Securing our applications and data has never been more topical. We've recently seen many high profile data breaches, numerous critical vulnerabilities and frantic teams left scrambling to mitigate the damage to their users and ultimately their company's brand. Our automated software delivery pipelines mean we can ship our code fast and without friction, but with multitudes of micro-services to manage, and their countless dependencies, the attack surfaces are increasingly vast and difficult to manage.
This talk covers some of the approaches you can use to identify and mitigate security risk and maximise your team's ability to respond! By 'shifting security left' and leaning on automation you'll reduce your chances of becoming a media headline and be well on the way to being able to react swiftly when the next big CVE happens.
Buildkite is a CI/CD platform with security and flexibility at the core of it's product. In my presentation for Programmable conference in Sydney, I talk about the big security risks in CI/CD and introduce some measures to mitigate them.
BSidesLondon 20th April 2011 - David Rook (@securityninja)
-----------------------
This demonstration filled talk will start by discussing the problems with the security code review approaches most people follow and the reasons why I created Agnitio. This will include a look at existing manual and automated static analysis procedures and tools. The talk will move onto exploring the Principles of Secure Development and how the principles have been mapped to over 60 different checklist items in Agnitio.
---- for more about David go to
http://www.securityninja.co.uk/
---- for more about Agnito go to
http://sourceforge.net/projects/agnitiotool/
Presentation from Cloud Expo Asia Hong Kong covering the rationale for "Compliance as Code" and how InSpec may be applied to servers, cloud platforms, and much more to keep track of your compliance everywhere.
Using Analyzers to Resolve Security Problemskiansahafi
in this presentation i took a project and used an analyzer(e.g. SonarQube) to detect the security issues with it and reported a the result and after resolving most of those problems i used the same analyzer to get another report and in the process showed how to use such analyzers to detect security issues in the web applications
See how IT Risks Impacts your Business. CAST help you to check on software performance, stability, maintainability, and security vulnerabilities in which CAST excels and successfully differentiates from code analyzers.CAST’s Application Intelligence Platform and Rapid Portfolio Analysis solutions can help you avoid these types of “software glitches” or "software risks" by allowing you to gain greater visibility through automated code review that identifies the root causes of risks before they become production problems, while expediting time-to-market with shorter release time lines and improved business agility.
Quality management in continuous delivery and dev ops world pm footprints v1Dr. Anish Cheriyan (PhD)
Quality Management in Continuous Delivery and DevOps mode of development need to be looked from a different perspective. This talk will focus on how the project management and quality management practices need to be seen in different view when the software delivery is done in DevOps and SecOps Approach. In this presentation the presenter will cover following aspects:
• Traditional Quality management in Software Development Life Cycle
• An Overview to Continuous Delivery approach
• DevOps and SecOps
• Architecture and Infrastructure readiness ,
• Quality Assurance / Security Assurance and Test Quality Assurance in the pipeline
• Dev and Ops Collaboration
• Quantitative analysis of the Continuous Delivery System
• Periodic Assessment for System Refactoring Pattern
• Causal Analysis feedback (Defects, Problems Learning) to CD System
• Project Management approach and Conclusion
Continuous Integration and Continuous Delivery on AzureCitiusTech
Healthcare organizations are increasingly turning to cloud computing to address business and patient needs of their rapidly evolving environment and modernize legacy applications. With Azure DevOps, healthcare IT teams can drive innovation, build new products and modernize their application environment.
Buildkite is a CI/CD platform with security and flexibility at the core of it's product. In my presentation for Programmable conference in Sydney, I talk about the big security risks in CI/CD and introduce some measures to mitigate them.
BSidesLondon 20th April 2011 - David Rook (@securityninja)
-----------------------
This demonstration filled talk will start by discussing the problems with the security code review approaches most people follow and the reasons why I created Agnitio. This will include a look at existing manual and automated static analysis procedures and tools. The talk will move onto exploring the Principles of Secure Development and how the principles have been mapped to over 60 different checklist items in Agnitio.
---- for more about David go to
http://www.securityninja.co.uk/
---- for more about Agnito go to
http://sourceforge.net/projects/agnitiotool/
Presentation from Cloud Expo Asia Hong Kong covering the rationale for "Compliance as Code" and how InSpec may be applied to servers, cloud platforms, and much more to keep track of your compliance everywhere.
Using Analyzers to Resolve Security Problemskiansahafi
in this presentation i took a project and used an analyzer(e.g. SonarQube) to detect the security issues with it and reported a the result and after resolving most of those problems i used the same analyzer to get another report and in the process showed how to use such analyzers to detect security issues in the web applications
See how IT Risks Impacts your Business. CAST help you to check on software performance, stability, maintainability, and security vulnerabilities in which CAST excels and successfully differentiates from code analyzers.CAST’s Application Intelligence Platform and Rapid Portfolio Analysis solutions can help you avoid these types of “software glitches” or "software risks" by allowing you to gain greater visibility through automated code review that identifies the root causes of risks before they become production problems, while expediting time-to-market with shorter release time lines and improved business agility.
Quality management in continuous delivery and dev ops world pm footprints v1Dr. Anish Cheriyan (PhD)
Quality Management in Continuous Delivery and DevOps mode of development need to be looked from a different perspective. This talk will focus on how the project management and quality management practices need to be seen in different view when the software delivery is done in DevOps and SecOps Approach. In this presentation the presenter will cover following aspects:
• Traditional Quality management in Software Development Life Cycle
• An Overview to Continuous Delivery approach
• DevOps and SecOps
• Architecture and Infrastructure readiness ,
• Quality Assurance / Security Assurance and Test Quality Assurance in the pipeline
• Dev and Ops Collaboration
• Quantitative analysis of the Continuous Delivery System
• Periodic Assessment for System Refactoring Pattern
• Causal Analysis feedback (Defects, Problems Learning) to CD System
• Project Management approach and Conclusion
Continuous Integration and Continuous Delivery on AzureCitiusTech
Healthcare organizations are increasingly turning to cloud computing to address business and patient needs of their rapidly evolving environment and modernize legacy applications. With Azure DevOps, healthcare IT teams can drive innovation, build new products and modernize their application environment.
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPQAware GmbH
Heise DevSec 2023, September 2023, Karlsruhe, Mario-Leander Reimer (@LeanderReimer, CTO @QAware).
== Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! ==
Continuous Delivery ist allgegenwärtig. Wirklich? Viele Teams straucheln immer noch dabei, regelmäßig gut getestete und vor allem sichere Software auszuliefern. Immer mit der gleichen, guten alten Ausrede: die nicht-funktionalen Tests seien zu aufwändig und zu teuer umzusetzen. Doch genau das Gegenteil ist der Fall!
In diesem Vortrag gehen wir kurz auf die aktuellen Bedrohungen und die Bedeutung früher und regelmäßiger Sicherheitstests von APIs ein. Anschließend zeigen wir, wie einfach es ist, diese Tests kontinuierlich und asynchron mit OWASP ZAP und Testkube gegen REST- und GraphQL-APIs direkt auf einem Kubernetes-Cluster auszuführen; immer dann wenn sich die API und der Service ändern.
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
Di Indonesia, 19,4% perusahaan sudah mulai menggunakan layanan cloud publik. Stapi sering kali saat perusahan sudah mengadopsi cloud, mereka baru menyadari betapa rumitnya penerapan cloud. Akibatnya, banyak perusahaan yang stuck dalam operasional aplikasi yang baru ini.
Hadirlah DevOps yang memberi layanan lebih cepat dan mendorong inovasi sekaligus meningkatkan produktivitas, komunikasi, dan keterlibatan karyawan. Tapi hadirnya layanan yang lebih cepat membuat risiko dalam penerapan aplikasi meningkat sebesar 53% upaya pencurian data menyasar aplikasi itu sendiri. Oleh karena itu, sangat penting bagi perusahaan untuk mengubah mindset dari menerapkan keamanan untuk kepatuhan ke metode yang lebih proaktif dengan memanfaatkan prinsip-prinsip DevOps dalam tool dan proses keamanan mereka.
Hmm jadi penasaran bagaimana sih memaksimalkan peran keamanan dalam penerapan Devops supaya berjalan dengan lacar? Hal ini akan kita bahas bersama 2 orang pembicara yang expert dibidangnya, yaitu Rei Munisati (Head of IT Security & Risk Compliance, Home Credit Indonesia) dan Taro Lay (Co-Founder Kalama Cyber Security) pada Tech Talk 2021 Live dengan tema "Peran IT Security dalam Penerapan DevOps."
Follow this presentation to see how an OSS audit and static code analysis can be used to reduce and mitigate the security risks associated with open source software and Internet-based applications. Presented January 2016 at the Open source compliance seminar hosted Brooks Kushman and Rogue Wave Software.
Getting Started with Amazon Inspector - AWS June 2016 Webinar SeriesAmazon Web Services
The flexibility and scale of the AWS Cloud and the emergence of DevOps have combined to allow developers to build and deploy applications faster than ever before. Assessing these applications for security risks without slowing down the development process can be a challenge with traditional vulnerability assessment tools designed for on-premises infrastructure. Amazon Inspector, an automated security assessment service, addresses this by integrating security assessments directly into the development process of applications running on Amazon Elastic Compute Cloud (Amazon EC2).
In this session, we will review Amazon Inspector for performing host security assessments and how it can become a seamless part of your devops lifecycle. We will run through a demo of setting up assessment targets and templates, installing the AWS agent, and running assessments. We will explore the findings generated by an assessment and discuss how you can automate the running of assessments.
Learning Objectives:
An overview and the value of Security Assessment testing with Amazon Inspector
How customer sign up for, configure, and use the service
Understand AWS Agent and assessment data security
Secure GitOps pipelines for Kubernetes with Snyk & WeaveworksWeaveworks
Together with Snyk, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines combined with good security practices improves the overall security of your development workflow - from Git to production. In the webinar we will:
- Examine security concerns in a typical CICD pipeline
- Operate continuous delivery via pull request
- Discuss Read/Write access in a GitOps pipeline
- Share 5 tips and tricks on securing your source code repos from the beginning
Blog on this topic: https://www.weave.works/blog/secure-gitops-pipelines-for-kubernetes-with-snyk-and-weaveworks
Slide Griffin - Practical Attacks and MitigationsEnergySec
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased based on several factors including increased knowledge sharing, more robust computing, and automated exploitation tools. OT environments are often utilizing the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
This talk focused on how the quality assurance practices need to be seen in different view when the software delivery is done in DevOps and SecOps Approach. SecOps stands for Security Operations. I will talk about the practices like Architecture and Infrastructure readiness , Quality Assurance / Security Assurance and Test Quality Assurance in the pipeline, Dev and Ops Collaboration, Quantitative analysis of the Continuous Delivery System , Periodic Assessment for System Refactoring Pattern, Causal Analysis feedback (Defects, Problems Learning) to CD System.
This talk focused on how the quality assurance practices need to be seen in different view when the software delivery is done in DevOps and SecOps Approach. SecOps stands for Security Operations. I will talk about the practices like Architecture and Infrastructure readiness , Quality Assurance / Security Assurance and Test Quality Assurance in the pipeline, Dev and Ops Collaboration, Quantitative analysis of the Continuous Delivery System , Periodic Assessment for System Refactoring Pattern, Causal Analysis feedback (Defects, Problems Learning) to CD System.
DevSecOps is a word that combines development, security, and operations. DevSecOps deals with software development, operations, security, and services. It emphasizes communication, collaboration, and integration between software developers, security teams, and information technology operations personnel.
In this session, you will learn how to integrate security techniques into the DevOps process.
Jirayut Nimsaeng
Founder & CEO
Opsta (Thailand) Co., Ltd.
Youtube Record: https://youtu.be/mi8Zo9O6OUY
TechTalkThai Conference: Enterprise Cybersecurity 2021
October 5, 2021
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
More Related Content
Similar to Securing your Software Delivery Pipelines with a slight shift to the left.
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPQAware GmbH
Heise DevSec 2023, September 2023, Karlsruhe, Mario-Leander Reimer (@LeanderReimer, CTO @QAware).
== Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! ==
Continuous Delivery ist allgegenwärtig. Wirklich? Viele Teams straucheln immer noch dabei, regelmäßig gut getestete und vor allem sichere Software auszuliefern. Immer mit der gleichen, guten alten Ausrede: die nicht-funktionalen Tests seien zu aufwändig und zu teuer umzusetzen. Doch genau das Gegenteil ist der Fall!
In diesem Vortrag gehen wir kurz auf die aktuellen Bedrohungen und die Bedeutung früher und regelmäßiger Sicherheitstests von APIs ein. Anschließend zeigen wir, wie einfach es ist, diese Tests kontinuierlich und asynchron mit OWASP ZAP und Testkube gegen REST- und GraphQL-APIs direkt auf einem Kubernetes-Cluster auszuführen; immer dann wenn sich die API und der Service ändern.
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
Di Indonesia, 19,4% perusahaan sudah mulai menggunakan layanan cloud publik. Stapi sering kali saat perusahan sudah mengadopsi cloud, mereka baru menyadari betapa rumitnya penerapan cloud. Akibatnya, banyak perusahaan yang stuck dalam operasional aplikasi yang baru ini.
Hadirlah DevOps yang memberi layanan lebih cepat dan mendorong inovasi sekaligus meningkatkan produktivitas, komunikasi, dan keterlibatan karyawan. Tapi hadirnya layanan yang lebih cepat membuat risiko dalam penerapan aplikasi meningkat sebesar 53% upaya pencurian data menyasar aplikasi itu sendiri. Oleh karena itu, sangat penting bagi perusahaan untuk mengubah mindset dari menerapkan keamanan untuk kepatuhan ke metode yang lebih proaktif dengan memanfaatkan prinsip-prinsip DevOps dalam tool dan proses keamanan mereka.
Hmm jadi penasaran bagaimana sih memaksimalkan peran keamanan dalam penerapan Devops supaya berjalan dengan lacar? Hal ini akan kita bahas bersama 2 orang pembicara yang expert dibidangnya, yaitu Rei Munisati (Head of IT Security & Risk Compliance, Home Credit Indonesia) dan Taro Lay (Co-Founder Kalama Cyber Security) pada Tech Talk 2021 Live dengan tema "Peran IT Security dalam Penerapan DevOps."
Follow this presentation to see how an OSS audit and static code analysis can be used to reduce and mitigate the security risks associated with open source software and Internet-based applications. Presented January 2016 at the Open source compliance seminar hosted Brooks Kushman and Rogue Wave Software.
Getting Started with Amazon Inspector - AWS June 2016 Webinar SeriesAmazon Web Services
The flexibility and scale of the AWS Cloud and the emergence of DevOps have combined to allow developers to build and deploy applications faster than ever before. Assessing these applications for security risks without slowing down the development process can be a challenge with traditional vulnerability assessment tools designed for on-premises infrastructure. Amazon Inspector, an automated security assessment service, addresses this by integrating security assessments directly into the development process of applications running on Amazon Elastic Compute Cloud (Amazon EC2).
In this session, we will review Amazon Inspector for performing host security assessments and how it can become a seamless part of your devops lifecycle. We will run through a demo of setting up assessment targets and templates, installing the AWS agent, and running assessments. We will explore the findings generated by an assessment and discuss how you can automate the running of assessments.
Learning Objectives:
An overview and the value of Security Assessment testing with Amazon Inspector
How customer sign up for, configure, and use the service
Understand AWS Agent and assessment data security
Secure GitOps pipelines for Kubernetes with Snyk & WeaveworksWeaveworks
Together with Snyk, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines combined with good security practices improves the overall security of your development workflow - from Git to production. In the webinar we will:
- Examine security concerns in a typical CICD pipeline
- Operate continuous delivery via pull request
- Discuss Read/Write access in a GitOps pipeline
- Share 5 tips and tricks on securing your source code repos from the beginning
Blog on this topic: https://www.weave.works/blog/secure-gitops-pipelines-for-kubernetes-with-snyk-and-weaveworks
Slide Griffin - Practical Attacks and MitigationsEnergySec
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased based on several factors including increased knowledge sharing, more robust computing, and automated exploitation tools. OT environments are often utilizing the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
This talk focused on how the quality assurance practices need to be seen in different view when the software delivery is done in DevOps and SecOps Approach. SecOps stands for Security Operations. I will talk about the practices like Architecture and Infrastructure readiness , Quality Assurance / Security Assurance and Test Quality Assurance in the pipeline, Dev and Ops Collaboration, Quantitative analysis of the Continuous Delivery System , Periodic Assessment for System Refactoring Pattern, Causal Analysis feedback (Defects, Problems Learning) to CD System.
This talk focused on how the quality assurance practices need to be seen in different view when the software delivery is done in DevOps and SecOps Approach. SecOps stands for Security Operations. I will talk about the practices like Architecture and Infrastructure readiness , Quality Assurance / Security Assurance and Test Quality Assurance in the pipeline, Dev and Ops Collaboration, Quantitative analysis of the Continuous Delivery System , Periodic Assessment for System Refactoring Pattern, Causal Analysis feedback (Defects, Problems Learning) to CD System.
DevSecOps is a word that combines development, security, and operations. DevSecOps deals with software development, operations, security, and services. It emphasizes communication, collaboration, and integration between software developers, security teams, and information technology operations personnel.
In this session, you will learn how to integrate security techniques into the DevOps process.
Jirayut Nimsaeng
Founder & CEO
Opsta (Thailand) Co., Ltd.
Youtube Record: https://youtu.be/mi8Zo9O6OUY
TechTalkThai Conference: Enterprise Cybersecurity 2021
October 5, 2021
Similar to Securing your Software Delivery Pipelines with a slight shift to the left. (20)
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
10. Supply Chain Levels for Software Artefacts
(SLSA)
A framework designed to help
organisations improve the integrity of
their software supply chains.
13. The Secure Software Development Framework
(SSDF) is a set of fundamental, sound, and
secure software development practices based
on established secure software development
practice documents from organizations such as
BSA, OWASP, and SAFECode. Few software
development life cycle (SDLC) models explicitly
address software security in detail, so practices
like those in the SSDF need to be added to and
integrated with each SDLC implementation.
14. The SSDF outlines solid practices for
embedding secure software
development practices in the delivery
lifecycle, that don’t just identify
threats but actually address them.
Source: https://csrc.nist.gov/Projects/ssdf
15.
16.
17. 33% of respondents described their
security strategy as having a mix of
prevention and detection.
Source: Left and Right of Boom in Cybersecurity ,Elastic, 2022
82% said they plan to implement, are
implementing or have implemented.
18. 33% of respondents described their
security strategy as having a mix of
prevention and detection.
Source: Left and Right of Boom in Cybersecurity ,Elastic, 2022
82% said they plan to implement, are
implementing or have implemented.
19. The road to hell is paved
with good intentions.
20. “would pursue laws to establish
liability for software companies
that sell technology that lacks
cybersecurity protections”
The Biden-Harris National Cybersecurity Strategy
32. Poisoned Pipeline Execution (PPE)
• Have isolated pipeline environments and contexts
• Sensitive and Non-Sensitive contexts
• Use branch protection rules in GitHub/GitLab/BitBucket
etc.
33. Upload Pipeline Build Docker Image
Linting Security Scans RSpec
Jest Code Coverage Bundle Analysis
Branch Build
Non-sensitive context
- no access to secrets
- no pipeline to prod
34. Upload Pipeline Build Docker Image
Linting Security Scans RSpec
Jest Code Coverage Bundle Analysis
Branch Build
Non-sensitive context
- no access to secrets
- no pipeline to prod
Sensitive context
- access to secrets
- additional permissions
Upload Pipeline Build Docker Image
Linting Security Scans RSpec
Jest Code Coverage Bundle Analysis
Main Build
Prepare for Deploy Deploy to Prod
43. • Restrict the scope of a pipeline's access & permissions
• Apply granular access controls:
• job-tokens
• OIDC
• Use these things with a dedicated Secrets Manager:
• Hashicorp Vault (Buildkite plugin)
• AWS Secure Secrets Manager (Buildkite plugin)
• Have ingress/egress filters to the internet:
• Tailscale
• Cloudflare etc.
• Always terminate agents and wipe VMs/Machines!
Insufficient PBAC (Pipeline-Based Access Controls)
44. SECURITY RISKS
SECURITY RISKS
1 — Insufficient Flow Control Mechanisms
2— Inadequate Identity and Access Management
3— Dependency Chain Abuse
4— Poisoned Pipeline Execution (PPE)
5 — Insufficient PBAC (Pipeline-Based Access Controls)
7 — Insecure System Configuration
8— Ungoverned Usage of 3rd Party Services
9 — Improper Artifact Integrity Validation
10 — Insufficient Logging and Visibility
Insufficient Credential Hygiene
45. • Limit the blast radius of potential breaches.
• Reduce risk of Poisoned Pipeline Execution (PPE):
• Limit what code is executed in certain contexts
• Have sensitive/non-sensitive build contexts
• Have strong Pipeline-Based Access Controls (PBAC):
• Limit scope of what builds/pipelines have access to
• Use ephemeral/tightly scoped access tokens
• Have sufficient Identity and Access Management:
• Stick to the principle of least privilege
• Be able to revoke access swiftly
Insufficient Credential Hygiene
52. Insufficient Flow Control Mechanisms
LGTM
• Unreviewed code can’t trigger deployment pipelines
• Code reviews & approvals should be part of the merge
process.
• Configure this process in your Source Control Manager:
• 2 human approvals prior to a PR being merged
• For teams with additional compliance regulations
consider using a `block step` in your pipeline.
56. Dependency Chain Abuse
• Get visibility into CVEs and act on them, use tools like:
• GitHub Dependabot
• Identifies & notifies users about vulnerable dependencies
• Can open PRs to keep dependencies updated
• Snyk
• Integrates with most CI/CD providers
• Does all aspects of security scanning
• Code/application/container scanning
• Asset Discovery and tagging (so you can pin versions)
• Avoid latest versions
• Verify the checksum
57. Software Bill of Materials
An immutable list of what’s in an application:
• Open source libraries (languages, imports/dependencies)
• Plugins, extensions, add-ons used
• Application code (versioned)
• Information about versions, licensing status and patch status of
these components
An SBOM for a SaaS application can include info like:
• APIs
• 3rd party services required to run the SaaS application.
63. Dependency Chain Abuse
• Get visibility into packages + CVEs with tools and act on them
• GitHub Dependabot
• Snyk
• Avoid latest versions
• Verify the checksum
• Practice Continous Compliance (Put a CC in CI/CD)
• Generate SBOMs for your applications
• Cloudsmith, JFrog, ReversingLabs, Sonatype
• Create action oriented workflows around SBOMs
72. OWASP Top 10 CI/CD Security risks
2022 State of DevOps Report
Supply Chain Levels for Software Artifacts (SLSA)
Secure Software Development Framework (SSDF)
US National Cybersecurity Strategy (March 2023)
Auth0's Open ID Connect Handbook
Software Bill of Materials (SBOM)
Automating Governance Risk and Compliance
Creating Actionable SBOMs with Cloudsmith & Buildkite
Resources