Talk from Serverless Days Austin with @iteration1 and @wickett. This talk covers serverless basics and the Secure WIP model as a way to bring security to the conversation.
DevSecOps brings security to the DevOps party, and it is completely changing the security playbook. This talk covers 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. It is loaded with examples usable by developers, security and operations teams, examples you can take home next week and put into practice.
Shannon Lietz, Intuit
James Wickett, Signal Sciences
RSA Conference 2019
Serverless Security: A How-to Guide @ SnowFROC 2019 (James Wickett)
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
The Seven Habits of the Highly Effective DevSecOp (James Wickett)
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?
This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops, and security to work together.
Maturing DevSecOps: From Easy to High Impact (SBWebinars)
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Looking at the WAF space, we examine how Signal Sciences has created feedback between Dev, Ops and Security to create new value.
The Emergent Cloud Security Toolchain for CI/CD (James Wickett)
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand what DevSecOps really means, without all the hype.
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napoca (jerryhargrove)
Whether you’re building an application in a DevOps + Security culture, or have already bridged the gap with DevSecOps, the task remains the same: how do you ensure that security best practices are understood, architected for and integrated into your application from day 1 and remain relevant in year 1? During this talk I’ll focus on how to achieve these goals amidst the ever-changing landscape of people, process, and technology in the cloud, in the context of various compute environments like instances, containers and serverless functions, and how to do so using off-the-shelf AWS services and features. I’ll complete the story by accompanying this discussion with a reference application architecture and examples. Attendees of this talk will receive actionable best practices and guidance, with specific implementation details for AWS.
DevOpsDays Austin: Security in the FaaS Lane (James Wickett)
James Wickett and Karthik Gaekwad talk about Serverless Security at DevOps Days Austin.
Security in FaaS isn't what we are used to, but this talk shows you how what we learned in appsec still applies. Using LambHack, which is a vulnerable serverless application written in Go on AWS Lambda using Sparta, we will evaluate how to do security in serverless.
In this talk, we will talk about security strategies and pitfalls in the serverless world. You'll leave with an understanding of how to approach security conversations about serverel
Talk goals:
- How to approach the security concerns in a serverless world.
- Talk about the 'WIP' methodology for serverless security.
- Understand current serverless attacks for things to defend against.
- Learn what different cloud providers (AWS/GKE/Azure/Oracle Cloud) do to protect you in a serverless world.
Learn what devsecops really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and... (Erkang Zheng)
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way, including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, and artifact and evidence collection.
A DevSecOps Tale of Business, Engineering, and People (James Wickett)
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
Today everybody wants to deploy applications and infrastructure faster and without friction, and an Agile framework can help teams deploy faster. But continuous innovation can conflict with stability and security: without security at every stage, DevOps merely introduces vulnerabilities into the application more quickly. To resolve this conflict, the gaps in the feedback loops need to be eliminated. Often teams do not collaborate effectively or interact smoothly with each other, which produces gaps and problems in code development and quality, meaning slower delivery and serious vulnerabilities that create security risk. Fortunately, these shortcomings can be addressed as developers and testers move into the DevSecOps world or adopt a Rugged DevOps model.
Scale DevSecOps with your Continuous Integration Pipeline (DevOps.com)
Hear from AppSec and Development leaders on how they apply the principles of DevOps to deliver secure products and services to customers. Learn how you can scale your DevSecOps initiatives to reduce time-to-deployment and lower costs as you deliver secure software. During this webinar, you will learn about the latest tools and techniques that will enable your development teams to embed security scanning into your IDE as you are coding, returning most scans in seconds – all while integrating into your CI pipeline. Our speaker will provide:
An overview of Veracode Greenlight and its integrations with developer tools;
A summary of recent Greenlight use cases and successes;
Examples of how Greenlight integrates into your CI pipeline
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
DevSecOps Singapore 2017 - Security in the Delivery Pipeline (James Wickett)
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high profile data breaches occur they help to awaken interest in how to integrate security into this practice without inhibiting the DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps!
DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss:
* What is DevSecOps
* Changing the security mindset
* The Do's and Don'ts for success
Serverless Security: Doing Security in 100 milliseconds (James Wickett)
Talk on serverless security with a brief history of cloud, containers and now serverless. This talk also features serverless patterns, and security considerations needed in this new environment. This talk was given at AppSecUSA 2016.
Adversary Driven Defense in the Real World (James Wickett)
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
Harnessing the power of cloud for real security (Erkang Zheng)
Find out how LifeOmic security and engineering leveraged cloud services to define a highly secure architecture for real security and HIPAA compliance. The talk covers the "Essential Eight" of our security principles and a real implementation example of secure deployment into our virtually air-gapped production environments, a model we call #zerotrustplus.
Petko D. Petkov
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
New Farming Methods in the Epistemological Wasteland of Application Security (James Wickett)
Over the years, application security (appsec) has made progress, but it has also made some considerable missteps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions that got us here. Let's journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://lascon.org
http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3
An introduction to DevSecOps webinar will be presented by me at 10:30am EST on 29 July 2018. It's a session focused on a high-level overview of DevSecOps, which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
The New Ways of Chaos, Security, and DevOps (James Wickett)
VMware Thought Leadership Series: The New Ways of Chaos, Security, and DevOps
Abstract:
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
How to Effect Change in the Epistemological Wasteland of Application Security (James Wickett)
From GOTO London 2015
Over the years, application security (appsec) has made progress, but it has also made some considerable missteps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions that got us here. Let's journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M... (apidays)
apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/
API Security Breach Analysis & Empowering Devs to Make Secure APIs
Jeremy Snyder, Founder and CEO of FireTail
Learn what devsecops really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
A DevSecOps Tale of Business, Engineering, and PeopleJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
Today everybody wants to deploy the app and infrastructure faster without any disputes. An Even, Agile framework can help to deploy faster in real-time. But Continuous Innovation may conflict with stability and security. Without security at every stage, DevOps merely introduces vulnerabilities into application quickly. To resolve such conflict, the gap in recursive feedback loops need to be eliminated. Mostly, teams are not effectively working in a collaboration and interacting with each other smoothly. This results in gaps and produce problems with code development and quality, meaning slower delivery plans and serious vulnerabilities that create security risk at most. Fortunately, these shortcomings can be addressed very well, as developers/testers are set to launch off into the DevSecOps world or via adopting rugged DevOps model.
Scale DevSecOps with your Continuous Integration PipelineDevOps.com
Hear from AppSec and Development leaders on how they apply the principles of DevOps to deliver secure products and services to customers. Learn how you can scale your DevSecOps initiatives to reduce time-to-deployment and lower costs as you deliver secure software. During this webinar, you will learn about the latest tools and techniques that will enable your development teams to embed security scanning into your IDE as you are coding, returning most scans in seconds – all while integrating into your CI pipeline. Our speaker will provide:
An overview of Veracode Greenlight and its integrations with developer tools;
A summary of recent Greenlight use cases and successes;
Examples of how Greenlight integrates into your CI pipeline
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high profile data breaches occur they help to awaken interest in how to integrate security into this practice without inhibiting the DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps!
DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss:
* What is DevSecOps
* Changing the security mindset
* The Do's and Don'ts for success
Serverless Security: Doing Security in 100 millisecondsJames Wickett
Talk on serverless security with a brief history of cloud, containers and now serverless. This talk also features serverless patterns, and security considerations needed in this new environment. This talk was given at AppSecUSA 2016.
Adversary Driven Defense in the Real WorldJames Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
Harnessing the power of cloud for real securityErkang Zheng
Find out how LifeOmic security and engineering leveraged cloud services to define a highly secure architecture for real security and HIPAA compliance. The "Essential Eight" of our security principles, and a real implementation example for secure deployment into our virtually air-gapped production environments. A model we call #zerotrustplus.
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://lascon.org
http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
The New Ways of Chaos, Security, and DevOpsJames Wickett
VMware Thought Leadership Series: The New Ways of Chaos, Security, and DevOps
Abstract:
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
How to Effect Change in the Epistemological Wasteland of Application Security - James Wickett
From GOTO London 2015
Over the years, application security (appsec) has made progress, but it has also made some considerable missteps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Let's journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M... - apidays
apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/
API Security Breach Analysis & Empowering Devs to Make Secure APIs
Jeremy Snyder, Founder and CEO of FireTail
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Swift is a robust language for mobile but cloud development opens the door to new opportunities for today's top app developers. Integrating projects to backend systems can sometimes be problematic, requiring new tools and skills. It doesn't have to be; end-to-end Swift opens the door to radically simpler app dev so we can all focus on the engagement. This session will describe the work that's been done to bring Swift to the server, both in terms of efforts in the Swift.org projects, and with implementation of server frameworks, and show you how you can quickly create and deploy applications with both server and client components.
Presented by Chris Bailey at the Swift Summit, Nov 7th 2016
apidays LIVE Australia 2020 - From micro to macro-coordination through domain... - apidays
apidays LIVE Australia 2020 - Building Business Ecosystems
From micro to macro-coordination through domain-centric DDL pipeline
Alex Khilko, CTO of PlayQ Inc.
How can we make the deployment process faster?
How do we push a git branch and spin up an individual test server for it?
We introduce a deployment method using Kubernetes, GitOps and Argo CD.
Presentation material from Open Infrastructure & Cloud Native Days Korea 2019
Download the original slides - http://bit.ly/subicura-gitops
Swift Summit: Pushing the boundaries of Swift to the Server - Chris Bailey
Swift is a robust language for mobile but cloud development opens the door to new opportunities for today's top app developers. Integrating projects to backend systems can sometimes be problematic, requiring new tools and skills. It doesn't have to be; end-to-end Swift opens the door to radically simpler app dev so we can all focus on the engagement. This session will describe the work that's been done to bring Swift to the server, both in terms of efforts in the Swift.org projects, and with implementation of server frameworks, and show you how you can quickly create and deploy applications with both server and client components.
Presented at the Swift Summit, Nov 7th 2016
SpringBoot and Spring Cloud Service for MSA - Oracle Korea
Learn how to develop applications for MSA in a cloud environment using Service Discovery, Circuit Breaker and similar patterns with SpringBoot and Spring Cloud Service, and how the container ecosystem led by Kubernetes in the cloud affects MSA.
Introducing the New Features of AWS Greengrass (IOT365) - AWS re:Invent 2018 - Amazon Web Services
With AWS Greengrass, you can bring local compute, messaging, data caching, sync, and machine-learning inference capabilities to edge devices. Join us in this session to learn about new features that extend the capabilities of AWS Greengrass devices.
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch... - APIsecure_ Official
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
From Shift Left to Full Circle - A Pragmatic Approach to Catching Up and Keeping Up With API Security
Chuck Herrin, CTO at WIB
Slides from my talk at APIDays Paris 2020 on building APIs in a Cloud Native Era. This discusses the challenges in building APIs in the Cloud and how we need to address them smartly.
apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias - apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Building APIs in a Cloud Native era
Nuwan Dias, VP & Deputy CTO - API Management & Integration at WSO2
Continuous (Non)-Functional Testing of Microservices on k8s - QAware GmbH
Continuous Lifecycle Online 2021, May 11th 2021, online: talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware)
== Please download slides if blurred! ==
Abstract:
Continuous delivery is everywhere. Well, not quite! Many teams still fail to continuously deliver well tested and stable product increments to production, especially when it comes to non-functional attributes. Usually with the same old excuse: these high-level tests are too laborious and expensive to implement. But the opposite could be the case! These slides will show how easy it is to implement continuous performance, security and acceptance tests for microservices on Kubernetes using well-known open source tools.
APIs are changing the way we build applications and changing the way we expose data, both inside and outside our organizations. But what is the most efficient and effective way to deliver these APIs? That’s the job of the API gateway. In this session, we will look at different deployment patterns for API gateways.
Introduction to Serverless Computing - OOP Munich - Boaz Ziniman
Serverless computing allows you to build and run applications without the need for provisioning or managing servers. With serverless computing, you can build web, mobile, and IoT backends; run stream processing or big data workloads; run chatbots, and more.
In this session, we will learn how to get started with Serverless computing using AWS Lambda, which lets you run code without provisioning or managing servers.
Security in a Site Reliability Engineering (SRE) context with a focus on being pragmatic just makes sense. In this talk, we will look at 4 key areas where SRE and Security tribes can join forces and influence the overall business. This is a lab/discussion session.
A Way to Think about DevSecOps: MEASURE - James Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in history to learn how engineering decisions affect the lives of those around us, with an eye on how to make meaningful progress today.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce MEASURE, a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
----
thanks to Verica https://verica.io and techstrongcon.com
The Security, DevOps, and Chaos Playbook to Change the World - James Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This talk will highlight security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
From Innotech Austin 2019 and Cloud Austin Nov 2019
The New Ways of DevSecOps - The Secure Dev 2019 - James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps - James Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
The Emergent Cloud Security Toolchain for CI/CD - James Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
The DevSecOps Builder’s Guide to the CI/CD Pipeline - James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
This talk is half discussion of the DevSecOps 2018 community survey report and half conversation with the crowd in attendance on what they want the future to look like. This was prepared for the July 2018 meetup of DevOps Austin.
The talk was created by @wickett of Signal Sciences and @ernestmueller of AlienVault.
Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?
From Austin OWASP meetup in June 2018
AppSec California 2018: The Path of DevOps Enlightenment for InfoSec - James Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
LambHack: A Vulnerable Serverless Application - James Wickett
LambHack is a vulnerable serverless application written in golang in AWS Lambda running on the Go Sparta Serverless Framework. This talk focuses on how application security still has tons of meaning in serverless.
Talk from 12 Clouds of Christmas at Cloud Austin.
Defense-Oriented DevOps for Modern Software Development - James Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
- Treat all systems and infrastructure as code
- Change the engineering culture to orient around delivery
- Favor a fast delivery cadence
- Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec - James Wickett
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
Serverless Security: A Pragmatic Primer for builders and defenders
Covers an intro to serverless, security ideas, and an open source vulnerable lambda application called lambhack.
From LASCON 2017, Austin, Texas.
The Path of DevOps Enlightenment for InfoSec - James Wickett
Presentation at All Day DevOps on the path for infosec and security engineers in the modern software development flow and their place in DevOps. The journey is important but the destination is critical.
The Path of DevOps Enlightenment for InfoSec - James Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
From DevOps Days KC 2017
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Developing Distributed High-performance Computing Capabilities of an Open Sci... - Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient... - Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. This is where custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Field Employee Tracking System | MiTrack App | Best Employee Tracking Solution |... - informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Understanding Globus Data Transfers with NetSage - Globus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks worldwide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv... - Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite - Google
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See my other review articles:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G... - Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge of how to organize and improve your code review process.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam - takuyayamamoto1800
In these slides, we show a simulation example and the way to compile this solver.
helmholtzFoam solves the Helmholtz equation, and helmholtzBubbleFoam simulates the Helmholtz equation with uniformly dispersed bubbles.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx - rickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
SOCRadar Research Team: Latest Activities of IntelBroker - SOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntelBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Navigating the Metaverse: A Journey into Virtual Evolution - Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus... - Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Quarkus Hidden and Forbidden Extensions - Max Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
5. Where we are going
* Serverless changes the security landscape
* Where security fits into serverless
* The Secure WIP model for serverless
* A quick look at lambhack
* Serverless provider security tips
@wickett + @iteration1 @ Serverless Days Austin 2019
8. Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
24. Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.
25. [Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work
27. While engineering teams are busy deploying leading-edge technologies, security teams are still focused on fighting yesterday’s battles.
SANS 2018 DevSecOps Survey
28. 95% of security professionals spend their time protecting legacy applications
29. "many security teams work with a worldview where their goal is to inhibit change as much as possible"
30. The serverless model doesn't fit into the security team's worldview
31. How do we change this?
33. Secure WIP for Serverless
→ The code that you actually write
→ The code you inherited
→ The container you were provided
38. OWASP Top 10 (2017)
39. VERY relevant in serverless
* A1 Injection
* A5 Broken Access Control
* A6 Security Misconfiguration
* A9 Components with known vulnerabilities
* A10 Insufficient Logging & Monitoring
(we'll talk about these as we go along)
42. OWASP A1-Injection
Issue: incoming data is hostile
* Same issues as in traditional apps, but more prevalent.
* Frontend frameworks made this transparent before.
43. OWASP A1-Injection
What should I do?
* Keep your data separate from commands/queries.
* Verify you are sanitizing any data being stored.
* Pay attention to input validation.
* Use whitelist validation wherever possible.
44. OWASP A5-Broken Access Control
Issue: users must not be able to act outside their intended permissions, but broken access control lets them.
* URL modifications (example: lambhack demo with uname)
* Metadata, Header manipulation
* Token Expiration (or lack thereof)
45. OWASP A5-Broken Access Control
What do I do?
* Deny by default strategy
* Have an access control mechanism in place
* Rate limit against automated tooling
* Log the failures (but not the sensitive data)
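The A1 and A5 advice from slides 43 and 45 (allowlist validation, data kept separate from the query, deny by default, log the failure but not the sensitive data) in one small Lambda-style handler. This is an added example, not code from the talk or from lambhack; the event shape (API Gateway proxy with `queryStringParameters` and `requestContext.authorizer.principalId`), the `profiles` table and its rows are all constructed for the example.

```python
import json
import logging
import re
import sqlite3
from typing import Optional

log = logging.getLogger("profile-handler")

# Allowlist: usernames are short, lowercase, alphanumeric plus '_' and '-'.
# Anything else is rejected before it reaches a query (slide 43, "whitelist validation").
USERNAME_RE = re.compile(r"[a-z0-9_-]{1,32}")

# Constructed sample rows standing in for the function's datastore.
_SAMPLE_ROWS = [
    ("alice", "alice@example.com", "engineering"),
    ("bob", "bob@example.com", "finance"),
]


def _build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE profiles (username TEXT PRIMARY KEY, email TEXT, team TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", _SAMPLE_ROWS)
    conn.commit()
    return conn


DB = _build_db()


def _response(status: int, body: dict) -> dict:
    return {"statusCode": status, "body": json.dumps(body)}


def body_of(response: dict) -> dict:
    """Decode the JSON body of a handler response (convenience for callers/tests)."""
    return json.loads(response["body"])


def lookup_profile(username: str) -> Optional[dict]:
    """Parameterised query: the value is bound by the driver, never spliced into
    the SQL text, so data stays separate from the command (slide 43)."""
    row = DB.execute(
        "SELECT username, email, team FROM profiles WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return {"username": row[0], "email": row[1], "team": row[2]}


def handler(event: dict, context=None) -> dict:
    """Lambda entry point. The event is assumed to follow the API Gateway proxy
    shape: queryStringParameters plus requestContext.authorizer.principalId."""
    params = event.get("queryStringParameters") or {}
    requested = params.get("user") or ""

    # A1: allowlist validation. A payload such as "' OR 1=1 --" never gets
    # past this line, so it never reaches the query at all.
    if not USERNAME_RE.fullmatch(requested):
        # Log that validation failed, but not the hostile payload itself.
        log.warning("rejected user parameter (length=%d)", len(requested))
        return _response(400, {"error": "invalid user parameter"})

    # A5: deny by default. Identity comes from the authorizer; a missing
    # identity, or a caller asking for someone else's profile, is a 403.
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    caller = authorizer.get("principalId")
    if caller is None or caller != requested:
        # Slide 45: log the failure with identifiers only (no tokens, no headers).
        log.warning("access denied: caller=%s requested=%s", caller, requested)
        return _response(403, {"error": "forbidden"})

    profile = lookup_profile(requested)
    if profile is None:
        return _response(404, {"error": "not found"})
    return _response(200, profile)


def make_event(user: str, caller: Optional[str]) -> dict:
    """Build a constructed API Gateway proxy event for local runs and tests."""
    event = {"queryStringParameters": {"user": user}, "requestContext": {}}
    if caller is not None:
        event["requestContext"]["authorizer"] = {"principalId": caller}
    return event


if __name__ == "__main__":
    for user, caller in [("alice", "alice"), ("' OR 1=1 --", "alice"), ("bob", "alice")]:
        print(repr(user), caller, handler(make_event(user, caller)))
```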
49. Vulnerable Lambda + API Gateway stack
→ Wanted to make the point that appsec is relevant in serverless
→ Born from the heritage of WebGoat, Rails Goat …
51. Lambhack
→ A Vulnerable Lambda + API Gateway stack
→ Open Source, MIT licensed
→ Includes arbitrary code execution in a query string
52. Basically a reverse shell in an HTTP query string for Lambda
61. AppSec Thoughts from Lambhack
→ Lambda has limited Blast Radius, but not zero
→ Monitoring/Logging plays a key role here
→ Detect longer run times
→ Higher error rate occurrences
→ Log actions of lambdas
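Slide 61's two detection signals, longer run times and a higher error rate, as logic run over Lambda log lines. This is an added example, not from the talk or lambhack: the log excerpt is constructed (the request ids are made up), though the REPORT line shape follows what Lambda writes to CloudWatch; the 5x-median threshold is an assumed baseline.

```python
import re
import statistics
from typing import List

# Shape of the REPORT line Lambda emits at the end of every invocation.
REPORT_RE = re.compile(
    r"REPORT RequestId: (?P<rid>\S+)\s+Duration: (?P<dur>[\d.]+) ms\s+"
    r"Billed Duration: (?P<billed>\d+) ms"
)
# Error signals: runtime error lines and invocation timeouts.
ERROR_RE = re.compile(r"\[ERROR\]|Task timed out")

# Constructed sample excerpt: ~40 ms invocations, one slow outlier (req-0005),
# one runtime error (before req-0003) and one timeout (req-0006).
SAMPLE_LOGS = """\
START RequestId: req-0001 Version: $LATEST
REPORT RequestId: req-0001 Duration: 42.10 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 45 MB
REPORT RequestId: req-0002 Duration: 38.55 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 45 MB
[ERROR] KeyError: 'user' Traceback (most recent call last):
REPORT RequestId: req-0003 Duration: 12.01 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 44 MB
REPORT RequestId: req-0004 Duration: 45.90 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 46 MB
REPORT RequestId: req-0005 Duration: 2987.33 ms Billed Duration: 3000 ms Memory Size: 128 MB Max Memory Used: 61 MB
Task timed out after 3.00 seconds
REPORT RequestId: req-0006 Duration: 3000.00 ms Billed Duration: 3000 ms Memory Size: 128 MB Max Memory Used: 47 MB
REPORT RequestId: req-0007 Duration: 40.22 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 45 MB
"""


def parse_reports(text: str) -> List[dict]:
    """Per-invocation timing taken from REPORT lines, in log order."""
    reports = []
    for line in text.splitlines():
        m = REPORT_RE.search(line)
        if m:
            reports.append({
                "rid": m.group("rid"),
                "duration_ms": float(m.group("dur")),
                "billed_ms": int(m.group("billed")),
            })
    return reports


def count_errors(text: str) -> int:
    return sum(1 for line in text.splitlines() if ERROR_RE.search(line))


def slow_invocations(reports: List[dict], factor: float = 5.0) -> List[str]:
    """Request ids whose duration exceeds `factor` times the median duration.
    The median is the baseline so a few outliers do not drag the threshold up;
    an unexpectedly long run is one of the things slide 61 says to look for."""
    if not reports:
        return []
    median = statistics.median(r["duration_ms"] for r in reports)
    return [r["rid"] for r in reports if r["duration_ms"] > factor * median]


def analyze(text: str, factor: float = 5.0) -> dict:
    """Summary a monitoring check could alert on: error rate and slow invocations."""
    reports = parse_reports(text)
    errors = count_errors(text)
    invocations = len(reports)
    return {
        "invocations": invocations,
        "errors": errors,
        "error_rate": errors / invocations if invocations else 0.0,
        "median_ms": statistics.median(r["duration_ms"] for r in reports) if reports else 0.0,
        "slow": slow_invocations(reports, factor),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```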
63. It all seems so simple...
222 Lines of Code
5 direct dependencies
54 total deps (incl. indirect)
(example thanks to snyk.io)
69. OWASP-A9 Components with known vulnerabilities
What should I do?
* Monitor dependencies continuously.
* If you use a Docker based system, use the registry scanning tools.
* Watch for CVEs (they will happen).
70. OWASP-A6 Security Misconfiguration
Issue: insecure or missing configuration
* Function permissiveness and roles (too much privilege)
* Configuration for services (supporting cloud based services)
* Security configuration leaked into logs
71. OWASP-A6 Security Misconfiguration
What should I do?
* Consider limiting your blast radius
* Harden security provider config (IAM/storage)
* Scan for global bucket read/write access
* Use a principle of least privilege
* Enterprise setting: MFA to access cloud console
72. Most common attacks
(via the PureSec whitepaper)
→ Crypto Mining (via remote code execution)
→ Hijacking business flow
→ Denial of wallet
→ Data misconfiguration
77. Gone in 60 Milliseconds
Intrusion and Exfiltration in Server-less Architecture
https://media.ccc.de/v/33c3-7865-gonein60_milliseconds
78. Focus on IAM Roles and Policies
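For the A6 advice on slide 71 (scan for global bucket read/write, harden IAM, least privilege) and the IAM focus of slide 78, here is an added example, not code from the talk or from any AWS tool: two static checks over policy documents, one that reports whether a bucket policy grants anonymous read or write, and one that flags wildcard actions or resources in a function's execution role. The policy documents are constructed samples; the bucket name, account id and function name are placeholders.

```python
"""Added example (not from the talk): static misconfiguration checks over
S3 bucket policies and Lambda execution-role policies. All policy documents,
ARNs and account ids below are constructed placeholders."""

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*"}


def _as_list(value):
    """Policy JSON allows a string or a list in most positions; normalize."""
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for Principal "*" or Principal {"AWS": "*"}: anyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def global_s3_access(bucket_policy):
    """Return {'read': bool, 'write': bool} for unconditioned anonymous grants."""
    found = {"read": False, "write": False}
    for st in _as_list(bucket_policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_public(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # conditioned grants need a human look; not counted as global
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            found["read"] = True
        if actions & WRITE_ACTIONS:
            found["write"] = True
    return found


def role_findings(role_policy):
    """Flag Allow statements that are broader than least privilege."""
    findings = []
    for i, st in enumerate(_as_list(role_policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" for a in actions):
            findings.append(f"statement {i}: Action '*' (full admin)")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: Resource '*'")
    return findings


# Constructed: a bucket policy that lets anyone read and write.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
}

# Constructed: an execution role far broader than the function needs.
OVERBROAD_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the same function scoped to one prefix and its own log group.
SCOPED_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket-placeholder/uploads/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*"},
    ],
}
```

The checks are deliberately conservative: a grant behind a `Condition` is skipped rather than reported, because whether it is public depends on the condition, and the role check only looks at `Allow` statements since a `Deny` can only narrow access. Run them against the policies your deploy tooling is about to apply, so a wildcard fails the pipeline before it reaches an account.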
79. Good hygiene
* Disable root access keys
* Manage users with profiles
* Secure your keys in your deploy system
* Secure keys in dev system
* Use provider MFA
80. AWS lets you roll your own
82. Choose your own adventure
→ Your very own Honeypot
→ Defend scanners and attack tooling
→ Parsing reputation lists
→ Deal with whitelisting/blacklisting
→ Tuning WAF Regex rules
83. Cool, but not exactly a friendly setup for devs or ops
84. Azure
→ Lots of great resources in the docs
→ Overview
→ Security Policy
→ Key Vault Service
85. Google Cloud
→ Follow IAM and data best practices
→ Security command
→ Storage best practices
86. Oracle Cloud Infrastructure
→ Use compartment concepts and IAM to limit blast radius
→ Limit specific user/group access to specific compartments
→ Security guidance
87. What about roll your own?
→ Knative
→ OpenFaaS
→ Fn
→ and others...
88. Kubernetes Security
→ Many FaaS providers can use K8s to deploy/scale
→ Use K8s best practices
→ Starting point: Signal Sciences webinar on cloud-native security
89. Security Pitfalls for serverless
* Auditors/Compliance
* Lack of instrumentation
* Lack of security controls in dev pipeline
* Provider config
* Lambhack as a way to facilitate conversations
90. Security's Path to Influence
1. Identify Resource Misutilization
2. Add Telemetry and Feedback Loops
3. Automate and Monitor Across the Software Pipeline
4. Influence Organizational Culture
91. The New Security Playbook
* Speed up delivery instead of blocking
* Empathy towards devs and ops
* Normal - provide value by making security normal
* Automate - security testing in every phase
92. Conclusions
* Use the Secure WIP model
* Involve security team in serverless
* New Security Playbook
* Foster discussion on where to apply controls