Actually, this is about the things a Cloud Evangelist DOESN'T say, and it correlates the experience, belief systems and issues of developers and security folks. It's a plea for devs to evangelize to security and enroll them in their efforts as it relates to the security of their platforms...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows... (Adrian Sanabria)
There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows running one of these 100 products. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy.
Part one of this workshop will address the anatomy of malware and why it succeeds so often.
The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation.
- Passive prevention is effectively free and ideal
- Prevention will always fail a percentage of the time, so detection is essential
- Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal
- Remediation, because someone has to clean up this mess...
Every successful security strategy includes planning to handle failure quickly and effectively.
The remainder of the workshop will be hands-on.
Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them.
For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.
Transitioning to Next-Generation Firewall Management - 3 Ways to Accelerate t... (Skybox Security)
Speaker: Gidi Cohen, CEO and Founder – Skybox Security, Inc.
Whether you are planning a transition to next-gen firewalls or have already done so, maximizing your next-gen firewall investment is imperative. Yet, most enterprises experience common management challenges that can slow down deployments, complicate existing firewall operations processes, and delay use of the most advanced next-gen firewall features.
In this session, Gidi Cohen, CEO and founder of Skybox Security, shares customer case studies and research to illustrate these transition challenges and outline a phased approach to evaluate, adjust, and implement updated processes and tools so you can effectively manage your next-gen firewall deployment.
Don't let this happen to you! Cloud, complexity and drift (James Urquhart)
Presentation given at Gluecon 2012 on Thursday morning at 9AM MT. Covers complex adaptive systems and systems thinking as applied to cloud computing and the API economy.
The Practitioner's Guide to Cloud Security (Zohar Alon)
My presentation from Cloud Expo Europe, London January 2013.
Outlining which technologies could be leveraged today to secure an organization's cloud infrastructure:
1. Responsibility
2. Strong Authentication
3. WAF
4. Log
5. Dynamic Cloud Server Firewall
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr... (Skybox Security)
Presented at Black Hat 2014.
Heartbleed. Target. Adobe … businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It’s a wildly uneven match where a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on time-honored methodology to fix vulnerabilities in order of severity.
But severity-based vulnerability management misses the mark completely, as it overlooks the fact that risk exposure is the real concern. This workshop will focus on identifying critical vulnerabilities so they can be fixed as quickly as possible to ensure a reduction in risk and the shrinking of the attack surface over time.
In this deep dive session on vulnerability analysis and prioritization, we’ll cover:
- Calculating risk exposure: Risk = Impact * Likelihood * Time
- The data you need to be collecting about assets and vulnerabilities
- Prioritizing vulnerabilities using simple two-factor relationships
- Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data
- Techniques to drive down the risk exposure time
Impress your security team and avoid becoming a cautionary tale! Security needs to come first, but how? What do you do if you're not a security expert? From secure development to dealing with cloud-native infrastructure, and being ready for trouble, this presentation will help you feel secure.
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S... (Skybox Security)
It’s a new era for IT security teams. Tasked with ensuring the success of business-changing IT initiatives from mobile and BYOD to virtualization and cloud services, CISOs are finding that existing security controls and processes create complexity instead of reducing risks. At the same time, highly publicized breaches and new forms of attacks have raised awareness of the business impact of cyber threats to the board level. It’s time for a hard look at your current security program. Can you demonstrate an effective security strategy that will protect your company’s vital services, systems and data?
Gidi Cohen challenges you to reinvent your security approach. More than offering just a few ideas, Cohen will examine why some popular security controls are no longer effective at minimizing risks, and explore proven next-generation techniques to increase your ability to see, measure, and gain control over business risks.
Presented by Gidi Cohen, CEO and Founder - Skybox Security at the CISO Summit in San Francisco, CA.
Secure by Design - Security Design Principles for the Working Architect (Eoin Woods)
As our world becomes digital, the systems we build must be secure by design. The security community has developed a well-understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers. And when the principles are explained, they are often shrouded in the jargon of the security engineering community, so mainstream developers struggle to understand and apply them.
This talk explains why secure design matters and introduces 10 of the most important proven principles for designing secure systems, distilled from the wisdom of the security engineering community.
Cloud has brought in the concept of managing security within bounded contexts. All else is outside the scope of the service provider or the hosting vendor. How do you plan and scope security activities around the nebulous scope of the cloud, especially in hybrid / multi-cloud scenarios where clear-cut boundaries are not well defined? How can architecture frameworks help you fix this issue, which is like trying to safeguard a fort without knowing which doors to lock and where to start? The talk will focus on how enterprise architecture frameworks can help create the much-needed traceability and help define the scope of the security architecture activity. Using tried and tested means has the advantage of not having to reinvent the wheel and avoids missing out on plugging the weak links within your enterprise.
Chaos engineering for cloud native security (Kennedy)
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric and continuous, and not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches: it injects security faults that trigger security failures which impact integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reverted to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner, and extends the benefits of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google Cloud Platform.
Cloud security: Accelerating cloud adoption (Dell World)
Organizations now have an opportunity to more rapidly overcome their security concerns by using third-party cloud platforms. In this session, Dell SecureWorks security experts discuss the Shared Security Responsibility model, how organizations need to think about security architecture in the cloud, and new Dell SecureWorks services that are helping organizations plan, architect, manage and respond to threats in the cloud.
Secure by Design - Security Design Principles for the Rest of Us (Eoin Woods)
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
Top Ten Security Considerations when Setting up your OpenNebula Cloud (NETWAYS)
Creating new nodes in your cloud environment has never been as easy. With just a few clicks, system engineers create new virtual machines, assign network environments to them and deploy software components. Viable security engineering has always been a key task to ensure your data’s confidentiality, integrity, and availability. While you harden your operating systems and design your applications wisely, cloud computing has introduced a new challenge for the engineers who are responsible for security.
A breach in the perimeters of one of your central components threatens the overall security of all systems in any environment. The talk discusses predominant attack patterns that system engineers and security officers should consider. The top 10 threats come together with practical suggestions to improve data center security in the cloud.
OpenNebulaConf 2013 - Top Ten Security Considerations when Setting up your Op... (OpenNebula Project)
Bio:
Nils Magnus works as a senior system engineer at inovex GmbH, Germany, and designs cloud infrastructure for data centers. In previous roles he wrote as a journalist for Linux Magazine and was a senior consultant for high-security environments. Nils also serves on the Board of Directors of the LinuxTag Association. He has spoken for 15+ years at conferences around the world on the advantages of free and open source software, as well as on cloud and security management issues.
Better Security Testing: Using the Cloud and Continuous Delivery (TechWell)
Even though many organizations claim that security is a priority, that claim doesn’t always translate into supporting security initiatives in software development or test. Security code reviews often are overlooked or avoided, and when development schedules fall behind, security testing may be dropped to help the team “catch up.” Everyone wants more secure development; they just don’t want to spend time or money to get it. Gene Gotimer describes his experiences with implementing a continuous delivery process in the cloud and how he integrated security testing into that process. Gene discusses how to take advantage of the automated provisioning and automated deploys already being implemented to give more opportunities along the way for security testing without schedule disruption. Learn how you can incrementally mature a practice to build security into the process—without a large-scale, time-consuming, or costly effort.
Top ten security considerations when setting up your open nebula cloud (inovex GmbH)
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
Outpost24 webinar - Why security perfection is the enemy of DevSecOps (Outpost24)
The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of SDLC and rectifying them early is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.
- How software development methodologies may increase the security level
- Detecting and handling vulnerabilities in dependencies in a pragmatic way
- High-level principles that ~always increase the security level
  - Microsoft Security Development Lifecycle practices
  - What is DevSecOps
  - Static and Dynamic Application Security Testing
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2 (NetSPI)
App Security? There’s a metric for that! (Part 1 of 2)
Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.
Be sure to check out Part 2 of this presentation for a more "Hands On" approach.
http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2
VESPA - Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris (OW2)
This talk presents VESPA, an open self-protection architecture and framework for cloud infrastructures that overcomes the previous limitations. Developed in the OpenCloudWare project, VESPA adopts a policy-based management approach, and allows a two-level regulation of security, both within a software layer and across layers. Flexible coordination between self-protection loops allows enforcing a rich spectrum of security strategies such as cross-layer detection and reaction. A multi-plane, extensible architecture also enables simple integration of commodity detection and reaction components. Evaluation results on a VESPA KVM-based implementation show that the design is applicable for effective and yet flexible self-protection of cloud infrastructures.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply applying machine learning to just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Similar to Shit My Cloud Evangelist Says...Just Not To My CSO
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Skybox Security
Presented at Black Hat 2014.
Heartbleed. Target. Adobe … businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It’s a wildly uneven match where a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on time-honored methodology to fix vulnerabilities in order of severity.
But severity-based vulnerability management misses the mark completely, as it overlooks the fact that risk exposure is the real concern. This workshop will focus on identifying critical vulnerabilities so they can be fixed as quickly as possible to ensure a reduction in risk and the shrinking the attack surface over time.
In this deep dive session on vulnerability analysis and prioritization, we’ll cover:
- Calculating risk exposure: Risk = Impact * Likelihood * Time
- The data you need to be collecting about assets and vulnerabilities
- Prioritizing vulnerabilities using simple 2 factor relationships
- Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data
- Techniques to drive down the risk exposure time
Impress your security team and avoid becoming a cautionary tale! Security needs to come first, but how? What do you do if you're not a security expert? From secure development to dealing with cloud-native infrastructure, and being ready for trouble, this presentation will help you feel secure.
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Skybox Security
It’s a new era for IT security teams. Tasked with ensuring the success of business-changing IT initiatives from mobile and BYOD to virtualization and cloud services, CISOs are finding that existing security controls and processes create complexity instead of reducing risks. At the same time, highly publicized breaches and new forms of attacks have raised awareness of the business impact of cyber threats to the board level. It’s time for a hard look at your current security program. Can you demonstrate an effective security strategy that will protect your company’s vital services, systems and data?
Gidi Cohen challenges you to reinvent your security approach. More than offering just a few ideas, Cohen will examine why some popular security controls are no longer effective at minimizing risks, and explore proven next-generation techniques to increase your ability to see, measure, and gain control over business risks.
Presented by Gidi Cohen, CEO and Founder - Skybox Security at the CISO Summit in San Francisco, CA.
Secure by Design - Security Design Principles for the Working ArchitectEoin Woods
As our world becomes digital, the systems we build must be secure by design. The security community has developed a well-understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers. And when the principles are explained, they are often shrouded in the jargon of the security engineering community, so mainstream developers struggle to understand and apply them.
This talk explains why secure design matters and introduces 10 of the most important proven principles for designing secure systems, distilled from the wisdom of the security engineering community.
Cloud has brought in the concept of managing security within bounded contexts. All else is outside the scope of the service provider or the hosting vendor. How do you plan for scope security activities around the nebulous scope of the cloud especially in a hybrid / multi cloud scenarios where clear cut boundaries are not well defined.How can architecture frameworks help you to fix this issue which is like trying to safeguard a fort not knowing which doors to lock and where to start ?The talk will focus on how enterprise architecture frameworks can help create the much needed trace ability and help define the scope of the security architecture activity. Using tried and tested means has the advantage of not having to reinvent the wheel and avoid missing out plugging the weak links within your enterprise.
Chaos engineering for cloud native securityKennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches by injecting security faults that trigger security failures which impact on integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reversed to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner and extends the benefts of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google cloud platform.
Cloud security: Accelerating cloud adoption Dell World
Organizations now have an opportunity to more rapidly overcome their security concerns by using third-party cloud platforms. In this session, Dell SecureWorks security experts discuss the Shared Security Responsibility model, how organizations need to think about security architecture in the cloud, and new Dell SecureWorks services that are helping organizations plan, architect, manage and respond to threats in the cloud.
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
Top Ten Security Considerations when Setting up your OpenNebula CloudNETWAYS
Creating new nodes in your cloud environment was never as easy. Just a few clicks away system engineers create new virtual machines, assign network environments for them and deploy software components. Viable security engineering has ever been a key task to ensure your data’s confidentiality, integrity, and availibity. While hardening your operating systems and wisely designing you applications, cloud computing introduced a new challenge for engineers who are responsible for security.
A breach in the perimeters of one of your central components threatens the overall security of all systems in any environment. The talk discusses predominant attack patterns that system engineers and security officers should consider. The top 10 threats come together with practical suggestions to improve data center security in the cloud.
OpenNebulaConf 2013 - Top Ten Security Considerations when Setting up your Op...OpenNebula Project
Creating new nodes in your cloud environment was never as easy. Just a few clicks away system engineers create new virtual machines, assign network environments for them and deploy software components. Viable security engineering has ever been a key task to ensure your data’s confidentiality, integrity, and availibity. While hardening your operating systems and wisely designing you applications, cloud computing introduced a new challenge for engineers who are responsible for security.
A breach in the perimeters of one of your central components threatens the overall security of all systems in any environment. The talk discusses predominant attack patterns that system engineers and security officers should consider. The top 10 threats come together with practical suggestions to improve data center security in the cloud.
Bio:
Nils Magnus works as a senior system engineer at inovex GmbH, Germany, and designs cloud infrastructure for data centers. In previous roles he wrote as a journalist for Linux Magazine and was a senior consultant for high-security environments. Nils also serves on the Board of Directors of the LinuxTag Association. He has spoken for 15+ years at conferences around the world on the advantages of free and open source software, as well as on cloud and security management issues.
Better Security Testing: Using the Cloud and Continuous Delivery (TechWell)
Even though many organizations claim that security is a priority, that claim doesn’t always translate into supporting security initiatives in software development or test. Security code reviews often are overlooked or avoided, and when development schedules fall behind, security testing may be dropped to help the team “catch up.” Everyone wants more secure development; they just don’t want to spend time or money to get it. Gene Gotimer describes his experiences with implementing a continuous delivery process in the cloud and how he integrated security testing into that process. Gene discusses how to take advantage of the automated provisioning and automated deploys already being implemented to give more opportunities along the way for security testing without schedule disruption. Learn how you can incrementally mature a practice to build security into the process—without a large-scale, time-consuming, or costly effort.
Top ten security considerations when setting up your open nebula cloud (inovex GmbH)
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
Outpost24 webinar - Why security perfection is the enemy of DevSecOps (Outpost24)
The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of SDLC and rectifying them early is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.
• How Software Development Methodologies may increase the security level
• Detecting and handling vulnerabilities in dependencies in a pragmatic way
• High-level principles that ~always increase the security level
-Microsoft Security Development Lifecycle practices
-What is Dev SecOps
-Static and Dynamic Application Security Testing
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2 (NetSPI)
App Security? There’s a metric for that! (Part 1 of 2)
Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.
Be sure to check out Part 2 of this presentation for a more "Hands On" approach.
http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris (OW2)
This talk presents VESPA, an open self-protection architecture and framework for cloud infrastructures that overcomes the previous limitations. Developed in the OpenCloudWare project, VESPA adopts a policy-based management approach, and allows a two-level regulation of security, both within a software layer and across layers. Flexible coordination between self-protection loops allows enforcing a rich spectrum of security strategies such as cross-layer detection and reaction. A multi-plane, extensible architecture also enables simple integration of commodity detection and reaction components. Evaluation results on a VESPA KVM-based implementation show that the design is applicable for effective and yet flexible self-protection of cloud infrastructures.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Slides by me and Rik Marselis from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already got working for real.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work: it takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Shit My Cloud Evangelist Says...Just Not To My CSO
1. Sh*t my cloud evangelist says... ...Just not to my CSO
2. About @Beaker:
✤ I’m an a*hole with a blog (rationalsurvivability.com)
✤ Global Chief Security Architect for a company who provides networking & security widgets to SP’s & Enterprises
✤ Love Cloud & particularly fond of those that do my bidding in a manner commensurate with my OCD-driven need to manage outcomes in a reasonably predictable way
3. About @Beaker:
<< @SMCES
6–13. Developer Priorities* VS Security Priorities
Developer priorities:
1. Functions and features as specified or envisioned
2. Performance
3. Usability
4. Uptime
5. Maintainability
6. Security
Security priorities:
1. Security
2. Compliance
3. Uptime
4. Performance
5. Functions and features as specified or envisioned
6. Usability/Maintainability
*Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
15–20. @SMCES... VS ...SECURITY
✤ @SMCES: Cloud is more secure; security is more integrated and it’s everyone’s responsibility
  SECURITY: Cloud is less secure because developers can’t detect & prevent basic threats, let alone complex, adaptive and emerging adversaries; See OWASP Top 10 vs APT
✤ @SMCES: The Golden Rule: Design for fail
  SECURITY: Security is penalized severely for failure & is expected never to fail (even though it does)
✤ @SMCES: Cloud is more agile, costs less and delivers more value, more quickly & flexibly and without capital costs
  SECURITY: Cloud encourages bypassing controls, promotes reckless operations and will ultimately cost more to clean up the mess
✤ @SMCES: The only “True Cloud” is Public, pay-per use, multi-tenant platforms. All else are “False Clouds”
  SECURITY: Private Clouds, extending in limited fashion to Public clouds will provide a controllable, hybrid architecture we can secure
✤ @SMCES: Legacy IT organizational hierarchy and siloed operations is dead. Long live Shadow IT and DevOps...or NoOps
  SECURITY: Compliance will have the last laugh when you bypass security and bad things happen; Separation of Duties & Least Privilege
✤ @SMCES: Automation enables simplicity, scalability, agility, resiliency and better security; Availability is the priority
  SECURITY: Abstraction yields “simplexity” and complex System Failures due to automation in security will be catastrophic; Fail CLOSED
23–27. What’s Missing?
✤ Instrumentation that is inclusive of security
✤ Intelligence and context shared between infrastructure and applistructure layers
✤ Maturity of “automation mechanics” and frameworks
✤ Standard interfaces, precise syntactical representation of elemental security constructs < We need the “EC2 API” of Security
✤ An operational methodology that ensures a common understanding of outcomes & “Agile” culture in general
✤ Sanitary Application Security Practices
29. “Information Security” Sucks
[Figure residue, kept as a placeholder: two charts from the Verizon DBIR. Figure 21, "Hacking methods by percent of breaches within Hacking", lists exploitation of default or guessable credentials, use of stolen login credentials, brute force and dictionary attacks, exploitation of backdoor or command and control channel, exploitation of insufficient authentication (e.g., no login required), SQL injection, remote file inclusion, abuse of functionality, and unknown. Figure 22, "Hacking vectors by percent of breaches within Hacking", lists backdoor or control channel, remote access/desktop services, web application, and unknown. Both charts compare Larger Orgs with All Orgs; the percentage values are not recoverable.]
30. “Information Security” Sucks
Figu
re 21
. Hac
king
meth
ods b
y per
cent
Expl
oitat of br
ion o each
f es w
defa
ult o ithin
r gue Hack
ssab ing
le cr
eden
Use tials
of st
olen
login
cred
Brut entia 9%
Expl e for ls
oitat ce an
ion o d dic
f bac tiona
kdoo ry at
r or c tack
omm s
and a
Expl nd co 55%
oitat ntrol
ion o chan 40%
f ins nel +#
uffic 14%
ient 29%
auth –
no lo entica 51%
(e.g.,
gin r t
equirion 25%
ed) 6% –#
SQL 3% 29%
injec
tion
Rem 3%–
ote fi
le inclu
sion 1% 14%
Abus
e of
func 6%
tiona <1%
lity #
Unkn 3%
[Figure 22 (Verizon 2012 DBIR). Hacking vectors by percent of breaches within Hacking, All Orgs vs. Larger Orgs: Remote access/desktop services; Backdoor or control channel; Web application; Unknown.]
31. “Information Security” Sucks
[Figure 21 (Verizon 2012 DBIR). Hacking methods by percent of breaches within Hacking, All Orgs vs. Larger Orgs: Exploitation of default or guessable credentials; Use of stolen login credentials; Brute force and dictionary attacks; Exploitation of backdoor or command and control channel; Exploitation of insufficient authentication (e.g., no login required); SQL injection; Remote file inclusion; Abuse of functionality; Unknown.]
33. API Security Sucks Harder
✤ Most Security Drones can’t spell XML
✤ ...they rarely use SOAP
✤ ...they don’t get REST
✤ SSL and Firewalls: the breakfast of champions
38. Fool! You Fell Victim To One Of the Classic Blunders!
✤ Never Get Involved In a Cloud War In Asia
✤ Never Go In Against a Dutchman When APIs Are On the Line!
* You Can Order Iocaine Powder On Amazon - Free Shipping With Prime!
39. Sh*T My Cloud Evangelist Fails to say...
CENSORED
As illustrated by George’s
7 Dirty Words
52. Scalability
✤ Distributed Networked System problems are tough; Distributed Networked System Security problems are tougher
✤ “Traditional” security doesn’t scale across distributed software-driven architecture; policies disconnected from workloads...more complicated as we go from IaaS > PaaS
✤ Unfortunate reconciliation of Metcalfe’s Law vs. Moore's Law vs. HD Moore’s Law (Casual Attacker power grows at the rate of Metasploit)
✤ Security is not programmatic & leveragable automation across heterogeneous systems in security is LULZ
56. Security@Scale
✤ It doesn’t. The MeatCloud giveth, the MeatCloud taketh away...
✤ Beyond Gb/s, Connections/s, flows, etc., security requires the notion of context, policy, and potentially state...eventual consistency doesn’t work with security
✤ The Self-Defending {network | application} is complicated simultaneously with the concepts of “data gravity” and mobility
64. Portability
✤ If we don’t have consistency in standards/formats for workloads & stack insertion, we’re not going to have consistency in security; Lack of consistent telemetry
✤ Inconsistent policies and network topologies make security service, topology & device-specific...flatter means responses to “network” attacks must be dealt with by the application...or not
✤ Abstraction has become a distraction
65. Portability
✤ Dude, Where’s My IOS ACL 5-Tuple!?
Working with VMware vShield REST API in perl. Richard Park, Sourcefire
66. Portability
✤ ...or this:
AWS Security : A Practitioner’s Perspective. Jason Chan, Netflix
72. Fungibility
✤ Fundamentally, we need reusable and programmatic security design patterns; Controls today are CLI/GUI based
✤ Few are API-driven or offer the same orchestration and provisioning capabilities as the workloads they protect
✤ Each level of “the stack” means security controls can’t be reused and are “slice” specific (more on this in a minute)
✤ If we’re having trouble digesting IaaS, guess what PaaS does to the conversation?
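What a "reusable and programmatic security design pattern" looks like in practice, as an added example (this is not the speaker's code, nor VMware's, Netflix's or any other vendor's): the 5-tuple ACL from the Portability slide written as data, reviewed for least-privilege mistakes before deployment, rendered to two heterogeneous enforcement points (a Linux host firewall and an assumed cloud security-group schema), and summarised into an audit artifact. The `Rule` class, the JSON key names and the sample policy are all assumptions constructed for the example.

```python
"""Added example, not code from the deck or from any vendor it names: a
network access control written as data and rendered programmatically, the
reusable, API-driven security design pattern the Fungibility slides ask for.
All names, the cloud document shape and the sample policy are assumptions."""
from dataclasses import dataclass
import hashlib
import ipaddress
import json

ADMIN_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC


@dataclass(frozen=True)
class Rule:
    """The classic 5-tuple ACL entry (proto, src, sport, dst, dport) plus an action."""
    proto: str          # "tcp" or "udp"
    src: str            # source CIDR
    sport: str          # "any" or a range such as "1024-65535"
    dst: str            # destination CIDR
    dport: int          # destination port
    action: str = "allow"


def validate(rules):
    """Pre-deployment review that a human would otherwise do by hand.

    Raises ValueError on a malformed CIDR; returns a list of least-privilege
    findings for rules that parse but should not ship."""
    findings = []
    for r in rules:
        ipaddress.ip_network(r.src)   # ValueError if not a valid CIDR
        ipaddress.ip_network(r.dst)
        if r.proto not in ("tcp", "udp"):
            findings.append(f"unsupported protocol {r.proto!r} in rule to port {r.dport}")
        if r.action == "allow" and r.dport in ADMIN_PORTS and r.src == "0.0.0.0/0":
            findings.append(f"admin port {r.dport} allowed from 0.0.0.0/0")
    return findings


def to_iptables(rules):
    """Render the policy for a Linux host firewall (iptables syntax)."""
    lines = []
    for r in rules:
        target = "ACCEPT" if r.action == "allow" else "DROP"
        cmd = f"iptables -A INPUT -p {r.proto} -s {r.src} -d {r.dst} --dport {r.dport}"
        if r.sport != "any":
            cmd += " --sport " + r.sport.replace("-", ":")  # iptables port ranges use ':'
        lines.append(f"{cmd} -j {target}")
    return lines


def to_cloud_json(rules):
    """Render the same policy as a security-group style document.

    The key names mimic a cloud provider's shape but are an assumed schema,
    not any real provider's API."""
    doc = [{"IpProtocol": r.proto, "FromPort": r.dport, "ToPort": r.dport,
            "CidrIp": r.src, "Action": r.action} for r in rules]
    return json.dumps(doc, sort_keys=True)


def evidence(rules):
    """Audit artifact: one digest over every rendering, so the record proves
    which policy reached each enforcement point without a screenshot."""
    findings = validate(rules)
    rendered = "\n".join(to_iptables(rules)) + "\n" + to_cloud_json(rules)
    return {
        "rule_count": len(rules),
        "findings": findings,
        "deployable": not findings,
        "sha256": hashlib.sha256(rendered.encode()).hexdigest(),
    }


# Constructed sample policy with one deliberate mistake: SSH open to the world.
SAMPLE_RULES = [
    Rule("tcp", "10.0.0.0/8", "any", "10.1.2.0/24", 443),
    Rule("tcp", "0.0.0.0/0", "any", "10.1.2.0/24", 22),
    Rule("udp", "10.0.0.0/8", "1024-65535", "10.1.2.53/32", 53),
    Rule("tcp", "0.0.0.0/0", "any", "10.1.2.0/24", 23, "deny"),
]

if __name__ == "__main__":
    report = evidence(SAMPLE_RULES)
    print(json.dumps(report, indent=2))
    if report["deployable"]:
        print("\n".join(to_iptables(SAMPLE_RULES)))
```

The point is the shape, not the two backends: the policy lives in one place, the review is a function rather than a ticket, and every target the workload is provisioned on gets the same rules from the same source, which is what makes the control as portable as the workload it protects.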
77. The Hamster Sine Wave of Pain...*
[Chart: “The Security Hamster Sine Wave of Pain”. Vertical axis: Control Deployment/Investment Focus; horizontal axis: Time. The wave cycles between Network Centricity, Host Centricity, Application Centricity, Information Centricity and User Centricity, with Cloud added at the far end; the annotations “We Are Here” and “Deployment Is Here” mark two different points on the curve.]
* With Apologies to Andy Jaquith & His Hamster...
82. Compliance
✤ Security != Compliance and “security” doesn’t matter
✤ Regulatory compliance and frameworks don’t address emerging/disruptive innovation quickly enough - or at all
✤ How do we demonstrate compliance against measurements that don’t exist?
✤ Lack of automation for gathering audit/compliance artifacts
86. Mapping the Model to the Metal
Cloud Model (top to bottom; bracketed as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)):
Presentation Modality / Presentation Platform
APIs
Applications
Data / Metadata / Content
Integration & Middleware
APIs
Core Connectivity & Delivery
Abstraction
Hardware
Facilities
Security Control Model, mapped onto those layers:
Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Information: DLP, CMF, Database Activity Monitoring, Encryption
Management: GRC, IAM, VA/VM, Patch Management, Config. Management, Monitoring
Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC
Trusted Computing: Hardware & Software RoT & API’s
Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
Physical: Physical Plant Security, CCTV, Guards
Compliance Model (PCI, HIPAA, ISO, COBIT), the requirements those controls are mapped back to: Firewalls, Code Review, WAF, Encryption, Unique User IDs, Anti-Virus, Monitoring/IDS/IPS, Patch/Vulnerability MgMt, Physical Access Control, Two-Factor Authentication...