In the software engineering world, change is the only constant, and over the last few decades the pace of that change has exploded. What Agile brought to software teams, DevOps is now bringing to the entire organization, and the results speak for themselves: the DevOps high performers deploy features at a frequency that would have seemed absurd a decade ago, keep their applications reliable, and get far more out of cross-functional teams, all of which shortens the path from idea to running software.
In parallel, Application Security went its own way and largely remained oblivious to these improvements in software engineering. That is not surprising: breaking an application requires no knowledge of how it was built in the first place.
This talk will cover anti-patterns that are preventing application security from being adopted by development teams, such as:
* Issues Overload
* Acronym Overuse
* Sales team Wall
Five Reasons to Look Beyond Math-based Next-Gen Antivirus | Sarah Vanier
The document gives five reasons why "math-based" next-generation antivirus products that rely solely on prevention and predictive analysis are insufficient for comprehensive endpoint protection. First, they address only 50-60% of malware and cannot prevent non-file-based attacks. Second, malware behaviour is hard to predict reliably. Third, with millions of new variants appearing weekly, a 99.9% detection rate still lets a meaningful number through. Fourth, these products need significant time and resources to train their models. Fifth, they are managed strictly from the cloud, with no on-premise option. The document argues for an approach that combines prevention, detection and automated response across all attack vectors on the endpoint.
See a live demo and get answers to all your questions about Elastic Endpoint Security. It will be the only endpoint protection product to fully combine prevention, detection, and response into a single autonomous agent.
See the video: https://www.elastic.co/elasticon/tour/2019/washington-dc/security-starts-at-the-endpoint
Elastic Security: Enterprise Protection Built on the Elastic Stack | Elasticsearch
Elastic Security provides global data threat prevention, collection, detection, and response. Learn how to outpace the adversaries with multi-layered technology, see live demos, and get answers to all your questions.
Using security to drive chaos engineering - April 2018 | Dinis Cruz
Presentation I delivered at ISSA UK "Application Security - London Chapter Meeting" https://www.eventbrite.co.uk/e/application-security-london-chapter-meeting-tickets-42284085839
Cybersecurity: How to Use What We Already Know | jxyz
Slides from my PSR keynote on how to secure software by bridging the gap between research and practice.
Video: https://t.co/mRr4CMrfKN
Event: https://iapp.org/conference/privacy-security-risk-2015
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se... | Black Duck by Synopsys
Black Duck senior technology evangelist Tim Mackey talks containers this week at DevSecCon and elaborates on his presentation, “When Good Containers Go Bad,” with IT Pro, Cloud Pro and Data Centre News. Black Duck VP of Security Strategy Mike Pittenger shares his thoughts on the biggest security threat we face in 2018. Artifex and Hancom settle their long-running open source licensing dispute, and the hidden costs of open source security.
Read all the hottest open source security and cybersecurity news in this week’s Open Source Insight.
Why does security matter for devops by Caroline Wong | DevSecCon
This document discusses why security matters for DevOps. It begins by introducing the speaker and intended audience. It then explains how the role of security is changing from protecting the perimeter to addressing risks from vendors and mobile endpoints. Security matters for DevOps because major companies have experienced high-profile data breaches, which hurt sales, acquisition, press, and compliance. The document outlines the NIST Cybersecurity Framework approach of identifying, preventing, detecting, responding to, and recovering from incidents. It emphasizes that security for DevOps must be business-driven, on-demand to fit the DevOps toolchain, and built on a culture of trust.
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu... | Black Duck by Synopsys
Black Duck is now a part of Synopsys, with the acquisition complete this week. Dr. Andreas Kuehlmann, General Manager of the Synopsys Software Integrity Group provides some background of how Synopsys and Black Duck joining forces will enhance the company’s efforts in the software security market by broadening our product offering and strengthening the Software Integrity Platform.
Tim Mackey, technical evangelist for Black Duck, tackles the tricky issue of container security. Mike Pittenger, vice president of security strategy for Black Duck, discusses open source security, the Equifax breach, OpenSSL and Heartbleed, and why a “software parts list” will become increasingly important to organisations wanting to stay secure.
This week’s open source security and cybersecurity news follows in Open Source Insight.
- Elastic Security provides a unified security solution including SIEM, endpoint security, threat hunting, and more powered by the Elastic Stack.
- It offers one agent that can instantly collect and protect data from endpoints as well as search across data anywhere for investigation and detection.
- The protections are developed with input from Elastic security experts and the open source community to provide unparalleled detection capabilities.
The Perimeter Security Retreat: Fall Back, Fall Back to the Server | Rahul Neel Mani
The document discusses the shift from traditional perimeter security to workload-centric security strategies in cloud computing environments. As organizations' IT infrastructures move to public and hybrid clouds, security must move with the workloads and be applied within the cloud. The document recommends a strategy of gaining visibility into cloud workloads, baking security into workloads from their development, using security groups and firewalls, and adopting a single security platform like Deep Security that can seamlessly protect workloads across cloud and physical environments.
Getting to Know Security and Devs: Keys to Successful DevSecOps | Franklin Mosley
In the past, security was seen as a function of the ‘security’ organization. With DevOps, we aim to break down these silos and make security a shared responsibility. What do Security and Development teams need to know about each other to work together more effectively?
Open Source Insight: Balancing Agility and Open Source Security for DevOps | Black Duck by Synopsys
Lots of DevOps news this week, including why automation is critical for securing code, as well as balancing agility with security needs. Learn how to manage security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR, Carphone Warehouse gets hit with £400k fine over a 2015 hack. And why you should think like your attackers when developing your cybersecurity portfolio.
Read on for this week’s cybersecurity and open source security news in Open Source Insight!
Open Source Insight: Top Picks for Black Hat, GDPR & Open Source Webinar, ... | Black Duck by Synopsys
Vulnerability of the week is CVE-2017-7526, but news abounds on GDPR and Open Source, Medical Device security, container security tools, Black Hat USA & more.
Philly ETE 2016: Securing Software by Construction | jxyz
The high-profile attacks and data breaches of the last few years have shown us the importance of securing our software. While it is good that we are seeing more tools that can analyze systems for vulnerabilities, this does not help the programmer write secure code in the first place. To prevent security from becoming a bottleneck, and expensive security mistakes from becoming increasingly probable, we need to look to techniques that allow us to secure software by construction.
This talk has two parts. First, I will present technical ideas from research, including my own, that help secure software by construction. Even though these are reasonable ideas, the gap between academia and industry often prevents them from being realized in practice. Second, I will discuss what prevents longer-term security solutions from being commercialized, how we started the Cybersecurity Factory accelerator to bridge the research/industry gap, and how we can work together to address the issues that remain.
http://2016.phillyemergingtech.com/session/securing-software-by-construction/
Exploration Draft Document- CEM Machine Learning & AI Project 2018 | Leslie McFarlin
Draft document to present findings of exploratory work on the incorporation of machine learning and AI into an existing data security product. The project was abandoned due to conflicting work done by product management.
Threat modeling is a conceptual exercise that aims to identify security flaws in a system's design and the changes needed to mitigate them. The OWASP Top 10 for 2021 added "Insecure Design" as a new category covering design-flaw risk. The approach described uses the STRIDE framework and works through four questions: what system is being worked on, what can go wrong, what will be done about it, and whether the mitigations were effective. Its output is a human-readable JSON file stored alongside the source code. In practice this means an overall product model plus per-application models, each owned by a security champion and reviewed at the start of a sprint whenever the architecture changes.
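The slide summary does not show the JSON layout or what "reviewing effectiveness" looks like in the repository, so the following is an added example rather than the deck's own format. It assumes a hypothetical schema in which each data flow lists the six STRIDE categories with an `applies` flag and a `mitigation`, and it implements the check a security champion would run at sprint start: every flow that crosses a trust boundary must have all six categories assessed, and every applicable threat must carry a mitigation. The sample model is constructed for the example and deliberately contains two gaps.

```python
"""Threat-model-as-code check (added example; the JSON layout is an assumption,
not the format used by the slides).
"""
import json

STRIDE = ("spoofing", "tampering", "repudiation",
          "information_disclosure", "denial_of_service", "elevation_of_privilege")

# Constructed sample threat model in the hypothetical layout this check expects.
SAMPLE_MODEL = json.dumps({
    "system": "payments-api",
    "reviewed_sprint": "2024-S12",
    "flows": [
        {"id": "F1", "from": "browser", "to": "api-gateway", "crosses_trust_boundary": True,
         "threats": {
             "spoofing": {"applies": True, "mitigation": "OIDC login, short-lived tokens"},
             "tampering": {"applies": True, "mitigation": "TLS 1.2+, HSTS"},
             "repudiation": {"applies": True, "mitigation": "request IDs in audit log"},
             "information_disclosure": {"applies": True, "mitigation": "TLS, no PII in URLs"},
             "denial_of_service": {"applies": True, "mitigation": ""},   # gap: no mitigation
             "elevation_of_privilege": {"applies": False}}},
        {"id": "F2", "from": "api-gateway", "to": "ledger-db", "crosses_trust_boundary": True,
         "threats": {
             "spoofing": {"applies": True, "mitigation": "mTLS client certificate"},
             "tampering": {"applies": True, "mitigation": "parameterised queries"},
             # gap: repudiation was never assessed for this flow
             "information_disclosure": {"applies": True, "mitigation": "column encryption"},
             "denial_of_service": {"applies": False},
             "elevation_of_privilege": {"applies": True, "mitigation": "least-privilege DB role"}}},
        {"id": "F3", "from": "api-gateway", "to": "metrics", "crosses_trust_boundary": False,
         "threats": {}},   # internal flow: not required to be fully assessed
    ]})


def check_model(model_json):
    """Return a list of (flow_id, category, problem); an empty list means the model passes."""
    model = json.loads(model_json)
    findings = []
    for flow in model["flows"]:
        if not flow.get("crosses_trust_boundary"):
            continue   # policy choice: only boundary-crossing flows must be fully assessed
        threats = flow.get("threats", {})
        for category in STRIDE:
            entry = threats.get(category)
            if entry is None:
                findings.append((flow["id"], category, "not assessed"))
            elif entry.get("applies") and not entry.get("mitigation", "").strip():
                findings.append((flow["id"], category, "applies but has no mitigation"))
    return findings


if __name__ == "__main__":
    problems = check_model(SAMPLE_MODEL)
    for flow_id, category, problem in problems:
        print(f"{flow_id}: {category}: {problem}")
    raise SystemExit(1 if problems else 0)   # non-zero exit fails the CI job
```

Run as a CI step against the JSON file checked in next to the code, the non-zero exit blocks a merge until the champion either records a mitigation or marks the category as not applicable, which keeps the "reviewing effectiveness" step from silently lapsing between sprints.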
The document discusses the need for antivirus software to secure devices like PCs, laptops, and smartphones from cyber threats. It notes that while people purchase insurance for things like life and vehicles, they sometimes forget to secure their digital devices, leading to big problems. The document then promotes Kaspersky antivirus software as the best solution, highlighting its use of cloud-based reputation databases and behavior-based detection methods to block both known and unknown malware threats. It provides an overview of Kaspersky Endpoint Security 8's features like application control, endpoint protection, integration with security networks in the cloud, and more.
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat... | Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
The document discusses how Intel and McAfee have evolved together in the five years since Intel acquired McAfee, comparing what was anticipated at the time with what actually occurred. The cyber threat landscape changed and expanded more rapidly than expected, and the focus shifted from embedding security in silicon to using silicon to strengthen software defences and to address new attack types such as those originating in firmware and BIOS. It also examines how different attacker profiles emerged and grew in resources and sophistication more than anticipated.
SACON - Threat Hunting Workshop (Shomiron Das Gupta) | Priyanka Aash
This document summarizes a workshop on threat hunting. The workshop covered:
- The process of threat hunting including planning, execution, and follow through.
- Tools and techniques for threat hunting including threat intelligence feeds, lookup sources, and analytics platforms.
- Two case studies were presented: the first involved hunting for an exfiltration source using DNS data, and the second involved hunting for webshells through detection automation.
- Key lessons included the importance of log data, understanding the threat landscape, hunting is a long process, and automation can save analyst time.
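The first case study, hunting for an exfiltration source in DNS data, is summarised above without the logic that was used, so what follows is an added example and not the workshop's material. It assumes a hypothetical log format of one query per line, `<epoch> <client_ip> <qname>`, and scores each registrable domain on the three properties that DNS tunnelling produces: many distinct subdomains, long subdomain prefixes, and high character entropy in those prefixes. The log is constructed for the example and mixes ordinary lookups, a busy but benign CDN (many unique but short labels, which a naive "unique subdomains" count would flag), and one host pushing hex-encoded chunks out through an attacker-controlled domain. The thresholds are starting points, not tuned values.

```python
"""Hunting DNS exfiltration in query logs (added example; log format and
thresholds are assumptions, not the workshop's own).
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character: about 3.8 for hex payloads, roughly 2 to 3 for word-based hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registrable_domain, subdomain_prefix). Uses the last two labels as the
    registrable domain; a real hunt would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def hunt_dns_exfil(lines, min_unique=20, min_avg_len=30, min_entropy=3.5):
    """Score each registrable domain on unique subdomains, mean prefix length and mean
    prefix entropy; return {domain: stats} for domains that exceed all three thresholds."""
    prefixes = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue   # malformed line: skip it rather than abort the whole hunt
        _ts, _client, qname = parts
        domain, prefix = split_qname(qname)
        if prefix:
            prefixes[domain].add(prefix)
    hits = {}
    for domain, subs in prefixes.items():
        stats = {
            "unique_subdomains": len(subs),
            "avg_prefix_len": sum(len(p) for p in subs) / len(subs),
            "avg_entropy": sum(shannon_entropy(p) for p in subs) / len(subs),
        }
        if (stats["unique_subdomains"] >= min_unique
                and stats["avg_prefix_len"] >= min_avg_len
                and stats["avg_entropy"] >= min_entropy):
            hits[domain] = stats
    return hits


def sample_log():
    """Constructed DNS query log: ordinary traffic, a benign CDN with many short labels,
    and one host tunnelling data out through 48-hex-character subdomains."""
    lines = []
    ts = 1700000000
    for i in range(30):
        host = ("www", "mail", "api")[i % 3] + ".example.com"
        lines.append(f"{ts + i} 10.0.0.{i % 5 + 10} {host}")
    for i in range(25):
        lines.append(f"{ts + 100 + i} 10.0.0.20 img-{i}.cdn.example.org")
    for i in range(40):
        chunk = hashlib.sha256(f"secret-chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"{ts + 200 + i} 10.0.0.77 {chunk}.{i:03d}.cdn-assets.test")
    lines.append("garbage line")   # malformed entry the parser must tolerate
    return lines


if __name__ == "__main__":
    for domain, stats in hunt_dns_exfil(sample_log()).items():
        print(domain, stats)
```

Requiring all three signals together is what keeps the CDN out of the result: it has 25 unique labels but they are short and low-entropy. In a real hunt the next step is to pivot on the client that issued the flagged queries and on the resolver's answers (tunnels typically return TXT or NULL records), which is the kind of follow-through the workshop's process step refers to.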
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2... | Kaspersky
For several years now, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been monitoring more than 60 threat actors responsible for cyber-attacks worldwide. By closely observing these organizations, which appear to be fluent in many languages, including Russian, Chinese, German, Spanish, Arabic and Persian, we have put together a list of what seem to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention. As a participant of the webinar, you will be the first to hear our detailed analysis of the trends.
The webinar was hosted by Costin Raiu, Director of GReAT at Kaspersky Lab, on December 11.
“If we can call 2014 ‘sophisticated’, then the word for 2015 will be ‘elusive’. We believe that APT groups will evolve to become stealthier and sneakier, in order to better avoid exposure. This year we’ve already discovered APT players using several zero-days, and we’ve observed new persistence and stealth techniques. We have used this to develop and deploy several new defense mechanisms for our users,” comments Costin Raiu.
Listen to the presentation https://kas.pr/aptwebinar
Read the full report https://kas.pr/ksb
Do you find it difficult to manage cloud security in your organization? Here are seven tips that will help you effectively secure your cloud environments.
Full time PII data protection: How Randstad uses Elastic Security to keep cli... | Elasticsearch
See how Randstad Netherlands uses all the features of the Elastic Stack to monitor their environments and put their analysts first. Randstad NL, an Elastic user since version 1.7, combines events from applications, systems and third party tooling into their Elastic Stack to detect and mitigate threats at scale — all from within Elastic Security.
The document summarizes the findings of a 2015 study on the costs of cybercrime:
- The average annual cost of cybercrime per company was $7.7 million globally, with successful attacks occurring over 1.9 times per company per week. Business disruption and lost productivity accounted for 39% of costs, while information loss accounted for 35%.
- The most effective tools for reducing costs were security intelligence systems, which saved companies an average of $1.9 million annually with a 23% ROI. Extensive deployment of encryption technologies saved $883,000 on average.
- The costliest attacks were from malicious insiders averaging $144,542 per attack, while detection of attacks was the most expensive internal
1. As developers drive cloud adoption for innovation, security must align with DevOps practices and integrate into their workflows.
2. A blueprint approach identifies common cloud assets and threats across full stacks to implement targeted controls.
3. Alert Logic provides integrated controls that offer broad pre-compromise and post-compromise coverage for common workloads through a combination of detection, blocking, and investigation capabilities.
This document discusses how security needs to adapt to keep up with rapid changes in technology and development practices. As internet usage and the number of developers have grown massively, the development process has become more complex, involving tools like AWS and DevOps. However, security has struggled to integrate effectively. The document argues security must improve its developer experience by focusing on high-impact issues, speaking the same language as developers, making tools easy to use, and tightly integrating with development workflows. By learning from how quality evolved, security can become a commodity that developers respect and rely on.
Mobility and security are two factors that fintech startups need to prioritize in order to build user trust.
This presentation shares how to build, develop and improve both so that your business can grow.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx | lior mazor
Our technology, work processes and activities all depend on being able to trust that our software is developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, apply advanced DevSecOps methods, implement secure-code analysis and manage software security risks.
Open Source Insight: AI for Open Source Management, IoT Time Bombs, Ready for... | Black Duck by Synopsys
Some interesting topics in this week’s Open Source Insight, including news that Equifax knew about its security issues more than a year before the fact. We also look at the use of AI for open source management; the ticking time bomb that is IoT security; a preview of the Legal track at Black Duck FLIGHT 2017, and to round out the month, we offer a fun infographic in the spirit of Halloween.
DevSecOps in 2031: How robots and humans will secure apps together Log | Stefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, who is responsible for securing a cutting-edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time machine in her bedroom closet. Time-travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. A small task force has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste: you are joining your future self in the year 2031 to learn what they have learned and bring that knowledge back to the present, so that the dark future never happens.
Open Source Insight:2017 Top 10 IT Security Stories, Breaches, and Predictio...Black Duck by Synopsys
This document summarizes cybersecurity news and predictions for 2018 from Black Duck and Synopsys. It discusses the top 10 IT security stories of 2017, including many large data breaches. It also discusses how open source software vulnerabilities are a growing challenge since 96% of applications contain open source code and 60% have high-risk vulnerabilities. Predictions for 2018 include continued growth in machine learning powered by open source frameworks and a focus on software composition analysis to address open source security issues.
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys
Continuing a month of major announcements, Black Duck launched its new product, OpsSight — comprehensive, automated open source container security for production environments — at its FLIGHT 2017 user conference in Boston this week. Targeting the production phase of the software development life cycle, the initial release of OpsSight is optimized for Red Hat’s OpenShift Container Platform.
If you missed FLIGHT 2017, you can read all the news about OpsSight below, as well as stories on FLIGHT keynoters Charlie Miller and Chris Valasek’s presentation on why IoT insecurity is here to stay; the top 5 cybersecurity mistakes you need to avoid; the SEC preparing new cybersecurity guidelines; and security for the connected car.
Overview of Hot Technologies that are tearing up the security ecosystem. Cyber security experts now have to ‘Move their Cheese’ and deal with threats created by the Cloud, the Internet of Things, mobile/wireless and wearable technology.
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
World of Watson 2016 - Information InsecurityKeith Redman
We call it security, however we’re really dealing with our insecurities, especially around our information.
The recent Yahoo announcement is astonishing, not because it happened or the number of people potentially exposed, but for the time it took to realize it had happened – approximately 2 years(?)! Information is the lifeblood of Analytics. We need it and we need to protect it. Check out these sessions to see what’s new in addressing our Insecurities about our Information.
Securing platforms like Kubernetes can be challenging. Luckily there are tools to create insights into potential security threats. Get an introduction into the world of Security Information and Event Monitoring (SIEM) and how to make OpenSearch your favorite solution for security analytics. You will get familiar with the technology and concepts behind this powerful platform. The talk includes a hands-on demo to get a grasp of the provided functionality.
Asset Discovery in India – Redhunt LabsRedhuntLabs2
Leading asset discovery company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our agentless platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR can continually monitor your exposed Docker assets from across the globe.
We also provide a free scan if you'd like to examine the attack surface of your company. Visit our page for more information.
5 benefits that ai gives to cloud security venkat k - mediumusmsystem
As cyber threats become more sophisticated with each passing year, so should the technologies that businesses adopt to advance cybersecurity and prevent cyberattacks and data exposures.
Open Source Insight: NotPetya Strikes, Patching Is Vital for Risk ManagementBlack Duck by Synopsys
News about NotPetya is reverberating around the world this week, as malware experts quickly determined that its resemblance to Petya is superficial. The consensus is now that NotPetya is a wiper, designed to inflict permanent damage, not ransomware as initially reported. Following closely on the heels of the WannaCry incidents, NotPetya hit 64 countries by June 28, but with no kill switch available this time. Global cyberattacks such as these highlight the importance of cybersecurity everywhere, of staying up to date on patches, and of ensuring that backups are up to date.
With that in mind, here are the 10 best DevSecOps tools for 2023 so you can get started on the right foot with the latest and greatest techniques. https://bit.ly/3Fd295g
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in-depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy; Adobe Flash Player continues to be a security concern; the Open Source Initiative turns 20; and step-by-step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
Product security by Blockchain, AI and Security CertsLabSharegroup
Three themes you need to think about in Product Security — and some tips for how to do it
I have been working with software security laboratories and IT security firms for years. I have talked with clients, read and watched dozens of articles/videos and talked with several experts about product security themes, future, technologies.
The three themes are:
Is the blockchain the new technology of trust?
Blockchain has the potential to transform industries. However, some security experts have raised questions: if blockchain is broadly used in technology solutions, will security standards be adopted? How can the cryptographic keys that allow access to blockchain applications be protected? It is true that the potential is huge: securing IoT nodes and edge devices with authentication, improved confidentiality and data integrity, disrupting current PKI systems, reducing DDoS attacks, etc.
AI (Machine Learning, Deep Learning, Reinforcement Learning algorithm) potential in Product Security
Machine learning can help in creating products that analyse threats and respond to attacks and security incidents. There are several repositories on GitHub, as well as open-source code by IBM, available for developers. Deep learning networks are rapidly growing due to cheap cloud GPU services, and after the recent successes of reinforcement learning algorithms nobody knows the upper limit.
Product Security by International security standards and practices
The present, future, and developmental orientations of the independent third-party certification industry. How can international standards answer the rapid growth of new technologies and maintain secure applications in IoT, blockchain or AI-driven industries?
Are IT products reliable, secure and will they stay that way?
I would like to explain Product Security in a simple way. My goal is to introduce product security for tech startups and fast-growing tech firms. Furthermore, I would like to emphasize the benefits of product security certification.
Similar to Securing a great Developer Experience - v1.3 (20)
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the security debt of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) What security will look like in 5-10 years.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, it asks whether security in DevOps is important, who is responsible, and what teams can do to make security a competitive advantage.
The document discusses the importance of DevSecOps. It notes that existing security solutions are no longer adequate as software can now be distributed globally and created more cheaply in the cloud. DevSecOps aims to integrate security into development and operations by making security teams empower developers and help them succeed. It outlines how security tools and responsibilities have evolved from separate security testing to being integrated into product teams. The document argues DevSecOps is important because fixing defects early is cheaper than during production, and most modern applications use open source components which could contain vulnerabilities. It concludes security teams should empower product teams and help solve technology problems while product teams should be mindful of security.
A two hour workshop that provides a practical introduction to secure coding. This was part of the {DECIPHER} Hackathon (https://www.eventbrite.sg/e/decipher-hackathon-tickets-57968120208).
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, it asks whether security in DevOps is important, who is responsible, and what teams can do to make security a competitive advantage.
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...Stefan Streichsbier
The document summarizes lessons learned from three companies ("horses") attempting digital transformations. Horse 1 had some quick wins using automation but lacked institutionalization. Horse 2 had a strong team but faced delays and lack of management support. Horse 3 had immense scale and speed but faced communication bottlenecks. The key takeaways are to have full executive support, limit scope, work with experts, automate, and focus on building sustainable habits.
Talk about application security in an agile world. How can security be integrated into agile and how can DevSecOps be leveraged to achieve security at scale at speed.
This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses the importance of culture, processes, and technologies for effective communication, automation, and collaboration across Dev, Ops, and Security. The goal is to enable organizations to deliver inherently secure software at DevOps speed through a high-trust environment and automated security pipelines integrated into the software development lifecycle.
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
This document discusses application security in an agile development world. It begins with a brief history of application security and defines it as a quality aspect that contributes to business success like user experience and performance. Application security was traditionally handled by network teams but is now the responsibility of developers. The document advocates for adopting a DevSecOps approach where security is integrated into the development process through activities like threat modeling, design reviews, security testing, and monitoring. This allows catching issues earlier in the development cycle when they are cheaper to fix. The document provides examples of how to incorporate security into agile frameworks like Scrum.
Application Security at DevOps Speed - DevOpsDays Singapore 2016Stefan Streichsbier
The document discusses how to integrate security practices into DevOps workflows at speed. It recommends a three step approach: 1) Make security part of agile planning and processes like Scrum, including security training, requirements, testing and demos. 2) Implement a "DevSecOps" pipeline that automates security checks and testing at each stage of development. 3) Continuously measure and reduce security debt and improve app robustness and security skills over time. The goal is to shift security left and make it part of fast-paced DevOps cycles.
The document announces events from DevSecOps Singapore to bring together developers, operations, and security professionals. It describes monthly meetups for talks and networking, workshops over 4 months on integrating security testing into the SDLC, and an annual conference in 2017. It provides announcements for the workshops and conference and calls for speakers, office space, and volunteers to help build the community.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions."
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics of their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases, we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held at the DMA Conference in Vienna, June 2024.
4. What are we going to cover?
- How the tech landscape changed
- How security is keeping up with it
- What mindset security has to adopt
And also, how security and developer experience are related.
5. Some Statistics
As of June 2017, 51% of the world's population has internet access. That’s close to 4,000,000,000 people.
As of October 2018, there are 31,000,000 developers on GitHub alone.
6. Marc Andreessen, renowned VC
Software is eating the world, in all sectors.
In the future every company will become a software company.
“The Wall Street Journal” in 2011
8. It used to be so simple
Figure 1: Use an FTP Client to Copy the Necessary Files from Your Desktop to the Web Server at the Web Host Provider.
Source: https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/deploying-your-site-using-an-ftp-client-cs
Pro Tip:
• Add Google Analytics (post November 2005)
9. Web masters don’t need to collaborate
Build? I’m using PHP, ASP, PERL, etc.
Test locally: as long as there is no parsing error, we’re all good.
Drag and drop files to Filezilla.
GoDaddy
10. It’s better now, but is it simpler?
https://gist.github.com/rasheedamir/7da0145ae1b5d9889e4085ded21d1acb
11. https://devopedia.org/devops
15. AWS Security Primer
https://news.ycombinator.com/item?id=14628108
https://cloudonaut.io/aws-security-primer/
“I have worked extensively with AWS over the last 4 years, and I can barely wrap my head around the scope of managing security in AWS. We have an entire department dedicated to security in our company, and none of them are remotely close to being experts in AWS security either. I’m starting to get curious if there even is an expert who could set up and maintain a bulletproof AWS account.”
17. The Evolution of Security
Penetration Testing → Secure SDLC → DevSecOps
18. https://devopedia.org/devops
- Application Vulnerability Correlation & Security Workflows
- Security tools integrating with Chat Bots
- Security sections on all major social media platforms
- Security tools integrating with SCMs
- Security tools integrating with pipelines
- Custom security linters, and compiler flags
- All the security tools, we need a bigger box!
- Security/Compliance/Infrastructure as Code, Secret Management
- Secure Repositories, golden images, artefact security scanning
- Cloud Platform security tools
- RASP, NG WAF, Micro-segmentation
19. Automated Security Defense
- Do you know if you are under attack at this current moment?
- Can you automatically defend against attacks?
- Do you know what the attackers are going after?
21. Where do these tools live?
Source: https://twitter.com/djschleen
22. The vicious cycle
- There is too much security debt
- Tools compound the issue.
- Developers “comply”
23. “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
Bill Gates
31. Signals vs Noise
- Focus on high-impact issues
- Don’t add to the noise
- Ensure the issues have high accuracy
Security Trivia #213: What is the largest security tool report that has been recorded? 13,000 pages
32. Lost in Translation
- Speak the same language as developers
- Issues are useless until they are fixed
- Leverage the right communication channel
Security Trivia #937: What is the official CWE title for a SQL Injection? Improper Neutralization of Special Elements used in an SQL Command
33. Make it easy
- Allow developers to get started in minutes
- Tightly integrated
- Provide all the needed functionality
Security Trivia #23: How many of the 12 leading AST companies – according to the Gartner Magic Quadrant – have clear pricing information on their website? 1
If you are passionate about ditching traditional security and helping companies in Asia get into the age of DevSecOps, then drop me a line. We are always looking for great people.
At GuardRails we are working on a very different approach to security, which puts developers first, and I’m excited to announce that we launched last week.
We are going to briefly discuss how the technology landscape has changed and what the implications of that are.
How security is keeping up with the change, or rather how it isn’t.
And what mindset shift security as an industry has to adopt to have a sustainable impact.
We have a chance to be a part of development for the first time in a meaningful way.
Let’s not blow it by adding the same old security toolchain to DevOps.
Origin of software and development, and how it is tied to the proliferation of computer systems.
We are talking early 2000s here.
This still looks fairly simple: you have Git as your SCM, Jenkins as your build system, Docker for containers, and Kubernetes as the orchestration layer.
That’s not too bad, is it?
These are just the tools you have to use to get an application from an idea in someone’s head to code running in production.
There are no security tools in that picture.
Have you logged into AWS or Google Cloud Platform lately?
This is the high-level menu overview of the services each of them offers.
These pics were taken on Sunday; I bet you if you log in today, there are more services already.
Feels a little bit like this, doesn’t it?
When googling security complexity to illustrate this problem, I stumbled over this little gem.
We understand that it’s already too much to understand modern development workflows and tooling. Understanding the security implications is almost impossible.
So what you see on this slide is an AWS expert sitting down to understand the security areas they have to consider for their AWS account.
This gentleman is by no means a security expert, not even a self-proclaimed one.
The response he got on Hacker News is a real eye-opener.
It used to be infrastructure, open ports, patch management,
Then it was about building security in.
And now it’s all about shifting left.
We are getting closer to the developers and have more automation and give faster feedback.
But I tell you one thing: developers probably liked it better when we only bothered them once at the end of every release, not now when it’s every time they are committing code.
But has the quality improved? Or did we just get better at automating the nagging of developers?
Whatever happened to the KISS principle?
How many people do you think understand that full end-to-end flow nowadays?
Not specifically from a security point of view, but from a general technology and process point of view?
And yes, besides DevSecOps and the wonderful things that we are trying to achieve (and we are trying hard), what is really happening?
Think Application Performance monitoring for security
Understanding how your app is abused and misused helps with prioritization.
Security Debt is huge
Because security wasn’t a part of it and the tooling didn’t make it appealing for the reasons stated earlier.
Tools compound the issue, because they just make devs fix the issues they get, without actually taking ownership.
They point to the debt and show huge amounts of issues, over and over again. They don’t actually fix any issues, at all.
Most of them have been developed for the wrong audience.
And boy, does it show. They are not proactively doing these things; whatever gets put on their desks, they take care of it.
Security tools should be made for developers. Yet most of them are designed for security analysts.
And it shows in many areas, such as setup, user experience, and workflow integration.
This may sound mean, but I think realizing this is an important step in the evolution of our industry.
But yeah, to continue: with the advance of new technologies and automation, the answer was, as always, more security tools.
The most humbling experience was switching from an advisor/consultant to an implementer and being responsible for the security of a high-profile product (large team).
That’s great, right? But is it really working well? And I don’t even mean as an organization, I mean as in reaching 28 million developers on GitHub.
And even this is quite exclusive to certain organizations around the world.
None of this is really available to the majority of the 28M devs on GitHub.
And guess what, you are using the code of that majority in your production env.
It’s the same audience. It hasn’t solved it fully yet, but quality is becoming more and more a first-class citizen, and the only reason it managed to do that is because of developer experience.
Another good example of a quality tool that has done a tremendous job is Codecov.
It made unit test coverage sexy, and that’s no easy feat :)
Let’s explore the term developer experience.
Usability can be modeled as the question “Can the user accomplish their goal?” whilst user experience can be phrased as “Did the user have as delightful an experience as possible?”
Usability is concerned with the “effectiveness, efficiency and satisfaction with which specified users achieve specified goals in particular environments”.
Bring up the Apple example: Apple prides itself on the high level of usability it has created for its devices.
Using the iPhone is supposed to be so simple and nice, and effective (your mileage may vary, but let’s just take this as an example, and not start an Android vs iOS war). User experience, on the other hand, starts already in the Apple store, when you look at the device that you fancy, when you open the box for the first time (there are thousands of hours of people unboxing their gadgets on YouTube), and how much joy it brings you in your daily life.
DX describes the experience developers have when they use your product, be it client libraries, SDKs, frameworks, open source code, tools, APIs, technology or services.
Ok, I’m excited, I love this stuff.
So let’s dive right into it, what are the three things that will help us secure a great Developer Experience.
Nowadays, there are too many distractions that are fighting for our attention.
That’s by design, product designers know how to addict us in the race to dominate the attention economy.
Security tools only add to these distractions. They find everything that could be a possible issue.
Most of the tools running against your codebase produce thousands of results.
Security is already intimidating enough. Let’s not make it worse by flooding developers with lots of security issues.
Security tools have to report issues that have a high impact if left unfixed. Less is more.
Don’t give them thousands of “user input is printed in command” findings. Maybe focus only on dependencies with a CVSS score of 7 or higher, and ignore dev dependencies.
Don’t value the devs’ time: lots of issues, vague descriptions and solutions (sad devs).
Value the devs’ time -> relevant results -> actionable feedback (happy devs).
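As an added illustration of the filtering this passage describes (example code written for this page, not code from the talk or from GuardRails), the Python below triages a constructed dependency-scan report: it skips dev-only dependencies, keeps findings at or above a CVSS threshold, collapses the same vulnerability reported once per dependency path, and renders the survivors as a short, fix-oriented PR comment. The report format and the VULN-#### identifiers are constructed placeholders, not any scanner's real output.

```python
"""Triage a dependency-scan report the way the talk suggests: keep only
high-impact findings, skip dev-only dependencies, and collapse duplicates
so developers get a short, actionable list instead of thousands of rows.

Added example; the report format and VULN-#### ids are constructed
placeholders, not any real scanner's output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample findings. Scanners typically emit one row per
# (vulnerability, dependency path), so the same issue shows up repeatedly.
SAMPLE_FINDINGS = [
    {"package": "libfoo", "version": "1.2.0", "id": "VULN-0001", "cvss": 9.8,
     "dev": False, "fixed_in": "1.2.1", "path": "app > libfoo"},
    {"package": "libfoo", "version": "1.2.0", "id": "VULN-0001", "cvss": 9.8,
     "dev": False, "fixed_in": "1.2.1", "path": "app > libbar > libfoo"},
    {"package": "testkit", "version": "0.9.0", "id": "VULN-0002", "cvss": 7.5,
     "dev": True, "fixed_in": "0.9.1", "path": "app > testkit"},
    {"package": "libbaz", "version": "2.0.0", "id": "VULN-0003", "cvss": 5.3,
     "dev": False, "fixed_in": None, "path": "app > libbaz"},
    {"package": "libqux", "version": "3.1.0", "id": "VULN-0004", "cvss": 8.1,
     "dev": False, "fixed_in": "3.1.2", "path": "app > libqux"},
    {"package": "libqux", "version": "3.1.0", "id": "VULN-0005", "cvss": 7.2,
     "dev": False, "fixed_in": "3.1.2", "path": "app > libqux"},
]


@dataclass
class Action:
    """One thing a developer has to do: upgrade (or replace) one package."""
    package: str
    version: str
    fixed_in: Optional[str]
    vuln_ids: List[str] = field(default_factory=list)
    max_cvss: float = 0.0


def triage(findings, min_cvss: float = 7.0, include_dev: bool = False) -> List[Action]:
    """Filter raw findings down to one Action per vulnerable package.

    - dev-only dependencies are dropped unless include_dev is set
    - anything below min_cvss is dropped (the talk suggests 7.0)
    - the same vulnerability reached via several paths counts once
    The result is sorted so the worst package comes first.
    """
    actions: Dict[Tuple[str, str], Action] = {}
    for f in findings:
        if f["dev"] and not include_dev:
            continue
        if f["cvss"] < min_cvss:
            continue
        key = (f["package"], f["version"])
        act = actions.get(key)
        if act is None:
            act = Action(f["package"], f["version"], f["fixed_in"])
            actions[key] = act
        if f["id"] not in act.vuln_ids:
            act.vuln_ids.append(f["id"])
        act.max_cvss = max(act.max_cvss, f["cvss"])
    return sorted(actions.values(), key=lambda a: -a.max_cvss)


def render_pr_comment(actions: List[Action]) -> str:
    """Render the triaged list as a short markdown PR comment that leads
    with what to do rather than with attacker-side detail."""
    if not actions:
        return "No high-impact dependency issues found."
    lines = [f"{len(actions)} dependencies need attention:"]
    for a in actions:
        fix = (f"upgrade to {a.fixed_in}" if a.fixed_in
               else "no fixed version released yet; pin or replace")
        lines.append(f"- {a.package} {a.version} ({', '.join(a.vuln_ids)}, "
                     f"max CVSS {a.max_cvss}): {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_pr_comment(triage(SAMPLE_FINDINGS)))
```

Six raw rows become two actionable items; raising include_dev or lowering min_cvss shows how quickly the list grows again.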
Security experts have developed a very specific and unique language over the years. (XSS, CSRF, SAST)
But if you haven’t spent a good part of your career in application security, these terms are confusing.
Don’t try to sound important.
Especially traditional security tools produce hundreds of pages of PDF reports.
Have you ever been on the receiving end of one of those reports?
Or even worse, the one responsible for fixing those issues?
Imagine looking at hundreds of security issues with lots of cryptic details.
Details about how attackers can abuse your app full of references that don’t make sense.
But the key sections on how to fix the issues are thin.
There is rarely any actionable, framework-specific content — if there is anything at all.
Let us use plain, easy language and give useful instructions on how to fix issues.
Get started in minutes.
Doesn’t matter if they are curious and want to try it out.
Or if they want to deploy it for dozens of their apps.
That means no scheduling of demos with sales reps. That means clear pricing on the website. If SpaceX can do it, so can you.
Typical security tools are clearly targeting enterprise sales, typically as part of the CISO organisation.
If developers can’t easily take security software for a spin, then that’s a red flag already.
No developer is going to click on that book a demo button.
Workflow integration (understand your audience).
Out of workflow (IDE plugins are not enforceable and manageable, plus there are too many IDEs out there).
I don’t just mean make it part of the CI/CD pipelines, and I’m not talking about IDE plugins.
I’m talking about right there where the review happens, in the PR comments.
If you are doing it right, then no developer is ever going to look at your dashboards.
All in one. Don’t make them look for tool A for this and tool B for that.
If it’s already hard to wrap your head around SAST, DAST, IAST, RASP, NG WAF, secret management and all of these things, then nobody is going to have time for that.
OK, so we recognize that developers are key. Therefore, as the main audience for application/DevOps security tools should be developers, ensuring a great Developer Experience is an absolute must. These security tools must be designed for DX from day 1.
Developer experience requires security to be a first class citizen that ideally is not differentiable from the other work tasks.
There will always be complexity, our job is to provide focus.
Also, most of the development is not happening in enterprises; security has to become a commodity, otherwise it’s going to be a battle that we can’t ever win.
The goal should be that a bootstrapped startup can and wants to use security tools from the beginning.
If we can get closer to solving this, then we will be able to get developers to drive security themselves and ensure that the digital economy becomes a safer place for everyone.