@RaduVunvulea
SECURE APPLICATION DEVELOPMENT
SECURE THINKING INSIDE AZURE
COVID-19 SECURITY IMPACT
https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html

250% increase of cyber-attacks in EU
273% increase of large-scale breaches in 2020
47% of individuals fall for phishing scams while working at home
Phishing attacks increased by 350%

INCREASES IN CLOUD WORKLOADS PER REGION
INCREASES IN CLOUD WORKLOADS BY INDUSTRY
https://www.paloaltonetworks.com/resources/infographics/unit42-covid-19-amplifies-cloud-security-challenges

From February to May 2020, more than 500.000 people globally were affected by breaches where personal data of video conferencing users was stolen and sold on the dark web.
FINAL THOUGHTS
THANK YOU
@RaduVunvulea
Azure RBAC (Azure role-based access control)

Security Principal: User | Group | Service Principal | Managed Identity
Role: Operation type (R/W/C/D)
Scope: Management Group > Subscription > Resource Group > Resource

Role assignment:
(1) Assign a security principal
(2) Assign a scope
(3) Assign a role

Example assignment: Development Group (security principal) | Contributor (role) | Dev and Playground Resource Group (scope)
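A toy evaluator for the three RBAC concepts on this slide, as an added example (not the deck's code and not how Azure implements it): a role assignment binds a security principal to a role at a scope, and the assignment is inherited by every scope below it. The hierarchy, role definitions, group membership and names are constructed to mirror the slide's Development Group / Contributor / Dev and Playground example.

```python
"""Toy model of Azure RBAC evaluation: security principal + role + scope.

Added example, not part of the original deck or of Azure itself. The scope
hierarchy, role definitions, group membership and names are constructed
to mirror the slide (Development Group -> Contributor -> Dev and Playground
resource group) and to show how a role assignment is inherited downwards.
"""
from dataclasses import dataclass

# Scope hierarchy, child -> parent. An assignment made at a scope applies to
# every scope below it: management group > subscription > resource group >
# resource. Constructed sample hierarchy.
PARENT = {
    "/mg/contoso": None,
    "/mg/contoso/sub/dev-sub": "/mg/contoso",
    "/mg/contoso/sub/dev-sub/rg/dev-playground": "/mg/contoso/sub/dev-sub",
    "/mg/contoso/sub/dev-sub/rg/dev-playground/vm/vm01":
        "/mg/contoso/sub/dev-sub/rg/dev-playground",
    "/mg/contoso/sub/prod-sub": "/mg/contoso",
    "/mg/contoso/sub/prod-sub/rg/prod-web": "/mg/contoso/sub/prod-sub",
}

# Roles as the operation types they grant (R/W/C/D as on the slide). Contributor
# manages resources but cannot grant access, so the toy model keeps a separate
# "A" (assign roles) operation that only Owner holds.
ROLES = {
    "Reader": {"R"},
    "Contributor": {"R", "W", "C", "D"},
    "Owner": {"R", "W", "C", "D", "A"},
}

# Group membership, group -> members (constructed).
GROUPS = {"Development Group": {"alice", "bob"}}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str
    scope: str


def scope_chain(scope):
    """Yield the scope itself, then each ancestor up to the root."""
    if scope not in PARENT:
        raise ValueError(f"unknown scope: {scope}")
    while scope is not None:
        yield scope
        scope = PARENT[scope]


def principals_for(identity):
    """The identity plus every group it belongs to; group assignments apply to members."""
    ids = {identity}
    ids.update(g for g, members in GROUPS.items() if identity in members)
    return ids


def is_allowed(identity, op, scope, assignments):
    """True if some assignment grants `op` at `scope` or at an ancestor scope."""
    ids = principals_for(identity)
    chain = set(scope_chain(scope))
    return any(a.principal in ids and a.scope in chain and op in ROLES[a.role]
               for a in assignments)


def effective_ops(identity, scope, assignments):
    """All operations granted at `scope`; handy for a least-privilege review."""
    return {op for op in "RWCDA" if is_allowed(identity, op, scope, assignments)}


# The slide's example assignment, plus a subscription-wide Reader for an
# auditing managed identity (constructed).
ASSIGNMENTS = [
    RoleAssignment("Development Group", "Contributor",
                   "/mg/contoso/sub/dev-sub/rg/dev-playground"),
    RoleAssignment("auditor-mi", "Reader", "/mg/contoso/sub/dev-sub"),
]

if __name__ == "__main__":
    vm = "/mg/contoso/sub/dev-sub/rg/dev-playground/vm/vm01"
    prod = "/mg/contoso/sub/prod-sub/rg/prod-web"
    print("alice W on dev VM:", is_allowed("alice", "W", vm, ASSIGNMENTS))
    print("alice W on prod RG:", is_allowed("alice", "W", prod, ASSIGNMENTS))
```

The Contributor assignment on the resource group reaches the VM beneath it but never the production subscription, and it grants no "A" operation, which is the point of assigning at the narrowest scope that still works.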
Secrets scanning
Protecting your code, your secrets, your identity
SCAN COMMITS BEFORE A PUSH
(1) Place git-secrets somewhere in the PATH so that it is easily accessible by git
(2) ./install.ps1 | Command to install git-secrets on a Windows machine
(3) cd /path/RaduVRepo/IoTHome | Navigate to the repo that you want to protect. You need to do this for each repository that you want to secure
(4) git secrets --install | Install the tool (adds the git hooks to the repository)
(5) git secrets --register-azure | Register the Azure plugin
(6) git secrets --register-aws | Register the AWS plugin
(7) git secrets --register-gcp | Register the GCP plugin
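A minimal version of what a git-secrets style hook does once the providers above are registered, as an added example (not the deck's code and not git-secrets' own): it scans only the lines a diff adds for provider-style credential shapes and for high-entropy strings, and returns findings so the hook can refuse the commit or push. The patterns, the allowlist and the sample diff are constructed for this example.

```python
"""Minimal git-secrets style pre-push check.

Added example, not code from the original deck or from git-secrets. It scans
the lines a diff adds for a few provider-style credential shapes (the kind the
aws/azure/gcp providers register) plus high-entropy strings, and returns
findings so a hook can refuse the push. Patterns, allowlist and the sample
diff are constructed for this example.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Provider-style patterns (constructed; real providers ship many more).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure-storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}==", re.I),
    "gcp-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}
# Values that are obviously fake are allowed so fixtures do not block every push.
ALLOWED = re.compile(r"(?i)(example|placeholder|changeme|dummy|xxxx)")
HUNK = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")


def shannon_entropy(s):
    """Bits per character: random keys score high, prose and identifiers low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def high_entropy_tokens(line, min_len=20, threshold=4.0):
    """Base64/hex-looking tokens whose entropy suggests a key rather than text."""
    return [tok for tok in re.findall(r"[A-Za-z0-9+/=_\-]{%d,}" % min_len, line)
            if shannon_entropy(tok) >= threshold]


def scan_diff(diff_text):
    """Scan only the lines a unified diff adds ('+' lines, not the '+++' header).

    Returns [(file, new_line_no, rule), ...]; an empty list means the push may go.
    """
    findings = []
    current_file, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        m = HUNK.match(raw)
        if m:
            line_no = int(m.group(1)) - 1
            continue
        if raw.startswith(" "):      # unchanged context advances the new-file line
            line_no += 1
            continue
        if not raw.startswith("+"):  # removed lines and file headers
            continue
        line_no += 1
        line = raw[1:]
        if ALLOWED.search(line):
            continue
        for rule, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((current_file, line_no, rule))
        if high_entropy_tokens(line):
            findings.append((current_file, line_no, "high-entropy-string"))
    return findings


def scan_staged():
    """Hook entry point: scan what `git diff --cached` is about to commit."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    return scan_diff(diff)


# Constructed sample diff: one real-looking password, one AWS-shaped key, one
# allowlisted placeholder and one random high-entropy value.
SAMPLE_DIFF = """\
diff --git a/config/app.yaml b/config/app.yaml
--- a/config/app.yaml
+++ b/config/app.yaml
@@ -1,3 +1,6 @@
 database: iothome
-password: "changeme"
+password: "Wint3r-Is-Coming-2020!"
+aws_access_key_id: AKIAZZZZTESTKEY00001
 region: westeurope
+storage_key: "CONSTRUCTED_PLACEHOLDER_KEY"
+signing_salt: "q7Lm2Xp9Vb4Rt8Zk1Hy6Nw3Fc5Jd0Sg"
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF) if "--sample" in sys.argv else scan_staged()
    for path, no, rule in hits:
        print(f"{path}:{no}: possible secret ({rule})")
    sys.exit(1 if hits else 0)
```

Run with `--sample` to see the three constructed hits; without it the script scans the staged changes of the current repository and exits non-zero on any finding, which is how a pre-commit or pre-push hook blocks the secret.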
Secrets scanning
Protecting your code, your secrets, your identity
The total no. of secrets used by a single owner
https://spectralops.io/
Secret Scanning Tools for Dev(Sec)Ops
Protecting your secrets, data and your clouds

gitLeaks: gitLeaks is an open-source static analysis command-line tool released under the MIT license. The gitLeaks tool is used to detect hard-coded secrets like passwords, API keys, and tokens in local and GitHub repositories (private and public).
SpectralOps: Spectral offers one of the most comprehensive secret scanning solutions, integrating into every facet of the build process.
Git-Secrets: Git-Secrets is an open-source command-line tool used to scan developer commits and "--no-ff" merges to prevent secrets from accidentally entering Git repositories.
Whispers: Whispers is an open-source static code analysis tool designed to search for hardcoded credentials and dangerous functions.
GitHub Secret scanning: GitHub makes available its own integrated secret scanning solution, capable of detecting popular API key and token structures.
Gittyleaks: Gittyleaks is a straightforward Git secrets scanner command-line tool capable of scanning and cloning repositories.
Scan: Scan is a comprehensive open-source security audit tool.
Git-all-secrets: Git-all-secrets is an open-source secret scanner aggregation project. This tool currently relies on two open-source secret scanning projects: truffleHog and repo-supervisor.
Detect-secrets: Detect-secrets is an actively maintained open-source project designed with the enterprise client in mind.
https://spectralops.io/blog/top-9-git-secret-scanning-tools/
Secret Scanning Tools for Dev(Sec)Ops
Protecting your secrets, data and your clouds

gitLeaks
  Pros: Open source | Free to use | Cloning, audit and integration capability
  Cons: No UI | Limited integration options | Good for niche development projects

SpectralOps
  Pros: Intuitive UI | Easy to manage | Strong ML mechanism that reduces the false positive rate
  Cons: Complex | Not easy to use for small projects | Built to be used on large codebases with a high no. of people

Git-Secrets
  Pros: Easy integration with CI/CD pipelines | Capable of forcing secrets not to appear in the commit (secret providers)
  Cons: Simple algorithms | Based on regular-expression-like formulas | Not maintained anymore | Not suitable for corporate environments

Whispers
  Pros: Works out of the box | Wide range of secret formats | Easy to extend to support new formats
  Cons: Focused on text files | Not able to do deep scans without integration with other solutions | Rules based on regex, ASCII and Base64

GitHub Secret scanning
  Pros: Easy to integrate in GitHub | UI and nice visualization for scanning, integration and configuration | Strong support for a high number of popular services
  Cons: Main target is string structures (keys, tokens) | Does not cover passwords, emails, URLs

Gittyleaks
  Pros: Simple to use and configure | Easy to integrate in small projects to add the secrets scanning concept
  Cons: Fixed rules | Limited in the formats that can be detected | Not suitable for non-education purposes

Scan
  Pros: Open source | Good integration with Azure, GitHub, GitLab, TeamCity and so on | The most powerful free tool for DSO
  Cons: Setup is complex | Limited user interface | Hard to process the results

Git-all-secrets
  Pros: Integration hub | Does not rely on a single algorithm
  Cons: Default configuration is basic | Looks more like an MVP than a production-ready solution

Detect-secrets
  Pros: High no. of plugins (including Azure, AWS)
  Cons: Pre-commit hook is basic and does not cover all base secrets | Output split across multiple lines

https://spectralops.io/blog/top-9-git-secret-scanning-tools/


Editor's Notes

  1. <Key point>: Cloud Adoption Framework—modular phases of adoption. As your organization evolves, the Cloud Adoption Framework adapts to your business needs. Each module in the diagram is an iterative phase that advances your business through the complete lifecycle of cloud adoption. Customers can choose the phase best-suited to their degree of cloud adoption maturity. The Cloud Adoption Framework offers a guiding methodology to cloud adoption, with specific approaches to overcoming common blockers to cloud adoption in each module, such as “Define Strategy,” “Plan,” etc. The Cloud Adoption Framework offers the enterprise a modular framework of how to incrementally onboard to the cloud. Cloud adoption shifts how companies obtain, make use of, and lock down their technology resources. And this kind of modular framework flips the model of how enterprises operate:
     • Transitions organizations to need-based consumption of technology resources
     • Change from cap-ex (capital expenditure) to op-ex (operating expenditure) model
     • Cloud model assumes security, governance, cost-optimization, and hybrid cloud by default
     • Develop a future-ready workforce—developing and deploying cloud skill readiness organization-wide
     As an organization progresses through the Cloud Adoption Framework, what are the main goals of each methodology (“Define Strategy,” “Plan,” ...) that you can focus efforts on?
     <Transition>: Now that we have taken a look at the phases and the modular approach, let's look at some common business blockers that the Cloud Adoption Framework can help you resolve.
  2. https://spectralops.io/blog/top-9-git-secret-scanning-tools/