Containers have emerged as an indispensable component of modern cloud-native applications, serving diverse roles from development environments to application distribution and deployment on platforms like Azure's App Service and Kubernetes. In this presentation, we will delve into a suite of powerful tools designed to ensure the adoption of best practices in container management. You'll gain insights into how to scan container images rigorously, identifying and mitigating vulnerabilities effectively. We'll also explore the art of generating comprehensive software bill of materials (SBOM) for your containers and the significance of signing container images for enhanced security. The ultimate goal of this presentation is to empower you with the knowledge and skills necessary to seamlessly integrate these tools and practices into your CI (Continuous Integration) pipelines. By the end of this session, you'll be well-equipped to fortify your container workflows, delivering secure and robust cloud-native applications that thrive in today's dynamic digital landscape.
Open source security tools for Kubernetes.Michael Ducy
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.
In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
In this talk I’ll present the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts.
There will be also a demo of the mentioned tools in action to implement a secure supply chain pipeline for your Drupal projects.
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfICS
This webinar will cover why SBOMs should be required to improve software supply chain security, what to look for in a SBOM and how to evaluate open source and third-party components as well as how to use a SBOM to identify software risk and eliminate vulnerabilities throughout the software supply chain.
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
This talk "What is the secure software supply chain and the current state of the PHP ecosystem" discusses the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts.
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...apidays
INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023
Security Exposure Management in API First World
Sandeep Nain, VP Security and Trust at Carta
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Continuous Security: From tins to containers - now what!Michael Man
Information Security departments often view containers as challenging to manage (code moves too fast for risk analysis, thousands of containers with limited visibility or control). Government organizations such as NIST have come out with guidelines for Application Container Security, while serverless technologies such as Azure Container Instances or AWS Fargate create additional challenges regarding how security risks are managed.
Open source security tools for Kubernetes.Michael Ducy
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.
In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
In this talk I’ll present the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts.
There will be also a demo of the mentioned tools in action to implement a secure supply chain pipeline for your Drupal projects.
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfICS
This webinar will cover why SBOMs should be required to improve software supply chain security, what to look for in a SBOM and how to evaluate open source and third-party components as well as how to use a SBOM to identify software risk and eliminate vulnerabilities throughout the software supply chain.
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
This talk "What is the secure software supply chain and the current state of the PHP ecosystem" discusses the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts.
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...apidays
INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023
Security Exposure Management in API First World
Sandeep Nain, VP Security and Trust at Carta
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Continuous Security: From tins to containers - now what!Michael Man
Information Security departments often view containers as challenging to manage (code moves too fast for risk analysis, thousands of containers with limited visibility or control). Government organizations such as NIST have come out with guidelines for Application Container Security, while serverless technologies such as Azure Container Instances or AWS Fargate create additional challenges regarding how security risks are managed.
In this talk, you will hear the best practices from analysts at Gartner, engineers at Heroku, and experiences at VSP distilled down into a top ten list of characteristics that applications ought to have to achieve high availability, scalability and flexibility. Target audience includes developers of APIs and web-based applications, the analysts and architects that design them and the infrastructure teams that support them.
SLTS kernel and base-layer development in the Civil Infrastructure PlatformYoshitake Kobayashi
The Civil Infrastructure Platform (CIP) is creating a super long-term supported (SLTS) open source "base layer" for industrial grade software. We have been working on security fixes and some backported features since the moment we decided that Linux kernel v4.4 would be the first SLTS version. In this talk, we will describe the current development status of the SLTS kernel and testing environment. First, we'll explain our kernel development policy. Then, we'll describe the functionality that has been backported. Second, we'll talk about testing before using our base-layer on real products. We have been developing a test framework to collect and share test results. To build it, we don't want to duplicate existing work such as KernelCI, Fuego and others. For that reason, we are trying to collaborate and contribute to such projects. And finally, we'll discuss the future roadmap.
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETYIJNSA Journal
In this paper, we propose and implement an internal continuous integration system, based on two opensource tools Jenkins and GitLab, taking into account the safety factor for servers in the system. In the proposed system, we use a combination of firewall function and reverse proxy function to protect Jenkins server itself and reduce the risk of this server against attacks on the CVE-2021-44228 security vulnerability, may exist in plugins of Jenkins. This system is highly practical, and it can be applied to immediately protect service servers when a vulnerability in it has been discovered but the corresponding patch has not been found or the condition to update the patch is not allowed yet.
Slide Griffin - Practical Attacks and MitigationsEnergySec
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased based on several factors including increased knowledge sharing, more robust computing, and automated exploitation tools. OT environments are often utilizing the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
Cloud Native Night November 2017, Munich: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware).
Join our Meetup: www.meetup.com/cloud-native-muc
Abstract: Until today existing enterprise applications are integrated, tested, and deployed as monoliths. This is very time-consuming and hinders agile business models. Cloud technology promises unlimited scalability, short release cycles, quick deployments and antifragility. But can we evolve these systems into the cloud with reasonable effort? What do we have to change and what are the risks involved? This talk will share the experiences from a real world customer project and present an industrialized approach for the Cloud-native evolution of existing IT landscapes.
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Amine Barrak
Presentation of Best student paper award on CASCON2018 intitled: Just-in-time Detection of Protection-Impacting Changes on WordPress and MediaWiki
Link to the paper: https://dl.acm.org/citation.cfm?id=3291310
Middleware is essential for application development which increases the productivity of full-stack developers by bringing battle hardened functional capabilities covering the majority of a digital-driven project. However, with the adoption to Microservices and cloud-native application architecture middleware cannot use like used in the past, this is a solution for the above problem.
Complexity created by distributed computing encapsulated by the middleware for over two decades and made application developers productive by letting them focus on business logic relevant to their domain. Modern architecture and technology drift, such as Microservices, Cloud-native, and Serverless do not have room to embed middleware into the application development while the need is still there.
In this talk, Asanka is going to deep-dive into an API-centric, decentralized, and code-first approach to fill the void of middleware and make the application developer productive again.
Transforming your Security Products at the EndpointIvanti
Are you thinking about extending the endpoint capabilities of your Security Solution? Join us for a dep dive into the value of embedding patch management capabilities into your security software. Learn how other security companies have chosen to add patching and remdiation. Why in 2018 patching is more important than ever as your customers confront ransomware, zero day attacks, and more.
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
In this talk I’ll explain what is the Software Supply Chain, common threats and mitigations and how they apply to IAC ecosystem too. I’ll show off security threats using Terraform and its ecosystem and finally i’ll talk about OCI images talking about digital signatures and SBOM using Sigstore and Syft. I’ll do a live coding session showing off how to deploy secure OCI images on K8S cluster with security policies built with Kyverno, the session includes also security scanning using the generated SBOM.
Moderne Serverless-Computing-Plattformen sind in aller Munde und stellen ein Programmiermodell zur Verfügung, wo sich der Nutzer keine Gedanken mehr über die Administration der Server, Storage, Netzwerk, virtuelle Maschinen, Hochverfügbarkeit und Skalierbarkeit machen brauch, sondern sich auf das Schreiben von eigenen Code konzentriert. Der Code bildet die Geschäftsanforderungen modular in Form von kleinen Funktionspaketen (Functions) ab. Functions sind das Herzstück der Serverless-Computing-Plattform. Sie lesen von der (oft Standard-)Eingabe, tätigen ihre Berechnungen und erzeugen eine Ausgabe. Die zu speichernden Ergebnisse von Funktionen werden in einem permanenten Datastore abgelegt, wie z.B. der Autonomous Database gespeichert. Die Autonomous Database besitzt folgende drei Eigenschaften self-driving, self-repairing und self-securing, die für einen modernen Anwendungsentwicklungsansatz benötigt werden.
Designing Impactful Services and User Experience - Lim Wee KheeNUS-ISS
In this engaging talk, we explore crafting impactful user-centric services, revealing the design principles that drive exceptional experiences. From empathetic customer journeys to innovative interfaces, learn how design can create meaningful connections, inspiring you to revolutionise your approach and drive lasting change in user satisfaction and brand success.
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...NUS-ISS
In today's digital age, the key to true transformation lies in our people. This talk will highlight the importance of digital fluency, emphasizing that everyone in an organization is now a digital professional. By synergizing the fundamental digital skills ranging from an agile mindset to making data-informed decisions and design thinking, we will discuss how a digitally skilled workforce can propel organizations to drive digital transformation with new heights of value creation. Though widespread workforce upskilling presents its challenges, this talk offers innovative organizational learning approaches that may pave the way to success. Join us to find out how to shape the future of your organization where success is defined not just by technology but by a workforce fully equipped with digital competencies, ready to take on whatever the future holds.
More Related Content
Similar to Supply Chain Security for Containerised Workloads - Lee Chuk Munn
In this talk, you will hear the best practices from analysts at Gartner, engineers at Heroku, and experiences at VSP distilled down into a top ten list of characteristics that applications ought to have to achieve high availability, scalability and flexibility. Target audience includes developers of APIs and web-based applications, the analysts and architects that design them and the infrastructure teams that support them.
SLTS kernel and base-layer development in the Civil Infrastructure PlatformYoshitake Kobayashi
The Civil Infrastructure Platform (CIP) is creating a super long-term supported (SLTS) open source "base layer" for industrial grade software. We have been working on security fixes and some backported features since the moment we decided that Linux kernel v4.4 would be the first SLTS version. In this talk, we will describe the current development status of the SLTS kernel and testing environment. First, we'll explain our kernel development policy. Then, we'll describe the functionality that has been backported. Second, we'll talk about testing before using our base-layer on real products. We have been developing a test framework to collect and share test results. To build it, we don't want to duplicate existing work such as KernelCI, Fuego and others. For that reason, we are trying to collaborate and contribute to such projects. And finally, we'll discuss the future roadmap.
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETYIJNSA Journal
In this paper, we propose and implement an internal continuous integration system, based on two opensource tools Jenkins and GitLab, taking into account the safety factor for servers in the system. In the proposed system, we use a combination of firewall function and reverse proxy function to protect Jenkins server itself and reduce the risk of this server against attacks on the CVE-2021-44228 security vulnerability, may exist in plugins of Jenkins. This system is highly practical, and it can be applied to immediately protect service servers when a vulnerability in it has been discovered but the corresponding patch has not been found or the condition to update the patch is not allowed yet.
Slide Griffin - Practical Attacks and MitigationsEnergySec
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased based on several factors including increased knowledge sharing, more robust computing, and automated exploitation tools. OT environments are often utilizing the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
Cloud Native Night November 2017, Munich: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware).
Join our Meetup: www.meetup.com/cloud-native-muc
Abstract: Until today existing enterprise applications are integrated, tested, and deployed as monoliths. This is very time-consuming and hinders agile business models. Cloud technology promises unlimited scalability, short release cycles, quick deployments and antifragility. But can we evolve these systems into the cloud with reasonable effort? What do we have to change and what are the risks involved? This talk will share the experiences from a real world customer project and present an industrialized approach for the Cloud-native evolution of existing IT landscapes.
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Amine Barrak
Presentation of Best student paper award on CASCON2018 intitled: Just-in-time Detection of Protection-Impacting Changes on WordPress and MediaWiki
Link to the paper: https://dl.acm.org/citation.cfm?id=3291310
Middleware is essential for application development which increases the productivity of full-stack developers by bringing battle hardened functional capabilities covering the majority of a digital-driven project. However, with the adoption to Microservices and cloud-native application architecture middleware cannot use like used in the past, this is a solution for the above problem.
Complexity created by distributed computing encapsulated by the middleware for over two decades and made application developers productive by letting them focus on business logic relevant to their domain. Modern architecture and technology drift, such as Microservices, Cloud-native, and Serverless do not have room to embed middleware into the application development while the need is still there.
In this talk, Asanka is going to deep-dive into an API-centric, decentralized, and code-first approach to fill the void of middleware and make the application developer productive again.
Transforming your Security Products at the EndpointIvanti
Are you thinking about extending the endpoint capabilities of your Security Solution? Join us for a dep dive into the value of embedding patch management capabilities into your security software. Learn how other security companies have chosen to add patching and remdiation. Why in 2018 patching is more important than ever as your customers confront ransomware, zero day attacks, and more.
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
In this talk I’ll explain what is the Software Supply Chain, common threats and mitigations and how they apply to IAC ecosystem too. I’ll show off security threats using Terraform and its ecosystem and finally i’ll talk about OCI images talking about digital signatures and SBOM using Sigstore and Syft. I’ll do a live coding session showing off how to deploy secure OCI images on K8S cluster with security policies built with Kyverno, the session includes also security scanning using the generated SBOM.
Moderne Serverless-Computing-Plattformen sind in aller Munde und stellen ein Programmiermodell zur Verfügung, wo sich der Nutzer keine Gedanken mehr über die Administration der Server, Storage, Netzwerk, virtuelle Maschinen, Hochverfügbarkeit und Skalierbarkeit machen brauch, sondern sich auf das Schreiben von eigenen Code konzentriert. Der Code bildet die Geschäftsanforderungen modular in Form von kleinen Funktionspaketen (Functions) ab. Functions sind das Herzstück der Serverless-Computing-Plattform. Sie lesen von der (oft Standard-)Eingabe, tätigen ihre Berechnungen und erzeugen eine Ausgabe. Die zu speichernden Ergebnisse von Funktionen werden in einem permanenten Datastore abgelegt, wie z.B. der Autonomous Database gespeichert. Die Autonomous Database besitzt folgende drei Eigenschaften self-driving, self-repairing und self-securing, die für einen modernen Anwendungsentwicklungsansatz benötigt werden.
Designing Impactful Services and User Experience - Lim Wee KheeNUS-ISS
In this engaging talk, we explore crafting impactful user-centric services, revealing the design principles that drive exceptional experiences. From empathetic customer journeys to innovative interfaces, learn how design can create meaningful connections, inspiring you to revolutionise your approach and drive lasting change in user satisfaction and brand success.
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...NUS-ISS
In today's digital age, the key to true transformation lies in our people. This talk will highlight the importance of digital fluency, emphasizing that everyone in an organization is now a digital professional. By synergizing the fundamental digital skills ranging from an agile mindset to making data-informed decisions and design thinking, we will discuss how a digitally skilled workforce can propel organizations to drive digital transformation with new heights of value creation. Though widespread workforce upskilling presents its challenges, this talk offers innovative organizational learning approaches that may pave the way to success. Join us to find out how to shape the future of your organization where success is defined not just by technology but by a workforce fully equipped with digital competencies, ready to take on whatever the future holds.
How the World's Leading Independent Automotive Distributor is Reinventing Its...NUS-ISS
In this captivating session, we'll unveil the profound impact of AI, poised to revolutionise the business landscape. Prepare to shift your perspective, as we transition from the lens of a data scientist to the visionary mindset of a product manager. We're about to demystify the captivating world of Generative AI, dispelling myths and illuminating its remarkable potential. We will also delve into the pioneering applications that Inchcape is leading, pushing the boundaries of what's achievable. Join us for an exhilarating journey into the future of AI, where professionalism meets unparalleled excitement, and innovation takes center stage!
The Importance of Cybersecurity for Digital TransformationNUS-ISS
In the rapidly evolving landscape of digital transformation, the importance of cybersecurity cannot be overstated. As organizations embrace digital technologies to enhance their operations, innovate, and connect with customers in new and dynamic ways, they simultaneously become more vulnerable to cyber threats.
This talk will discuss the importance of having a well thought through approach in dealing with cybersecurity in the form of a strategy that lays out the various programmes and initiatives that will underpin a secure and resilient digital transformation journey. Not surprisingly, having a pool of well-trained cybersecurity personnel is one of the key ingredient in a cyber strategy as exemplified in Singapore's own national cybersecurity strategy.
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...NUS-ISS
Join us for a deep dive into the art of architecting Customer Experience (CX) measurement frameworks and ensuring that CX metrics are precisely tailored for their intended purpose. In this engaging session, you'll walk away with actionable insights and a tangible plan for refining your measurement strategies. Discover how to craft CX measurement frameworks that align seamlessly with your business objectives, ensuring that your metrics deliver meaningful and robust insights. Whether you're seeking to enhance customer satisfaction, optimise processes, or drive innovation, this session will provide you with potential approaches and practical steps to bolster the effectiveness and relevance of your CX metrics. It's your blueprint for creating a customer-centric roadmap to success.
Understanding GenAI/LLM and What is Google Offering - Felix GohNUS-ISS
With the recent buzz on Generative AI & Large Language Models, the question is to what extent can these technologies be applied at work or when you're studying and how easy is it to manage/develop your own models? Hear from our guest speaker from Google as he shares some insights into how industries are evolving with these trends and what are some of Google's offerings from Duet AI in Google Workspace to the GenAI App Builder on Google Cloud.
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng TszeNUS-ISS
Enterprises striving to unlock value through digital products face a pivotal shift towards product-centric management, a transformation that carries its share of challenges. To navigate this journey successfully, close collaboration between Enterprise Architects and Digital Product Managers is essential. Together, they can craft the ideal strategy to deliver digital products on a grand scale. Join us in this session as we shed light on the critical interactions and activities that foster synergy between Enterprise Architects and Digital Product Managers. Discover how this collaboration paves the way for effective product-centric management, enabling enterprises to harness the full potential of their digital offerings.
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...NUS-ISS
We find ourselves in an era of exponential growth and transformation. The relentless pace of technological advancement is reshaping our world at a rate never seen before, making it increasingly challenging to stay abreast of these rapid developments. Join us for an insightful talk where we embark on a journey to explore the most significant technology trends set to unfold over the next decade. These trends promise to be nothing short of seismic, with the power to reshape every facet of our lives, from the way we work and learn to how we forge relationships and structure our society. Prepare to be enlightened as we delve into a future where the very fabric of our existence is on the brink of transformation. This talk is your compass to navigate the uncharted territory of tomorrow's world, and it's an opportunity you won't want to miss.
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...NUS-ISS
The hottest topic in the tech world right now is generative AI. In this session, we go beyond the hype to delve into honest answers about how generative AI is impacting the future of work. This is an important topic for all digital leaders to have a thorough understanding of when driving digital transformation.
The future is always uncertain. To be truly future-ready, companies need the ability to quickly learn and adapt and to foster a culture of continuous curiosity and experimentation. But how can we facilitate rapid learning throughout the organisation? What will the future of learning look like for you? How can we ensure our organisations become engines of growth through learning?
The future is always uncertain. To be truly future-ready, companies need the ability to quickly learn and adapt and to foster a culture of continuous curiosity and experimentation. But how can we facilitate rapid learning throughout the organisation? What will the future of learning look like for you? How can we ensure our organisations become engines of growth through learning?
Site Reliability Engineer (SRE), We Keep The Lights On 24/7NUS-ISS
There are many phases in the software development cycle, from requirements to development and testing, but at the tail of the process, is an often overlooked aspect: deployment and delivery. With the paradigm shift of delivering on-site software to offering software-as-a-service, Site Reliability Engineering is beginning to take a greater role in product delivery.
This session aims to give a glimpse of the work that goes into site reliability engineering (SRE) and effort that goes into keeping a service going 24/7.
Product Management in The Trenches for a Cloud ServiceNUS-ISS
More often than not, people’s perception of Product Management is usually centred around the definition, management and prioritisation of software features and functionality. While that is largely true, it is also one of many things that a Product Manager needs to focus on, given limited time and resources.
This session aims to provide an unfiltered view of how Product Management looks like in the context of Enterprise Cloud Applications development, the challenges confronting Product Managers, and the tradeoff decisions to be made in order to overcome these challenges.
All this, while shipping a working product with each release that will surprise and delight the end user.
Overview of Data and Analytics Essentials and FoundationsNUS-ISS
As companies increasingly integrate data across functions, the boundaries between marketing, sales and operations have been blurring. This allows them to find new opportunities that arise by aligning and integrating the activities of supply and demand to improve commercial effectiveness. Instead of conducting post-hoc analyses that allow them to correct future actions, companies generate and analyze data in near real-time and adjust their operations processes dynamically. Transitioning from static analytics outputs to more dynamic contextualized insights means analytics can be delivered with increased relevance closer to the point of decision.
This talk will cover the analytics journey from descriptive, predictive and prescriptive analytics to derive actionable and timely insights to improve customer experience to drive marketing, salesforce and operations excellence.
With the use of Predictive Analytics, companies are able to predict future trends based on existing available data. The actionable business predictions can help companies achieve cost savings, higher revenue, better resource allocation and efficiency. Predictive analytics has been used in various sectors such as banking & finance, sales & marketing, logistics, retail, healthcare, F&B, etc. for various purposes.
Get set to learn more about the different stages of predictive analytics modelling such as data collection & preparation, model development & evaluation metrics, and model deployment considerations will be discussed.
In this digital transformation era, we have seen the rise of digital platforms and increased usages of devices particularly in the area of wearables and the Internet of Things (IoT). Given the fast pace change to the IoT landscape and devices, data has become one of the important source of truth for analytics and continuous streaming of data from sensors have also emerged as one of the fuel that revolutionise the emergence of IoT. These includes health telematics, vehicle telematics, predictive maintenance of equipment, manufacturing quality management, consumer behaviour, and more. With this, we will give you an introduction on how to leverage the power of data science and machine learning to understand and explore feature engineering of IoT and sensor data.
Diagnosing Complex Problems Using System ArchetypesNUS-ISS
In today’s VUCA world, we are faced with problems coming in fast and furious. In order to resolve such problems quickly, we need to first understand the problems. One of the techniques to understand complex problem is through the use of system archetypes. System archetypes are patterns of behaviour of a system. Let’s us explore some of the system archetypes in this session as well as tips on how to resolve them.
Satisfying the ‘-ilities’ of an Enterprise Cloud ServiceNUS-ISS
‘Feature is DONE !’ A regular statement that is typically shared by an overjoyed engineer who is declaring the completion of a feature that he/she has implemented and has been approved by a test engineer. BUT is it ‘Done, Done ?!!’ Engineering an enterprise cloud services would require teams to satisfy the ‘ilities’ requirements. If you are wondering what they are, how engineering teams tackle them and satisfy these requirements, this session will give you an insight of the work and investment needed for a feature to be ‘Done’ in the enterprise cloud world.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
7. https://bit.ly/supply_chain_security_for_containers
What is Docker (and other container tools)?
A set of tools and engine for
- Packaging applications into a standard format, referred to as an ‘image’
- Deploying images as containers into Linux namespaces
- Manages the containers, networking, volumes, resources, etc
Used the following core Linux technologies
- Network namespace
- CGroups
- Union filesystem
A write once deploy anywhere
- Anywhere that Docker is installed or on anywhere with OCI compliant runtime installed
10. https://bit.ly/supply_chain_security_for_containers
Software Supply Chain Security
Modern cloud native application relies and uses
- Platform
- Code generators
- Libraries and dependencies
Attackers insert malicious code into platform, compilers and code generators,
libraries, etc
- Use these as the attack vector rather than attacking your application directly
Containerised applications supply chain
- Libraries and dependencies
- Pulling unverified images or from dubious image registries
- Badly written Dockerfile
14. https://bit.ly/supply_chain_security_for_containers
Scanning Image and Filesystem
trivy - tool to scan vulnerabilities in filesystem, repository, image
- Scan secrets, config, vulnerability for CVE listings
- Produces report in JSON, table, SARIF
- Generate SBOM (later)
trivy filesystem --format=json --output=scan.json
--severity=HIGH,CRITICAL <src path>
trivy image --scanners=vuln --exit-code=1
-s HIGH,CRITICAL node:20
trivy filesystem -s CRITICAL --secret-config policy.yaml .
Scan report format
Severity Exit code, eg. using
in CI pipeline
Only scan for
vulnerabilities
Custom rules
15. https://bit.ly/supply_chain_security_for_containers
Infrastructure as Code
Servers Networking
Storage and
databases
Monitoring Security
Iac Script
Virtualized infrastructure
Provision
● Process of provisioning and
managing IT resources through
machine readable files
● Scripts describe the required setup,
configurations and dependencies
between resources
● IaC tools provision the resources
PaaS
17. https://bit.ly/supply_chain_security_for_containers
Docker Image Tag
Tagging image
- Never - no tag when building image, default to :latest
- Good - give meaningful names to tags, eg v1.0.0
- Better - use the tag to associate the image to a commit eg a release branch
- git rev-parse --short HEAD
Using image
- Never - use the :latest tag
- Good - use a tag
- Best - use the image digest instead of tag
- The image’s hash
- docker image -f ‘{{.RepoDigests}}’ <image>
18. https://bit.ly/supply_chain_security_for_containers
About Image Tags
docker build -t fred/myapp:v1 .
docker build -t fred/myapp:v1 .
Overwritten the previous image
with the same tag
FROM fred/myapp:v1
Might be using the incorrect image
sha256:b24cde…
sha256:3fbc6…
Each image produce a
different hash after pushing to
container registry
FROM fred/myapp@sha256:3fbc6…
No ambiguity
19. https://bit.ly/supply_chain_security_for_containers
Enforce Policy
conftest - evaluate Dockerfile against as set of rules
- https://www.conftest.dev/
- Scan results can be output as JUnit, Github
Rules are written with Rego, a Prolog like language
- https://www.openpolicyagent.org/docs/latest/#rego
- Free course available - https://academy.styra.com/courses/opa-rego
Open Policy Agent is general purpose tool to enforce policy
- https://www.openpolicyagent.org/docs/latest/
- Decouple policies from application
conftest test Dockerfile --output github --policy policy
20. https://bit.ly/supply_chain_security_for_containers
Example of Policy File
deny[msg] {
input[i].Cmd = “from”
val = input[i].Value
contains(val[_], “:latest”)
msg = sprintf(“Cannot use :latest tag %s”, val)
}
deny[msg] {
input[i].Cmd = “from”
val = input[i].Value
count(split(val, “:”)) < 2
msg = sprintf(“Please add an image tag to %s”, val)
}
More examples https://www.conftest.dev/examples
Policy
Prevent pulling images
with the ‘latest’ tag
22. https://bit.ly/supply_chain_security_for_containers
Signing Images
cosign is tool for signing and verify container images and artifacts
- Generate public/private key pair for signing
- Signing and verify image signature
- Attaching and signing container artifacts like SBOM
Generate a key pair
- Produces cosign.key and cosign.pub
cosign generate-key-pair
23. https://bit.ly/supply_chain_security_for_containers
Signing and Verifying Images
cosign sign --key=path/to/cosign.key myimage@sha256:12345…
cosign verify --key=path/to/cosign.pub myimage@sha256:12345…
Use the image digest when you sign the
image. Then the signature is related to an
immutable image reference
Verify the image using the image digest
25. https://bit.ly/supply_chain_security_for_containers
Validating Image - 2
cosign triangulate myimage@sha256:12345…
crane manifest <cosign signature>
rekor-cli get --log-index <index>
Extract co-located cosign
signature from image
Get the signature’s manifest
Get the entry from Rekor
26. https://bit.ly/supply_chain_security_for_containers
Software Bill of Materials
List of inventories and dependencies that make up an
application
- Identifies the software components within larger pieces of
software and the licenses associated with their components
- In the context of containers, these will be the contents of the
image, its dependencies, licenses, etc
Purpose
- Track updates and known security vulnerabilities for each
component in the software project’s dependencies
- Auditing purposes as it ensures that only authorized
dependencies are included in a software project
Standards
- SPDX (Software Packet Data Exchange) - https://spdx.dev/
- CycloneDX - https://cyclonedx.org/
Image from https://spdx.github.io/spdx-spec/v2.2.2/composition-of-an-SPDX-document/
27. https://bit.ly/supply_chain_security_for_containers
Container Image Integrity
Sign
Analysis
Image SBOM
Policy
Build Produce
Sign
Image’s signature Attestation
Verify Verify
Ensure that code
and IaC conforms
to best practices
Validate that the
image has not
been tempered
Tracks dependencies
for security, licensing,
etc
Confirmation of
the provenance of
the image
Scan code base,
dependences,
configurations for
exposed secrets
28. https://bit.ly/supply_chain_security_for_containers
Image SBOM and Attestation
trivy image --format=spdx --output=sbom.spdx
myimage@sha256:12345…
cosign attach sbom --type=spdx --sbom=sbom.spdx
myimage@sha256:12345…
cosign attest --key=path/to/cosign.key
--type=spdx --predicate=sbom.spdx
myimage@sha256:12345…
cosign verify-attestation --key=path/to/cosign.pub
--type=spdx myimage@sha256:12345…
Generate SBOM
in SPDX format
Attach SBOM to
the image
Create an attestation
by signing the SBOM
Verify the attestation