This document outlines an agenda for a hands-on session on integrating Sonar with Jenkins on Amazon EC2. It includes steps for launching an EC2 instance, downloading keys, and accessing the instance via SSH. It then provides overviews of Jenkins for continuous integration and Sonar for code quality analysis. The document describes plugins for each and how Sonar can analyze code for violations, bugs, test coverage and more. It concludes with references for further information.
Automated Infrastructure Security: Monitoring using FOSS (Sonatype)
Madhu Akula, Automation Ninja
We can see attacks happening in real time using a dashboard. By collecting logs from various sources we will monitor & analyse. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will use AWS for managing and securing the infrastructure discussed in our talk.
For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and in real time making the right choices can prove to be a nightmare. Even with the solutions already available in the market.
As I have experienced this myself, as part of the Internal DevOps and Incident Response Teams, in several cases, I would want to create a space for interested folks to design, build, customise and deploy their very own FOSS based centralised visual attack monitoring dashboard. This setup would be able to perform real time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.
VB2013 - Security Research and Development Framework (Amr Thabet)
That's my presentation at VB2013 in Berlin, Germany ... talking about a new development framework for security.
It's created for writing security tools, malware analysis tools and network tools.
So. many. vulnerabilities. Why are containers such a mess and what to do abou... (Eric Smalling)
What’s with all of these container image vulnerabilities? I’m a developer, not a security analyst! Whether you’re a solo dev or a large team embracing DevSecOps, join me to learn practices I’ve seen successful teams using to build safer container images & avoid the mistakes they made along the way.
If you’ve ever run a vulnerability scan on a container you’ve probably seen it: the dreaded list with 100s, maybe even 1000s of issues on it. Containers have made life simpler in so many ways, but security sometimes doesn’t feel like one of them. So what can we do about it?
In this talk, I’ll share what I’ve learned working with users and companies and the best practices I’ve picked up along the way to build safer container images. I’ll also share what not to do, because there are many rabbit holes you can go down that end up wasting time and energy.
I’ll share the processes and patterns that you can use whether you’re working on an individual project, or you’re part of a bigger team embracing DevSecOps.
Node.js Security Done Right - Tips and Tricks They Won't Teach You In School (Liran Tal)
NodeJS, and JavaScript at large, are quickly taking over software, whether it is GitHub’s statistics for project growth, the IoT industry, or ChatOps projects written in JavaScript; enterprise adoption is growing as well.
With this trend, it is imperative to review OWASP security practices and learn how to harden NodeJS Web Applications.
We will begin with a quick NodeJS intro and a few fail stories of how things can go wrong.
We will quickly dive into hands-on practical implementation of security measures to adopt in your current or future NodeJS project. Next I will show how to leverage widely adopted security tools for integration in the build and CI/CD process to audit and test for security vulnerabilities, as well as leveraging successful enterprise-level open source npm libraries to enhance your web application’s security.
In summary: in this session I will demonstrate:
* Securing ExpressJS by adopting mature and commonly used npm libraries
* Secure code guidelines for JavaScript software developers
* Integrating NodeJS security measures as part of your build CI/CD DevOps process
Mitigating Exploits Using Apple's Endpoint Security (Csaba Fitzl)
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.
When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.
In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.
Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
Android Deobfuscation: Tools and Techniques (caleb194331)
Malware analysts are increasingly faced with the challenge of reverse engineering obfuscated code. This talk describes several obfuscation techniques and two new deobfuscation tools: dex-oracle and Simplify.
JavaScript Nirvana in NetBeans [con5679] (Ryan Cuprak)
JavaOne 2016
NetBeans is not just a Java IDE. It supports JavaScript as a first-class citizen and provides a complete integrated development environment. It also provides project types for server-side JavaScript (Node.js) as well as web browsers and mobile (Apache Cordova). In addition, it supports Grunt, Mocha and Selenium, Angular and Knockout, and more. This session provides an update on NetBeans 8.1 and demonstrates the top new JavaScript features. You will see a Node.js application in action, look at the support for JavaScript unit testing, and also see how easy it is to debug an Apache Cordova application running on a tethered iPhone.
If you are like most CFML developers the application you work on has been around for a few years. The task of securing your legacy application code from vulnerabilities can be an overwhelming and time consuming task. Many developers don't know where to start, and never do.
This session will arm you with an approach to slaying the legacy security vulnerabilities in your CFML code.
AWS re:Invent 2016: Securing Container-Based Applications (CON402) (Amazon Web Services)
Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.
After giving this talk at the NSSpain conference, Simone Civetta will explain to us which metrics can be used to evaluate the quality of a source code base. Since this question is still a subject of debate, prepare your arguments!
Why Kubernetes as a container orchestrator is a right choice for running spar... (DataWorks Summit)
Building and deploying an analytic service on Cloud is a challenge. A bigger challenge is to maintain the service. In a world where users are gravitating towards a model where cluster instances are to be provisioned on the fly, in order for these to be used for analytics or other purposes, and then to have these cluster instances shut down when the jobs get done, the relevance of containers and container orchestration is more important than ever.
Container orchestrators like Kubernetes can be used to deploy and distribute modules quickly, easily, and reliably. The intent of this talk is to share the experience of building such a service and deploying it on a Kubernetes cluster. In this talk, we will discuss all the requirements which an enterprise grade Hadoop/Spark cluster running on containers bring in for a container orchestrator.
This talk will cover in detail how the Kubernetes orchestrator can be used to meet all our needs for resource management, scheduling, networking and network isolation, volume management, etc. We will discuss how we have replaced our home-grown container orchestrator, which used to manage the container lifecycle and manage resources according to our requirements, with Kubernetes. We will also discuss the container orchestrator features that are helping us deploy and patch 1000s of containers, and a list of those which we believe need improvement or can be enhanced in a container orchestrator.
Speaker
Rachit Arora, SSE, IBM
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain... (NETWAYS)
They provide the workload isolation and security advantages of VMs, but at the same time maintain the speed of deployment and usability of containers. By using Kata Containers, instead of namespaces, small virtual machines are created on the kernel and are strongly isolated. The technology of Kata Containers is based on the KVM hypervisor. That’s why the level of isolation is equivalent to typical hypervisors. This session will focus on a live production phase when choosing Kata instead of Docker, and why they are preferable.
Although containers provide software-level isolation of resources, the kernel needs to be shared. That’s why the isolation level in terms of security is not so high when compared with hypervisors. This session teaches how to shift from Docker as the de facto standard to Kata Containers and how to obtain a higher level of security.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ... (Denim Group)
The SolarWinds attack brought additional scrutiny to software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers and 3rd party development contractors to an array of open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Building machine learning applications locally with Spark (Joel Pinho Lucas, PAPIs.io)
In times of huge amounts of heterogeneous data available, processing and extracting knowledge requires more and more efforts on building complex software architectures. In this context, Apache Spark provides a powerful and efficient approach for large-scale data processing. This talk will briefly introduce a powerful machine learning library (MLlib) along with a general overview of the Spark framework, describing how to launch applications within a cluster. In this way, a demo will show how to simulate a Spark cluster in a local machine using images available on a Docker Hub public repository. In the end, another demo will show how to save time using unit tests for validating jobs before running them in a cluster.
Sitecore Development Approach Evolution – Destination Helix (Peter Nazarov)
Sitecore officially recommended Helix as a set of overall design principles and conventions for Sitecore development around 18 months ago at SUGCON 2016, alongside an official implementation example, Habitat. Why was it necessary? What are the benefits? Has it worked in practice? Peter Nazarov will share the outlook on why and how a combination of Sitecore Helix and Habitat benefits the business and development users of Sitecore in practice.
J2EE Getting Started: What is involved in being a J2EE developer
This presentation gives an overview of the technologies and architecture in general,
and shows where Spring, Struts, Hibernate, Web services and MVC fit.
5. AWS Console - Select Instance
https://portal.aws.amazon.com/gp/aws/user/subscription/index.html?ie=UTF8&offeringCode=E4F8A8DE (Need to register on this URL first to use it)
9. 1) From the menu option “Conversions”, select “Import key”
2) In the dialog, locate the PEM file and “Open” it.
3) Change the comment from “imported-openssh-key” to something more descriptive
4) Optional: Enter a passphrase.
5) Create the PPK file by clicking on “Save private key”
10. • Open PuTTY
• Add the “ppk key” in the Connections->SSH->Auth section
• Session->Enter Host Name / IP Address
• Log in as ec2-user
11. Sonar Jenkins SVN Instance
https://portal.aws.amazon.com/gp/aws/user/subscription/index.html?ie=UTF8&offeringCode=E4F8A8DE
Port/URL | Description | Credentials
root user -> ec2-user | ec2-user is the root user name | Use ppk key
:22 | Login using an SSH client like PuTTY | Use PEM key
:80 | Apache server test page |
:80/svnmanager | |
:80/svn/svnrepo | SVN server | admin/p@$$w0rd
:8080/sonar | Sonar on Tomcat server | admin/admin
:8181/spring-mvc-showcase/ | |
:8080 | Jenkins server | No credentials
:3306 | MySQL server, use MySQL client / SSH client | root / tiger
:465 | Gmail port |
13. What Is Jenkins
• Continuous Integration
– Ant, Maven builds
– Custom builds
• Built in Java, Jenkins.war
• Plugin ecosystem
• Strong integration with other tools like
– JIRA, Sonar
– Gerrit, Chat
• Used by companies like Netflix, LinkedIn, GitHub etc.
14. Some Jenkins Plugins To Have
Plugin | Usage
SCM Plugins | Source control plugins for SVN, P4 etc.
JobHistory Plugin | History of changes in configuration
DiskUsage Plugin | Visualize the space that workspaces and archived builds take
BuildTimeOut Plugin | Kill the build after a timeout
Parameterized Trigger Plugin | To pass parameters
Email-ext Plugin | To format your emails
• Use plugins on a need basis (total 375 plugins)
• https://wiki.jenkins-ci.org/display/JENKINS/Plugins
15. Jenkins Tips
• Do not have monolithic builds
– Use master-slave to distribute the jobs
– Split jobs logically
• Jenkins Releases are Weekly
• Join Jenkins Community
18. • Squid (Core Analyzer)
– RFC (Response For Class)
– LCOM4 (Lack of Cohesion of Methods)
– DIT (Depth of Inheritance Tree)
– NOC (Number of Children)
• CheckStyle (Adheres to Coding Standards)
23. • SQUID (Core Analyser)
– LCOM4 – Lack of Cohesion of Methods
– DIT – Depth of Inheritance Tree
– NOC – Number of Children
• CheckStyle
– Coding standards
– Duplication
– Memory Outage
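The DIT and NOC metrics named on slides 18 and 23 are easy to misread as abstract numbers, so the following added example (not from the slides and not Sonar's own implementation) derives both from a constructed Java class hierarchy; the rule for counting a parent that lives outside the analysed source is this example's own convention, not necessarily SonarQube's.

```python
import re
from collections import Counter

# Constructed sample Java source (not from the original slides): a small
# class hierarchy, one standalone class, and one class extending a JDK class.
SAMPLE_JAVA = """
public class Account { }
public class SavingsAccount extends Account { }
public class CheckingAccount extends Account { }
public class PremiumSavings extends SavingsAccount { }
public class AuditLogger { }
public class ReportException extends RuntimeException { }
"""

# Matches "class Name" optionally followed by "extends Parent".
CLASS_RE = re.compile(r"\bclass\s+(\w+)(?:\s+extends\s+([\w.]+))?")


def parse_hierarchy(source):
    """Map each declared class to its parent name (None if it has none)."""
    return {m.group(1): m.group(2) for m in CLASS_RE.finditer(source)}


def depth_of_inheritance(parents, name):
    """DIT: number of ancestors above `name`.

    Convention used here (an assumption of this example, not necessarily
    SonarQube's exact rule): an ancestor declared in the analysed source
    counts one level and the walk continues; a parent outside the source
    (e.g. RuntimeException) counts one level and the walk stops there.
    Inheritance cycles are reported instead of looping forever."""
    depth, seen, current = 0, {name}, parents.get(name)
    while current is not None:
        depth += 1
        if current in seen:
            raise ValueError("inheritance cycle involving %s" % current)
        seen.add(current)
        current = parents.get(current)  # None once we leave the source
    return depth


def number_of_children(parents):
    """NOC: direct subclass count for every declared class."""
    counts = Counter(p for p in parents.values() if p in parents)
    return {name: counts.get(name, 0) for name in parents}


def squid_metrics(source):
    """DIT and NOC for every class in `source`, keyed by class name."""
    parents = parse_hierarchy(source)
    noc = number_of_children(parents)
    return {name: {"dit": depth_of_inheritance(parents, name), "noc": noc[name]}
            for name in parents}


def deep_hierarchies(metrics, max_dit):
    """Classes whose DIT exceeds max_dit, the kind of threshold a quality
    rule turns into a violation."""
    return sorted(name for name, m in metrics.items() if m["dit"] > max_dit)


if __name__ == "__main__":
    result = squid_metrics(SAMPLE_JAVA)
    for name, m in result.items():
        print("%-16s DIT=%d NOC=%d" % (name, m["dit"], m["noc"]))
    print("DIT > 1:", deep_hierarchies(result, 1))
```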
26. • Open Source
• Quality Management Program
• More than 600 code rules have been integrated
• Helps detect minor to critical defects
• Drills code top to bottom
• Watch the quality of code over time