sept 8, 2016. Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform. In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

WhiteSource

Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...

Jerika Phelps

Continuous security: Bringing agility to the secure development lifecycle

Rogue Wave Software

Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.

The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...

WhiteSource

Secure Application Development in the Age of Continuous Delivery

Black Duck by Synopsys

As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Software Security Assurance for Devops

Jerika Phelps

veera.MBAveeramanikandan vinod

Eliana gonzalez

Gustavo Solórzano Méndez

Redes de computo

Valentina Velásquez Pérez

шампунь для роста волос

Ainur Arystanbekova

What's hot

FROM OPEN SOURCE COMPLIANCE TO SECURITY

Black Duck by Synopsys

Open Source Security

Sander Temme

(In)security in Open Source

Shane Coughlan

The 4 Levels of Open Source Risk Management

Black Duck by Synopsys

Managing Open Source in Application Security and Software Development Lifecycle

Black Duck by Synopsys

Black Duck & IBM Present: Application Security in the Age of Open Source

Black Duck by Synopsys

Myths and Misperceptions of Open Source Security

Black Duck by Synopsys

Security in the age of open source - Myths and misperceptions

Tim Mackey

Using hypervisor and container technology to increase datacenter security pos...

Tim Mackey

Automating Open Source Security: A SANS Review of WhiteSource

WhiteSource

Software Security Assurance for DevOps

Black Duck by Synopsys

The How and Why of Container Vulnerability Management

Tim Mackey

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

WhiteSource

Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...

Jerika Phelps

Continuous security: Bringing agility to the secure development lifecycle

Rogue Wave Software

The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...

WhiteSource

Secure Application Development in the Age of Continuous Delivery

Black Duck by Synopsys

Software Security Assurance for Devops

Jerika Phelps

What's hot (18)

FROM OPEN SOURCE COMPLIANCE TO SECURITY

Open Source Security

(In)security in Open Source

The 4 Levels of Open Source Risk Management

Managing Open Source in Application Security and Software Development Lifecycle

Black Duck & IBM Present: Application Security in the Age of Open Source

Myths and Misperceptions of Open Source Security

Security in the age of open source - Myths and misperceptions

Using hypervisor and container technology to increase datacenter security pos...

Automating Open Source Security: A SANS Review of WhiteSource

Software Security Assurance for DevOps

The How and Why of Container Vulnerability Management

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...

Continuous security: Bringing agility to the secure development lifecycle

The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...

Secure Application Development in the Age of Continuous Delivery

Software Security Assurance for Devops

Viewers also liked

veera.MBAveeramanikandan vinod

Eliana gonzalez

Gustavo Solórzano Méndez

Redes de computo

Valentina Velásquez Pérez

шампунь для роста волос

Ainur Arystanbekova

SANA FashionsJayant Kumar

LAUMEIER COMM PLANRebecca Deo

Hannah Benjamin CV copyHannah Benjamin

Are your aged care services inclusive of LGBTI clients?

Agility Communication and Connections

OSS has taken over the enterprise: The top five OSS trends of 2015

Rogue Wave Software

It’s everywhere. From your phone to the enterprise, open source software (OSS) is running far and wide. Gartner predicts that by 2016, 99 percent of Global 2000 enterprises will use open source in mission-critical software. While it’s free, easy to find, and pushes software to the market faster, it’s vital to understand how to use OSS safely. Join Richard Sherrard, director of product management at Rogue Wave, for a live webinar reviewing the top five OSS trends of 2015. From OSS discovery, to risk, and governance, we’ll take a deep dive into the trends we’ve noticed this year while providing you with some predictions for 2016. In this webinar you’ll learn how to: -Discover the OSS in your codebase to ensure that code is free of bugs, security vulnerabilities, and license conflicts -Implement controls on OSS usage at your organization -Create a multi-tier approach to OSS risk reduction with open source tools, static code analysis and dynamic analysis Watch the webinar recording now: https://www.brighttalk.com/webcast/12285/164531

катков а.и.

Анастасия Редковская

Давным-давно была война…

Анастасия Редковская

9 Ideeen om sneller te groeien op Instagram

Kirsten Jassies justK

Instagram marketing global affairs home decor

Kirsten Jassies justK

Walt Disney Biography (IGE125)

Shooger

My term paper was to write a biography about someone who's failed multiple times but despite the failures, continued to strive for their success and in my mind, I had Walt Disney. This assignment was for my Communication & Human Relations class (IGE125) Unfortunately, I do not cite sources in my documents and I’m awfully sorry about that. But most of my research was via the internet and I’m sure you’ll be able to find them online. If this was, in anyway useful to you, please leave a comment saying so! Thank you very much!

PCI and Vulnerability Assessments - What’s Missing

Black Duck by Synopsys

Securing Docker Containers

Black Duck by Synopsys

Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.

MassRoots

Edward Ye

Company presentation

Jessica Holcomb

Viewers also liked (18)

veera.MBA

Eliana gonzalez

Redes de computo

шампунь для роста волос

SANA Fashions

LAUMEIER COMM PLAN

Hannah Benjamin CV copy

Are your aged care services inclusive of LGBTI clients?

OSS has taken over the enterprise: The top five OSS trends of 2015

катков а.и.

Давным-давно была война…

9 Ideeen om sneller te groeien op Instagram

Instagram marketing global affairs home decor

Walt Disney Biography (IGE125)

PCI and Vulnerability Assessments - What’s Missing

Securing Docker Containers

MassRoots

Company presentation

Similar to Secure application deployment in the age of continuous delivery

Secure application deployment in the age of continuous delivery

Black Duck by Synopsys

As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Prevent Getting Hacked by Using a Network Vulnerability Scanner

GFI Software

Security O365 Using AI-based Advanced Threat Protection

Bitglass

Office 365 has garnered widespread adoption from enterprises due to its advantages such as ease of deployment, lower TCO, and high scalability. Additionally, it enables end-users to work and collaborate from anywhere and on any device. Although Office 365 enables IT to shift the burden for app and infrastructure to the cloud vendor, data security remains the responsibility of the enterprise. Given the limitations of native malware protection on Office 365, should the enterprise rely on Office 365 to protect their data from malware and ransomware? Join Bitglass and Cylance for a discussion on malware protection solutions for Office 365. We will cover the limitations of native Office 365 malware protection as well as the benefits of AI and machine learning based approaches. We will wrap up the session by discussing how CASBs, with Advanced Threat Protection (ATP) capabilities, are uniquely positioned to protect cloud apps and end-points from malware attacks and proliferation.

Realities of Security in the Cloud

Alert Logic

Journey to the Cloud: Securing Your AWS Applications - April 2015

Alert Logic

James Brown, Director of Cloud Computing & Security Architecture, Alert Logic covers: • The shared security model: what security you are responsible for to protect your content, applications, systems and networks vs AWS. • Overview of the OWASP Top 10 most critical web application security risks (such as SQL injections) • Best practices for how to protect your environment from the latest threats

A question of trust - understanding Open Source risks

Tim Mackey

As presented at the Bay Area Cyber Security Meetup on January 25th, 2018. Open source development paradigms have become the norm for most software development. This is regardless of whether you're making the next great IoT device, a new container microservice, or desktop application. While open source components are often viewed as free, and definately help solve problems in a scalable way, using them in a secure manner requires an understanding of how open source development really works. In this sesssion, I covered how secure development practices with data center regulations can benefit from an understanding of open source development. Specifically, we looked at fork management, community engagement and patch management. We ended with an open source maturity model.

Realities of Security in the Cloud

Alert Logic

FireEye Use Cases — FireEye Solution Deployment Experience

Valery Yelanin

Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.

Scalar Decisions

Question of trust

ssuserd8f6cf1

Key Strategies to Address Rising Application Risk in Your EnterpriseLumension

FireEye - Breaches are inevitable, but the outcome is not

MarketingArrowECS_CZ

Empowering Application Security Protection in the World of DevOps

Black Duck by Synopsys

Solnet dev secops meetup

pbink

Continuous security testing - sharing responsibility

VodqaBLR

Software Security Assurance for DevOps

Black Duck by Synopsys

Security in the Age of Open Source

FINOS

Evan Klein, Blackduck Software: Security in the Age of Open Source. Open source has been embraced by enterprises in the private and public sector. Where software previously was built from scratch, today’s applications can be comprised of more than 80% open source. This session will look at the security implications of the unmanaged use of open source drawing on Black Duck’s empirical research on the use of open source in commercial software. The talk will provide attendees with: • Research results on the use of open source • The security implications of poorly managed open source policies • Why open source needs to be tested differently than custom code • Strategies for addressing these differences, and best practices to mitigate risk

Secure Application Development in the Age of Continuous Delivery

Tim Mackey

As delivered at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Lumension Security - Adjusting our defenses for 2012

Andris Soroka

CSO CXO Series Breakfast

CSO_Presentations

Similar to Secure application deployment in the age of continuous delivery (20)

Secure application deployment in the age of continuous delivery

Prevent Getting Hacked by Using a Network Vulnerability Scanner

Security O365 Using AI-based Advanced Threat Protection

Realities of Security in the Cloud

Journey to the Cloud: Securing Your AWS Applications - April 2015

A question of trust - understanding Open Source risks

Realities of Security in the Cloud

FireEye Use Cases — FireEye Solution Deployment Experience

Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.

Question of trust

Key Strategies to Address Rising Application Risk in Your Enterprise

FireEye - Breaches are inevitable, but the outcome is not

Empowering Application Security Protection in the World of DevOps

Solnet dev secops meetup

Continuous security testing - sharing responsibility

Software Security Assurance for DevOps

Security in the Age of Open Source

Secure Application Development in the Age of Continuous Delivery

Lumension Security - Adjusting our defenses for 2012

CSO CXO Series Breakfast

More from Black Duck by Synopsys

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

Black Duck by Synopsys

Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included: A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises. For more information, please visit us at www.blackducksoftware.com

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

Black Duck by Synopsys

Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

Black Duck by Synopsys

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

Black Duck by Synopsys

At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed, everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed and how some of the requirements therein may for instance conflict with the GNU General Public license. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given and how potential problems can be prevented.

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

Black Duck by Synopsys

Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - From Protex to Hub

Black Duck by Synopsys

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Black Duck by Synopsys

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Black Duck by Synopsys

Open Source Rookies and Community

Black Duck by Synopsys

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Black Duck by Synopsys

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year. Open Source Insight is your weekly news resource for open source security and cybersecurity news!

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Black Duck by Synopsys

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans. Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Black Duck by Synopsys

Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Black Duck by Synopsys

This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions. Read on for all the open source security and cybersecurity news you need to know this week.

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Black Duck by Synopsys

Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk. Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Black Duck by Synopsys

This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.

More from Black Duck by Synopsys (20)

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Open-Source- Sicherheits- und Risikoanalyse 2018

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

FLIGHT Amsterdam Presentation - From Protex to Hub

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Open Source Rookies and Community

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Recently uploaded

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Full-RAG: A modern architecture for hyper-personalization

Zilliz

Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.

Mind map of terminologies used in context of Generative AI

Kumud Singh

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

20 Comprehensive Checklist of Designing and Developing a Website

Pixlogix Infotech

Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Zilliz

Communications Mining Series - Zero to Hero - Session 1

DianaGray10

This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered: • Communication Mining Overview • Why is it important? • How can it help today’s business and the benefits • Phases in Communication Mining • Demo on Platform overview • Q/A

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Recently uploaded (20)

Monitoring Java Application Security with JDK Tools and JFR Events

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Pushing the limits of ePRTC: 100ns holdover for 100 days

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Full-RAG: A modern architecture for hyper-personalization

Mind map of terminologies used in context of Generative AI

20240607 QFM018 Elixir Reading List May 2024

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Securing your Kubernetes cluster_ a step-by-step guide to success !

20 Comprehensive Checklist of Designing and Developing a Website

Climate Impact of Software Testing at Nordic Testing Days

By Design, not by Accident - Agile Venture Bolzano 2024

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Microsoft - Power Platform_G.Aspiotis.pdf

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Communications Mining Series - Zero to Hero - Session 1

20240605 QFM017 Machine Intelligence Reading List May 2024

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Secure application deployment in the age of continuous delivery

1. Secure application deployment

2. #whoami – Tim Mackey • Current roles: Senior Technical Evangelist; Occasional coder • Previously XenServer Community Manager • Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system • Find me • Twitter: @TimInTech • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim

3. Security reality No solution is perfect. Defense in depth matters.

4. Attacks are big business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report

5. EASY ACCESS TO SOURCE CODE Open source ubiquity makes it an easy target OPEN SOURCE ISN’T MORE OR LESS SECURE THAN CLOSED SOURCE – ITS JUST EASIER TO ACCESS VULNERABILITIES ARE PUBLICIZED EXPLOITS ARE PUBLISHED

6. Anatomy of a new attack Potential Attack Iterate Test against platforms Document Don’t forget PR department Deploy

7. DELIVERED CODE OPEN SOURCE CODE SUPPLY CHAIN CODE LEGACY CODE REUSED CODE/CONTAINERS COMMERCIAL CODE INTERNALLY DEVELOPED CODE OUTSOURCED CODE How open source enters a code base

8. CLOSED SOURCE COMMERCIAL CODE DEDICATED SECURITY RESEARCHERS ALERTING AND NOTIFICATION INFRASTRUCTURE REGULAR PATCH UPDATES DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE “COMMUNITY”-BASED CODE ANALYSIS MONITOR NEWSFEEDS YOURSELF NO STANDARD PATCHING MECHANISM ULTIMATELY, YOU ARE RESPONSIBLE Who is responsible for code and security?

9. TRUST BUILD FILES, MANIFESTS, PACKAGE MANAGERS, FILE NAMES EVIDENCE-BASED IDENTIFICATION OF OPEN SOURCE BY SCANNING FILES IN CONTEXT Without evidence, nothing else matters Are packages complete? Determine package context

10. 0 500 1000 1500 2000 2500 3000 3500 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd Reference: Black Duck Software Knowledgebase, NVD INCREASING NUMBER OF OSS VULNERABILITIES

11. Automated tools miss most open source vulnerabilities Static & Dynamic Analysis Only discover common vulnerabilities 3,000+ disclosed in 2014 Less than 1% found by automated tools Undiscovered vulnerabilities are too complex and nuanced All possible security vulnerabilities

12. What do these all have in common? Heartbleed Shellshock GhostFreak Venom Since: Discovered: 2011 2014 1989 2014 1990’s 2015 2000 2015 2004 2015 Discovered by: Component: OpenSSL Riku, Antti, Matti, Mehta Bash Chazelas OpenSSL Beurdouche GNU C library Qualys researchers QEMU Geffner

13. Integrating into tools and processes DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES FULL APP SEC VISIBILITY VIA IBM APPSCAN INTEGRATION BUILD / CI SERVER SCAN APPLICATIONS WITH EACH BUILD VIA CI INTEGRATION DELIVERY PIPELINE SCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY CONTINUOUS MONITORING OF VULNERABILITIES

14. Misaligned security investment

15. A solution should include these components Choose Open Source Proactively choose secure, supported open source SELECT Inventory Open Source Map Existing Vulnerabilities Maintain accurate list of open source components throughout the SDL Identify vulns during development VERIFY Track New Vulnerabilities Alert new vulns in production apps MONITORREMEDIATE Fix Vulnerabilities Tell developers how to remediate

16. We need your help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Do embed security into deployment process Together we can build a more secure data center

Editor's Notes

Image: http://morguefile.com/p/209940
http://www.istockphoto.com/photo/computer-crime-concept-gm516607038-89059287?st=9174601 http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
http://www.istockphoto.com/photo/person-in-hooded-sweater-using-a-laptop-on-wooden-table-gm464503138-58544934?st=cf78f31 http://www.istockphoto.com/photo/cloud-computing-gm518556682-90104967
http://www.istockphoto.com/photo/strength-in-unity-gm514713440-88219133?st=af7fa36

Secure application deployment in the age of continuous delivery

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (18)

Similar to Secure application deployment in the age of continuous delivery

Similar to Secure application deployment in the age of continuous delivery (20)

More from Black Duck by Synopsys

More from Black Duck by Synopsys (20)

Recently uploaded

Recently uploaded (20)

Secure application deployment in the age of continuous delivery

Editor's Notes