Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, combined with traditionally slow and manual security checks, has left gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats because of the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and for making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and on application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
The new frontiers of AI in RPA with UiPath Autopilot™ (UiPathCommunity)
In this free online event, organised by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates artificial intelligence into the processes of developing and using automations.
We will look together at some examples of how Autopilot is used in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
1. New Story of the Hare and Tortoise. Brought to you by: CAC Management Consultants International, an international executive development consultancy in the Asia Pacific Region, specialised in providing training to corporations and outplacement consulting.
2. Once upon a time a tortoise and a hare had an argument about who was faster. They decided to settle the argument with a race. They agreed on a route and started off the race.
3. The hare shot ahead and ran briskly for some time. Then, seeing that he was far ahead of the tortoise, he thought he'd sit under a tree for some time and relax before continuing the race.
4. He sat under the tree and soon fell asleep. The tortoise, plodding on, overtook him and soon finished the race, emerging as the undisputed champ.
5. The hare woke up and realised that he'd lost the race. The moral of the story is that slow and steady wins the race.
6. This is the version of the story that we've all grown up with.
7. But then recently, someone told me a more interesting version of this story. It continues.
8. The hare was disappointed at losing the race and he did some Defect Prevention (Root Cause Analysis). He realised that he'd lost the race only because he had been overconfident, careless and lax.
9. If he had not taken things for granted, there's no way the tortoise could have beaten him. So he challenged the tortoise to another race. The tortoise agreed.
10. This time, the hare went all out and ran without stopping from start to finish. He won by several miles.
11. The moral of the story? Fast and consistent will always beat the slow and steady.
12. If you have two people in your organisation, one slow, methodical and reliable, and the other fast and still reliable at what he does, the fast and reliable chap will consistently climb the organisational ladder faster than the slow, methodical chap.
13. It's good to be slow and steady; but it's better to be fast and reliable.
14. But the story doesn't end here. The tortoise did some thinking this time, and realised that there was no way he could beat the hare in a race the way it was currently formatted.
15. He thought for a while, and then challenged the hare to another race, but on a slightly different route.
16. The hare agreed. They started off. In keeping with his self-made commitment to be consistently fast, the hare took off and ran at top speed until he came to a broad river.
17. The finishing line was a couple of kilometers on the other side of the river.
18. The hare sat there wondering what to do. In the meantime the tortoise trundled along, got into the river, swam to the opposite bank, continued walking and finished the race.
19. The moral of the story? First identify your core competency and then change the playing field to suit your core competency.
20. In an organisation, if you are a good speaker, make sure you create opportunities to give presentations that enable the senior management to notice you.
21. If your strength is analysis, make sure you do some sort of research, make a report and send it upstairs. Working to your strengths will not only get you noticed but will also create opportunities for growth and advancement.
23. The hare and the tortoise, by this time, had become pretty good friends and they did some thinking together. Both realised that the last race could have been run much better.
24. So they decided to do the last race again, but to run as a team this time.
25. They started off, and this time the hare carried the tortoise till the riverbank. There, the tortoise took over and swam across with the hare on his back.
26. On the opposite bank, the hare again carried the tortoise and they reached the finishing line together. They both felt a greater sense of satisfaction than they'd felt earlier.
27. The moral of the story? It's good to be individually brilliant and to have strong core competencies; but unless you're able to work in a team and harness each other's core competencies, you'll always perform below par, because there will always be situations in which you'll do poorly and someone else does well.
29. Teamwork is mainly about situational leadership, letting the person with the relevant core competency for a situation take leadership.
30. There are more lessons to be learnt from this story.
31. Note that neither the hare nor the tortoise gave up after failures. The hare decided to work harder and put in more effort after his failure.
32. The tortoise changed his strategy because he was already working as hard as he could. In life, when faced with failure, sometimes it is appropriate to work harder and put in more effort.
33. Sometimes it is appropriate to change strategy and try something different. And sometimes it is appropriate to do both.
34. The hare and the tortoise also learnt another vital lesson. When we stop competing against a rival and instead start competing against the situation, we perform far better.
35. When Roberto Goizueta took over as CEO of Coca-Cola in the 1980s, he was faced with intense competition from Pepsi that was eating into Coke's growth.
36. His executives were Pepsi-focussed and intent on increasing market share 0.1 per cent at a time.
37. Goizueta decided to stop competing against Pepsi and instead compete against the situation of 0.1 per cent growth.
38. He asked his executives what the average fluid intake of an American per day was. The answer was 14 ounces. What was Coke's share of that? Two ounces. Goizueta said Coke needed a larger share of that market.
39. The competition wasn't Pepsi. It was the water, tea, coffee, milk and fruit juices that went into the remaining 12 ounces. The public should reach for a Coke whenever they felt like drinking something.
40. To this end, Coke put up vending machines at every street corner. Sales took a quantum jump and Pepsi has never quite caught up since.