Shift Left. Wait, what? No, Shift Right!!!

•

0 likes•1,581 views

Presented on November 7, 2018 at Triangle DevOps (https://www.meetup.com/triangle-devops/). Recently in the DevSecOps world there has been a call to shift left. However, application security has been shifting left for years already. What we should be doing is shifting application security to the right (production). This can be done by instrumenting applications for security.

Technology

Shift Left. Wait, what? No,
Triangle DevOps
11/7/2018
Photo by Nick Fewings on Unsplash
...Shift Right!!!

About me
Phillip Maddux
Principle AppSec Researcher & Advisor
@Signal Sciences
https://signalsciences.com
Career Summary
WebDev, DBA, SA, IT Auditor (~7 yrs)
AppSec in Financials, EY & GS (~9 yrs)
On the socials
● Twitter: @foospidy
● Github: http://github.com/foospidy
● LinkedIn: http://linkedin.pxmx.io
● Blog: http://pxmx.io
Honeypot Enthusiast
● HoneyPy
● Honeydb.io

For clarification… this is not about voting
Photo by Mirah Curzer on Unsplash

We’ve been hearing a lot
about shifting left.
Photo by Samuel Zeller on Unsplash
An approach to software testing and
system testing in which testing is
performed earlier in the lifecycle
(i.e., moved left on the project
timeline). It is the first half of
the maxim "Test early and often." -
Wikipedia
The DevSecOps paradigm that we are all preaching is
"Shift Security Left" e.g. design and develop your
application with security in mind as early as possible
and integrate security into CI/CD pipeline.
- An AppSec person in an AppSec Slack channel
Fun Fact: There is even a cloud
security company named “ShiftLeft”.

That is all good
Photo by Jonathan Daniels on Unsplash

But we’ve
been shifting
left for
years
Photo by Tim Gouw on Unsplash

We need to shift right in a way that
enables us to...
Photo by Jon Tyson on Unsplash
...respond to threats and prioritize what
we do on the left.

Instrument for security...
Photo by Patrick Fore on Unsplash
We already do this for application performance monitoring
One of the best approaches is to provide rapid
feedback to developers. In the land of
application performance, we found that
running APM tools in production was a way to
help developers find places to optimize their
code. This created a feedback loop from
production (the right) to development (the
left).[1]
Any sensitive /
high risk
transactions.
1. James Wickett, https://labs.signalsciences.com/devsecops-security-shift-right

Shift right, and start applying a feedback loop
to Dev, Sec, and Ops!
Photo by Jerry Kiesewetter on Unsplash
Thank you
Also, check out James
Wickett’s blog post for
additional thoughts on
this topic.

In the last few years of AppSec and DevOps, we've heard the calls to shift left. But how far left can we go, and is it really going to help eliminate exploitable bugs or scale your AppSec program? What if we consider a different direction, shifting right! Can a focus on shifting to the right be more effective in mitigating real-world threats and prioritization? In this presentation, I'll explore these questions and propose concepts that show why shifting right is right! 

CSA Raleigh application security and deception in the cloud

Phillip Maddux

Presented on January 17, 2019 at Raleigh/Durham/RTP - Cloud Security Alliance Chapter (https://www.meetup.com/Raleigh-Durham-RTP-Cloud-Security-Alliance-Chapter/). Over the last several years there has been a steady and increasing march towards shifting applications to the cloud. To keep pace with this cloud adoption, in some cases multi-cloud adoption, security teams need consistent real-time threat visibility over their web applications production. In this talk, we'll discuss some of the foundational concepts that comprise a practical approach to threat visibility and securing applications in the cloud. In addition, extending visibility to breaches in progress, deception can be a valuable layer in your defense in depth strategy. We'll discuss the concept of deception and how it can be deployed in the cloud. Overall, the audience will gain a greater insight into application security and deception for the cloud. As we head into 2019, we need to prepare for a year that will prove these concepts are critical for defending deployments in the cloud.

SecOps Armageddon: A look into the future of security & operations

Phillip Maddux

Deception in Cyber Security (League of Women in Cyber Security)

Phillip Maddux

Failure is inevitable but it isn't permanent

Tom Stiehm

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

Tom Stiehm

Shifting Security Left - The Innovation of DevSecOps - AgileDC

Tom Stiehm

Sigma Open Tech Week: Bitter Truth About Software Security

Vlad Styran

Three years, 20,000 DevOps professionals, and some science... What did we find? Well, the headline is that IT *does* matter if you do it right. With a mix of technology, processes, and a great culture, IT contributes to organizations' profitability, productivity, and market share. We also found that using continuous delivery and lean management practices not only makes IT better -- giving you throughput and stability without tradeoffs -- but it also makes your work feel better -- making your organizational culture better and decreasing burnout. Jez and Nicole will share these findings as well as tips and tricks to help make your own DevOps transformation awesome.

Security in agile teams

Maria Gomez

Collaborative security : Securing open source software

Priyanka Aash

There’s no guarantee that software will ever be free from vulnerabilities, whether it is open source or proprietary, but there is still plenty we can do. The Linux Foundation CTO Nicko van Someren will discuss new tools and techniques that help improve the security and quality of open source projects, presenting data from various open source projects including pre- and post-Heartbleed OpenSSL. (Source : RSA Conference USA 2017)

New Era of Software with modern Application Security (v0.6)

Dinis Cruz

Description: This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive way. The v.06 was presented at London Software Craftsmanship Community on 18/Feb/2016 - http://www.meetup.com/london-software-craftsmanship/members/184071944/ The v.0.6 was presented at the OWASP London Chapter meeting on 25t/Feb/2016

Security at Scale - Lessons from Six Months at Yahoo

Alex Stamos

Securing 100 products - How hard can it be?

Priyanka Aash

Many companies establish their Secure Development Lifecycle. The adoption of it crucial especially for corporations with dozens of applications. The main challenges they face are the diversity of architecture, dev languages, methodologies, compliance, regulations, etc. This talk will shed light on scaling up and out the application security capabilities and maximizing the software security maturity. (Source : RSA Conference USA 2017)

The sooner the better but never too late

Vlad Styran

DEVSECOPS: Coding DevSecOps journey

Jason Suttie

QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...

QAFest

Це буде огляд підходів до побудови програми безпеки програмного забезпечення в команді розробки або кампанії загалом, доповнений висновками з мого власного досвіду виконання практичних та консультаційних проектів в сфері Application Security.

Craft 2019 - Security Chaos Engineering - Security Precognition

Aaron Rinehart

Security incident response is a reactive and chaotic exercise. What if it were possible to flip the scenario on its head? Security focused chaos engineering takes the approach of advancing the security incident response apparatus by reversing the postmortem and preparation phases. Contrary to Purple Team or Red Team game days, Security Chaos Engineering does not use threat actor tactics, techniques and procedures. It develops teams through unique configuration, cyber threat and user error scenarios that challenge responders to react to events outside their playbooks and comfort zones. Security Chaos Engineering allows incident response and product teams to derive new information about the state of security within their distributed systems that was previously unknown. Within this new paradigm of instrumentation where we proactively conduct “Pre-Incident” vs. “Post-Incident” reviews we are now able to more accurately measure how effective our security incident response teams, tools, skills, and procedures are during the manic of the Incident Response function. In this session Aaron Rinehart, the mind behind the first Open Source Security Chaos Engineering tool ChaoSlingr, will introduce how Security Chaos Engineering can be applied to create highly secure, performant, and resilient distributed systems.

В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...

Vlad Styran

DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca

DevSecCon

2016 virus bulletin

Adrian Sanabria

Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.

Using security to drive chaos engineering

Dinis Cruz

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

Continuous Acceleration with a Software Supply Chain Approach

Sonatype

"Security is Everybody's Job", Akira Brand

Fwdays

In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

Evolving DevOps in the Age of Cloud Native

VMware Tanzu

What's hot

Silver Lining for Miles: DevOps for Building Security Solutions

SeniorStoryteller

Amy DeMartine - 7 Habits of Rugged DevOps

SeniorStoryteller

The R.O.A.D to DevOps

SeniorStoryteller

Ops Happen: Improve Security Without Getting in the Way

SeniorStoryteller

What we learned from three years sciencing the crap out of devops

Nicole Forsgren

Security in agile teams

Maria Gomez

Collaborative security : Securing open source software

Priyanka Aash

New Era of Software with modern Application Security (v0.6)

Dinis Cruz

Security at Scale - Lessons from Six Months at Yahoo

Alex Stamos

Securing 100 products - How hard can it be?

Priyanka Aash

The sooner the better but never too late

Vlad Styran

DEVSECOPS: Coding DevSecOps journey

Jason Suttie

QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...

QAFest

Craft 2019 - Security Chaos Engineering - Security Precognition

Aaron Rinehart

В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...

Vlad Styran

DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca

DevSecCon

2016 virus bulletin

Adrian Sanabria

Using security to drive chaos engineering

Dinis Cruz

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

Continuous Acceleration with a Software Supply Chain Approach

Sonatype

What's hot (20)

Silver Lining for Miles: DevOps for Building Security Solutions

Amy DeMartine - 7 Habits of Rugged DevOps

The R.O.A.D to DevOps

Ops Happen: Improve Security Without Getting in the Way

What we learned from three years sciencing the crap out of devops

Security in agile teams

Collaborative security : Securing open source software

New Era of Software with modern Application Security (v0.6)

Security at Scale - Lessons from Six Months at Yahoo

Securing 100 products - How hard can it be?

The sooner the better but never too late

DEVSECOPS: Coding DevSecOps journey

QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...

Craft 2019 - Security Chaos Engineering - Security Precognition

В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...

DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca

2016 virus bulletin

Using security to drive chaos engineering

Mobile Application Security Threats through the Eyes of the Attacker

Continuous Acceleration with a Software Supply Chain Approach

Similar to Shift Left. Wait, what? No, Shift Right!!!

"Security is Everybody's Job", Akira Brand

Fwdays

Evolving DevOps in the Age of Cloud Native

VMware Tanzu

DevSecOps at Agile 2019

Elizabeth Ayer

If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk. This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later. This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them. There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.

Гірка правда про безпеку програмного забезпечення, Володимир Стиран

Sigma Software

DOES15 - Elisabeth Hendrickson - Its All About Feedback

Gene Kim

Elisabeth Hendrickson, VP of Engineering, Pivotal’s Big Data Suite Fifteen years ago I was running a traditional QA department, and I had a horrifying realization: the better I got at my job, the worse I made things for the organization as a whole. This counter-intuitive realization spurred me on a journey to understand the relationship between testing and quality, and ultimately to the study of feedback loops in software development processes. Ultimately I found my way to Extreme Programming, and now work at Pivotal where we practice a particularly opinionated form of it. In this talk you’ll hear about my journey from the traditional silos with inherently long feedback latency to my current reality of increasingly tight feedback loops, and the lessons I’ve learned along the way.

DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSec

Sonatype

A Big Dashboard of Problems.pdf

TravisMcPeak1

[Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Cont...

Rakuten Group, Inc.

Shift left-testing

Alan Richardson

What is Shift Left Testing? Do you need to use that term to improve your Software Testing and Development process? I don't think so. - why I don't use the term Shift Left - Explanation of what Shift Left means when people use it - Explanation of what Shift Left might mean when people hear it - How to Shift Left incorrectly - How to improve your test process without using the phrase Shift Left. Hire me for consultancy and buy my online books and training at: - https://compendiumdev.co.uk - http://eviltester.com - http://seleniumsimplified.com - http://javafortesters.com

How to Use Agile to Move the Earth

Ryan Martens

Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...

DevOps Indonesia

Building a Modern Security Engineering Organization

Zane Lackey

Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk with discuss how security adapts effectively to these changes, specifically covering: - Practical advice for building and scaling modern AppSec and NetSec programs - Lessons learned for organizations seeking to launch a bug bounty program - How to run realistic attack simulations and learn the signals of compromise in your environment

Navigating uncertainty: The art and science of learning and doing 10x in a te...

National Retail Federation

Working with Developers for Fun and Profit

Jack Moffett

Working with Developers for Fun and Profit

Jack Moffett

From DevOps to NoOps how not to get Equifaxed Apidays

Ori Pekelman

Monitoring the #DevOps way

Theo Schlossnagle

Make_a_PM_Resolution_for_2007David Whelbourn, MBA, PMP, PRINCE2, MSP

Knowledge is Power: Visualizing JIRA's Performance Data

Atlassian

Once Upon A Time in Application Security land...A true story of how applicati...

Debbie Rosen

Did you know that that today's software applications are predominately assembled from pre-built "building blocks" otherwise known as open source components? And research shows that 71% of these applications have at least one critical vulnerability (not to mention legal and licensing risks). While this dependence on 3rd party and open source components is one of any organizations' greatest exposures, the good news is that it is also one of the easiest to tackle.

Similar to Shift Left. Wait, what? No, Shift Right!!! (20)

"Security is Everybody's Job", Akira Brand

Evolving DevOps in the Age of Cloud Native

DevSecOps at Agile 2019

Гірка правда про безпеку програмного забезпечення, Володимир Стиран

DOES15 - Elisabeth Hendrickson - Its All About Feedback

DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSec

A Big Dashboard of Problems.pdf

[Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Cont...

Shift left-testing

How to Use Agile to Move the Earth

Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...

Building a Modern Security Engineering Organization

Navigating uncertainty: The art and science of learning and doing 10x in a te...

Working with Developers for Fun and Profit

From DevOps to NoOps how not to get Equifaxed Apidays

Monitoring the #DevOps way

Make_a_PM_Resolution_for_2007

Knowledge is Power: Visualizing JIRA's Performance Data

Once Upon A Time in Application Security land...A true story of how applicati...

More from Phillip Maddux

Application security for the modern web - ISSA South Texas Houston DevOps

Phillip Maddux

Presented on September 9, 2018 at ISSA South Texas Houston DevOps conference (http://www.southtexasissa.org/). Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles.

Honeypots, Deception, and Frankenstein

Phillip Maddux

Presented on May 9, 2018 at SOURCE Conference Boston (https://sourceconference.com/events/bos18/). This version contains minor updates from previous presentations. This talk will provide a quick overview honeypots, an explanation of the cyber deception space, and the benefits of implementing deception as part of your cyber defense program. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating deception sensors and start collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing a "Frankenstein Cloud Architecture", for minimal cost.

Honeypots, Deception, and Frankenstein

Phillip Maddux

Presented on April 14, 2018 at CarolinaCon (https://www.carolinacon.org). This talk will provide a quick overview honeypots, an explanation of the cyber deception space, and the benefits of implementing deception as part of your cyber defense program. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating deception sensors and start collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing a "Frankenstein Cloud Architecture", for minimal cost.

HoneyPy & HoneyDB (TriPython)

Phillip Maddux

Presented on June 22, 2017 at TriPython (https://www.meetup.com/tripython/events/240082927/). This talk will provide a light intro to honeypots and their benefits, and highlight two projects HoneyPy and HoneyDB. Operating honeypot sensors on your internal network is a simple way to make your network “noisy” and can trip up malicious actors that have already penetrated your network. Also, leveraging data from honeypot sensors on the Internet can be a useful source of threat information.

HoneyPy & HoneyDB (CarolinaCon 13)

Phillip Maddux

Presented on May 21, 2017 at CarolinaCon (https://www.carolinacon.org). This talk will provide a light intro to honeypots and their benefits, and highlight two projects HoneyPy and HoneyDB. Operating honeypot sensors on your internal network is a simple way to make your network “noisy” and can trip up malicious actors that have already penetrated your network. Also, leveraging data from honeypot sensors on the Internet can be a useful source of threat information.

HoneyPy & HoneyDB (LASCON 2016)

Phillip Maddux

Presented on November 4, 2016 at LASCON (https://lascon2016.sched.com/event/8W7h/honeypy-amp-honeydb). This talk will provide a light intro to honeypots and their benefits, and highlight two projects HoneyPy and HoneyDB. Operating honeypot sensors on your internal network is a simple way to make your network “noisy” and can trip up malicious actors that have already penetrated your network. Also, leveraging data from honeypot sensors on the Internet can be a useful source of threat information.

HoneyPy Honeypot (OWASP Triangle Chapter)

Phillip Maddux

Presented on May 19, 2016 at the OWASP Triangle Chapter (https://www.meetup.com/owasptriangle/events/230531768/). Honeypots can be a valuable resource in detecting malicious actors on a network. The discussion will cover a brief intro on honeypots and then turns to HoneyPy, which is an open source honeypot that is extensible and simple to deploy. In addition, the talk will explore HoneyPy's integration with several other tools to increase visibility of malicious hosts on the Internet.

More from Phillip Maddux (7)

Application security for the modern web - ISSA South Texas Houston DevOps

Honeypots, Deception, and Frankenstein

HoneyPy & HoneyDB (TriPython)

HoneyPy & HoneyDB (CarolinaCon 13)

HoneyPy & HoneyDB (LASCON 2016)

HoneyPy Honeypot (OWASP Triangle Chapter)

Recently uploaded

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

The Future of Platform Engineering

Jemma Hussein Allen

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Recently uploaded (20)

Designing Great Products: The Power of Design and Leadership by Chief Designe...

JMeter webinar - integration with InfluxDB and Grafana

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

The Future of Platform Engineering

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

ODC, Data Fabric and Architecture User Group

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

PHP Frameworks: I want to break free (IPC Berlin 2024)

UiPath Test Automation using UiPath Test Suite series, part 3

The Art of the Pitch: WordPress Relationships and Sales

GraphRAG is All You need? LLM & Knowledge Graph

UiPath Test Automation using UiPath Test Suite series, part 4

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

DevOps and Testing slides at DASA Connect

Shift Left. Wait, what? No, Shift Right!!!

1. Shift Left. Wait, what? No, Triangle DevOps 11/7/2018 Photo by Nick Fewings on Unsplash ...Shift Right!!!

2. About me Phillip Maddux Principle AppSec Researcher & Advisor @Signal Sciences https://signalsciences.com Career Summary WebDev, DBA, SA, IT Auditor (~7 yrs) AppSec in Financials, EY & GS (~9 yrs) On the socials ● Twitter: @foospidy ● Github: http://github.com/foospidy ● LinkedIn: http://linkedin.pxmx.io ● Blog: http://pxmx.io Honeypot Enthusiast ● HoneyPy ● Honeydb.io

3. For clarification… this is not about voting Photo by Mirah Curzer on Unsplash

4. We’ve been hearing a lot about shifting left. Photo by Samuel Zeller on Unsplash An approach to software testing and system testing in which testing is performed earlier in the lifecycle (i.e., moved left on the project timeline). It is the first half of the maxim "Test early and often." - Wikipedia The DevSecOps paradigm that we are all preaching is "Shift Security Left" e.g. design and develop your application with security in mind as early as possible and integrate security into CI/CD pipeline. - An AppSec person in an AppSec Slack channel Fun Fact: There is even a cloud security company named “ShiftLeft”.

5. That is all good Photo by Jonathan Daniels on Unsplash

6. But we’ve been shifting left for years Photo by Tim Gouw on Unsplash

7. We need to shift right in a way that enables us to... Photo by Jon Tyson on Unsplash ...respond to threats and prioritize what we do on the left.

8. Instrument for security... Photo by Patrick Fore on Unsplash We already do this for application performance monitoring One of the best approaches is to provide rapid feedback to developers. In the land of application performance, we found that running APM tools in production was a way to help developers find places to optimize their code. This created a feedback loop from production (the right) to development (the left).[1] Any sensitive / high risk transactions. 1. James Wickett, https://labs.signalsciences.com/devsecops-security-shift-right

9. Shift right, and start applying a feedback loop to Dev, Sec, and Ops! Photo by Jerry Kiesewetter on Unsplash Thank you Also, check out James Wickett’s blog post for additional thoughts on this topic.

Shift Left. Wait, what? No, Shift Right!!!

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Shift Left. Wait, what? No, Shift Right!!!

Similar to Shift Left. Wait, what? No, Shift Right!!! (20)

More from Phillip Maddux

More from Phillip Maddux (7)

Recently uploaded

Recently uploaded (20)

Shift Left. Wait, what? No, Shift Right!!!