This document summarizes Matt Tesauro's presentation "Taking AppSec to 11", given at BSides Austin 2016. The presentation discusses implementing application security (AppSec) pipelines to improve workflows and make the best use of scarce resources, above all AppSec personnel. Key points include automating repetitive tasks, driving consistency, increasing visibility and metrics, and reducing friction between development and AppSec teams. An AppSec pipeline provides a reusable and consistent process for security activities to follow through intake, testing, and reporting stages. The goal is to have people spend their time on customization and analysis rather than on setup and configuration.
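As an added illustration of the intake, testing and reporting stages described above (example code written for this page, not code from Matt Tesauro's talk or from any tool he discusses), the Python below sketches a minimal pipeline: an intake request selects a reusable test profile, every tool adapter emits the same finding schema, findings are de-duplicated across tools so the same bug reported by two scanners becomes one work item, and the report carries counts by severity plus a release gate. The adapter names, profiles, target URL and findings are constructed stand-ins, not real scanner output.

```python
"""Minimal AppSec pipeline: intake -> testing -> reporting.

Added example; not code from the talk. Tools, profiles and findings below
are constructed stand-ins for real scanner integrations.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One finding in the tool-agnostic schema every adapter must emit."""
    tool: str
    title: str
    severity: str
    location: str  # file:line or URL, whatever the tool can name

    def dedup_key(self) -> str:
        # The key deliberately omits the tool name: the same bug reported by
        # SAST and DAST should become a single work item for developers.
        raw = f"{self.title.strip().lower()}|{self.location}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class IntakeRequest:
    """What a team submits: which app, which test depth, where it lives."""
    app: str
    profile: str   # "quick" on every commit, "full" for release candidates
    target: str    # hypothetical deployed URL used by dynamic tools


# Profiles are the reusable, consistent part of the pipeline (hypothetical).
PROFILES: Dict[str, List[str]] = {"quick": ["sast"], "full": ["sast", "dast"]}

Adapter = Callable[[IntakeRequest], Iterable[Finding]]


def fake_sast(req: IntakeRequest) -> List[Finding]:
    """Constructed stand-in for a static analyzer's normalized output."""
    return [
        Finding("sast", "SQL Injection", "high", f"{req.app}/db.py:42"),
        Finding("sast", "Hardcoded Secret", "medium", f"{req.app}/settings.py:7"),
    ]


def fake_dast(req: IntakeRequest) -> List[Finding]:
    """Constructed stand-in for a dynamic scanner; it re-reports the SQLi
    at the same source location, which is what lets dedup collapse it."""
    return [
        Finding("dast", "sql injection", "high", f"{req.app}/db.py:42"),
        Finding("dast", "Missing HSTS", "low", f"{req.target}/"),
    ]


ADAPTERS: Dict[str, Adapter] = {"sast": fake_sast, "dast": fake_dast}


def run_pipeline(req: IntakeRequest, adapters: Dict[str, Adapter] = ADAPTERS,
                 fail_at: str = "high") -> dict:
    """Intake -> run the profile's tools -> normalize, dedup, report, gate."""
    unique: Dict[str, Finding] = {}
    raw_count = 0
    for tool in PROFILES[req.profile]:          # testing stage
        for finding in adapters[tool](req):
            raw_count += 1
            unique.setdefault(finding.dedup_key(), finding)  # first tool wins
    findings = sorted(unique.values(),
                      key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    blocked = any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]
                  for f in findings)
    return {                                    # reporting stage
        "app": req.app,
        "profile": req.profile,
        "raw": raw_count,
        "unique": len(findings),
        "by_severity": dict(Counter(f.severity for f in findings)),
        "findings": findings,
        "blocked": blocked,
    }


if __name__ == "__main__":
    report = run_pipeline(IntakeRequest("shop", "full", "https://shop.example"))
    print(f"{report['raw']} raw -> {report['unique']} unique findings, "
          f"blocked={report['blocked']}, {report['by_severity']}")
```

The profile table is where consistency comes from: a team does not choose tools, it chooses a depth, and the pipeline runs the same set every time. Real adapters would wrap a scanner's CLI or API and translate its native output into `Finding`; nothing downstream needs to know which tool produced what.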
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better (Matt Tesauro)
Slide deck from AppSec California 2016 + some additional slides.
Abstract:
How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.
The talk covers real world experiences running AppSec groups at two different companies: Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt which feels inevitable with more traditional AppSec program thinking.
Lessons from DevOps: Taking DevOps practices into your AppSec Life (Matt Tesauro)
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“.
AppSec needs to look beyond itself for answers to solving problems since we live in a world of ever-increasing numbers of apps. Technology and apps have invaded our lives, so how do you lead a security counter-insurgency? One way is to look at the key tenets of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.
DevOps - it's all about doing the right thing, much like the teachings in the Bible. A quick overview of DevOps, how many of the tenets of DevOps are shared with Christianity and how Pearson is putting DevOps into AppSec with an AppSec Pipeline.
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest (Matt Tesauro)
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
AppSec++: Take the best of Agile, DevOps and CI/CD into your AppSec Program (Matt Tesauro)
Presented at AppSec USA 2016 - Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several businesses. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.
AppSec Pipelines and Event-based Security (Matt Tesauro)
Presented at AppSec California 2017, this is a continuation of earlier talks about AppSec Pipelines and demonstrates 1st and 2nd Gen Pipelines, how OWASP is creating a pipeline for its projects and how several companies have benefited from combining DevOps, Agile, CI/CD and Security into an AppSec Pipeline to move beyond traditional AppSec testing.
Building an Open Source AppSec Pipeline (Matt Tesauro)
Take the concepts of DevOps and apply them to AppSec and you have an AppSec Pipeline. Allow automation, orchestration and some ChatOps to expand the flow of your AppSec team since it's not likely to get any bigger.
DevOps AppSec Pipeline, Velocity NY 2015 (Aaron Weaver)
Practical methodology and example for building out an application security program using DevOps principles. Need to scale out your program but don't have the resources? Find out how we quadrupled our output in one year without adding more security resources. #rugged #devops #appsec
Traditional application security cannot keep pace with the rate of change in application development; that model is dead. Move beyond the 5 stages of grief and get your agile security on. This talk covers practices that helped the product security team at Rackspace keep up with the rate of change facing modern day application security teams.
Building a Secure DevOps Pipeline - for your AppSec Program (Matt Tesauro)
What an AppSec Pipeline is, why it's going to change AppSec, how to take good ideas from DevOps and Agile into AppSec Programs and various stages of maturity for AppSec Pipelines. All done with the hope that others will start on their AppSec Pipeline journey.
OSMC 2015: Monitoring at Spotify - When things go ping in the night, by Martin Parm (NETWAYS)
When Spotify started in 2006, with just 20 people, they were more worried about selling the idea of music streaming than of setting up monitoring systems. Fast forward to 2015 and more than 400 engineers are collecting more than 30 million time series from more than 10000 hosts; so how did we get here? The journey has been a long one, with plenty of false starts and growing pains, from scaling systems to scaling teams to scaling the business itself; challenging what we thought we knew about operational monitoring at every step.
This talk is about some of the more interesting challenges we've faced along the way, and about what we've learned so far; covering some of the technical details but primarily focusing on the human aspects, and how our monitoring solutions have both shaped and been shaped by organizational structures and changing engineering practices.
Building an AppSec Pipeline: Keeping your program, and your life, sane (weaveraaaron)
Are you currently running an AppSec program? AppSec programs fall into an odd middle ground: highly technical interactions with the dev and ops teams, yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business, all while making sure you’re catching vulnerabilities as early and often as possible?
The AppSec team and the business created an AppSec Pipeline to handle the workflow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.
Connect Ops and Security with Flexible Web App and API Protection (DevOps.com)
Organizations continue to adopt container orchestration to drive efficiencies in their CI/CD pipelines. Given the current business climate with more employees working from home and consumers transacting more online, how can development and operations teams release at increasing velocity with protection baked in?
Connecting operations and security teams has not always been a smooth process: developers and operations staff are charged with site reliability, availability, and uptime, while security staff is held responsible for securing an organization’s always-moving perimeter and valuable web layer assets. But the lines have started to blur between DevOps teams and security: you can’t guarantee uptime without baking effective application security tooling into your processes and infrastructure configurations.
A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure new infrastructure and app code released to production is both effective and secure. Join application security experts Aneel Dadani and Orlando Barerra II from Signal Sciences to learn how your team can deploy at scale safely while gaining layer 7 visibility in production environments. Attendees will learn:
How to inspect web traffic in containers, at the API gateway, or the ingress
How DevOps teams can scale their application footprint to meet demand while securing your codebase in production
How development teams can gain visibility into how their apps and APIs are being used in production and what vulnerabilities may exist that they overlooked
A demo of these application security concepts with Ansible, a simple yet powerful IT automation engine that companies use to accelerate DevOps initiatives, including baking application security into their infrastructure.
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program (Denim Group)
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Slides from presentation delivered at InfoSecWeek in London (Oct 2016) about making developers more productive, embedding security practices into the SDL and ensuring that security risks are accepted and understood.
The focus is on the Dev part of SecDevOps, and on the challenges of creating Security Champions for all DevOps stages.
How to go from waterfall app dev to secure agile development in 2 weeks (Ulf Mattsson)
Waterfall is based on the concept of sequential software development, from conception to ongoing maintenance, where each of the many steps flows logically into the next.
Join this webinar presentation to learn:
- Why DevOps cannot effectively work in waterfall
- How to use DevOps tools to optimize processes in either development or operations through automation
We will also discuss what is needed to support full DevOps.
we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources, with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized, automated and threat-modeled penetration testing model for every release of the product lifecycle.
Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
TechTalk 2021: Peran IT Security dalam Penerapan DevOps, "The Role of IT Security in DevOps Adoption" (DicodingEvent)
In Indonesia, 19.4% of companies have started using public cloud services. But often it is only after a company has adopted the cloud that it realizes how complicated cloud adoption is. As a result, many companies get stuck operating these new applications.
Enter DevOps, which delivers services faster and drives innovation while improving productivity, communication and employee engagement. But faster delivery increases the risk in application deployment: 53% of data-theft attempts target the application itself. It is therefore essential for companies to shift their mindset from doing security for compliance to a more proactive approach that applies DevOps principles to their security tools and processes.
Curious how to maximize the role of security in DevOps adoption so that it runs smoothly? We will discuss this with two expert speakers, Rei Munisati (Head of IT Security & Risk Compliance, Home Credit Indonesia) and Taro Lay (Co-Founder, Kalama Cyber Security), at Tech Talk 2021 Live on the theme "Peran IT Security dalam Penerapan DevOps" (The Role of IT Security in DevOps Adoption).
Building a Modern Security Engineering Organization (Zane Lackey)
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:
- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment
DevOps: Cultural and Tooling Tips Around the World (Dynatrace)
To watch this webinar replay, please join us here:
https://info.dynatrace.com/apm_wc_devops_journey_series_tips_around_the_world_na_registration.html
DevOps! One of the most abused terms in the software industry over the last few years. One of the reasons for this is that the term can mean something totally different, depending on what your role is, and what kind of business you are in. Yet, it is a very real practice with solid benefits that allow companies to build better quality software faster, and with lower cost and risk.
In this 30-minute “secret sauce” session, Andreas Grabner, DevOps Activist at Dynatrace, shares customer learnings and best practices from DevOps adopters around the world. You’ll gain insights from questions like:
• What does DevOps really mean for developers, testers and operators?
• How do companies like Facebook deploy twice a day without big issues?
• How does DevOps work in industries like finance, government, and healthcare where tight regulations exist?
• Is Dev responsible for Ops? Or only if you are working in a Cloud environment?
• What is different and unique as we move from old-fashioned on-prem software to hybrid and Cloud apps?
• Why is talking to people the forgotten DevOps tool?
SecDevOps is a set of business methodologies, operational procedures, & cultural practices proven to increase security, improve software quality, improve release frequency, & provide immediate insight into organizational exposures.
This presentation was accepted to the ASIA 2018 conference, authored by Thomas Cappetta.
ContainerCon - Test Driven Infrastructure (Yury Tsarev)
Great external coverage of this presentation can be found at https://www.cedric-meury.ch/2016/10/test-driven-infrastructure-with-puppet-docker-test-kitchen-and-serverspec-yury-tsarev-gooddata/
AppSec Pipelines and Event based SecurityMatt Tesauro
Presented at AppSec California 2017, this is a continuation of earlier talks about AppSec Pipelines and demonstrates 1st and 2nd Gen Pipelines, how OWASP is creating a pipeline for its projects and how several companies have benefited from combining DevOps, Agile, CI/CD and Security into an AppSec Pipeline to move beyond traditional AppSec testing.
Building an Open Source AppSec PipelineMatt Tesauro
Take the concepts of DevOps and apply them to AppSec and you have an AppSec Pipeline. Allow automation, orchestration and some ChatOps to expand the flow of your AppSec team since its not likely to get any bigger.
DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver
Practical methodology and example for building out an application security program using DevOps principles. Need to scale out your program but don't have the resources? Find out how we quadrupled our output in one year without adding more security resources. #rugged #devops #appsec
Traditional application security cannot keep pace with pace of change in applicaiton development - that model is dead. Move beyond the 5 stages of grief and get your agile security on. This talk covers practices that helped the product security team at Rackspace keep up with the rate of change facing modern day application security teams.
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
What an AppSec Pipeline is, why it's going to change AppSec, how to take good ideas from DevOps and Agile into AppSec Programs and various stages of maturity for AppSec Pipelines. All done with the hope that others will start on their AppSec Pipeline journey.
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin ParmNETWAYS
When Spotify started in 2006, with just 20 people, they were more worried about selling the idea of music streaming than of setting up monitoring systems. Fast forward to 2015 and
more than 400 engineers are collecting more than 30 million time series from more than 10000 hosts; so how did we get here? The journey has been a long one, with plenty of false starts and growing pains, from scaling systems to scaling teams to scaling the business itself; challenging what we thought we knew about operational monitoring at every step.
This talk is about some of the more interesting challenges we've faced along the way, and about what we've learned so far; covering some of the technical details but primarily focusing on the human aspects, and how our monitoring solutions have both shaped and been shaped by organizational structures and changing engineering practices.
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
Are you currently running at AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you’re catching vulnerabilities as early and often as possible?
The AppSec team and the business created an AppSec Pipeline to handle the work flow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.
Connect Ops and Security with Flexible Web App and API ProtectionDevOps.com
Organizations continue to adopt container orchestration to drive efficiencies in their CI/CD pipelines. Given the current business climate with more employees working from home and consumers transacting more online, how can development and operations teams release at increasing velocity with protection baked in?
Connecting operations and security teams have not always been a smooth process: developers and operations staff are charged with site reliability, availability, and uptime while security staff is held responsible for securing an organization’s always-moving perimeter and valuable web layer assets. But the lines have started to blur between DevOps teams and security: you can’t guarantee uptime without baking effective application security tooling into your processes and infrastructure configurations.
A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure new infrastructure and app code released to production is both effective and secure. Join application security experts Aneel Dadani and Orlando Barerra II from Signal Sciences to learn how your team can deploy at scale safely while gaining layer 7 visibility in production environments. Attendees will learn:
How to inspect web traffic in containers, at the API gateway, or the ingress
How DevOps teams can scale their application footprint to meet demand while securing your codebase in production
How development teams can gain visibility into how their apps and APIs are being used in production and what vulnerabilities may exist that they overlooked
Demo these application security concepts with Ansible, a simple yet powerful IT automation engine that companies use to accelerate DevOps initiatives, including baking application security into their infrastructure.
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Slides from presentation delivered at InfoSecWeek in London (Oct 2016) about making developers more productive, embedding security practices into the SDL and ensuring that security risks are accepted and understood.
The focus is on the Dev part of SecDevOps, and on the challenges of creating Security Champions for all DevOps stages.
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next.
Join this webinar presentation to learn:
- Why DevOps cannot effectively work in waterfall
- How to use DevOps tools to optimize processes in either development or operations through automation
We will also discuss what is needed to support full DevOps
we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the produce lifecycle.
Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
Di Indonesia, 19,4% perusahaan sudah mulai menggunakan layanan cloud publik. Stapi sering kali saat perusahan sudah mengadopsi cloud, mereka baru menyadari betapa rumitnya penerapan cloud. Akibatnya, banyak perusahaan yang stuck dalam operasional aplikasi yang baru ini.
Hadirlah DevOps yang memberi layanan lebih cepat dan mendorong inovasi sekaligus meningkatkan produktivitas, komunikasi, dan keterlibatan karyawan. Tapi hadirnya layanan yang lebih cepat membuat risiko dalam penerapan aplikasi meningkat sebesar 53% upaya pencurian data menyasar aplikasi itu sendiri. Oleh karena itu, sangat penting bagi perusahaan untuk mengubah mindset dari menerapkan keamanan untuk kepatuhan ke metode yang lebih proaktif dengan memanfaatkan prinsip-prinsip DevOps dalam tool dan proses keamanan mereka.
Hmm jadi penasaran bagaimana sih memaksimalkan peran keamanan dalam penerapan Devops supaya berjalan dengan lacar? Hal ini akan kita bahas bersama 2 orang pembicara yang expert dibidangnya, yaitu Rei Munisati (Head of IT Security & Risk Compliance, Home Credit Indonesia) dan Taro Lay (Co-Founder Kalama Cyber Security) pada Tech Talk 2021 Live dengan tema "Peran IT Security dalam Penerapan DevOps."
Building a Modern Security Engineering OrganizationZane Lackey
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk with discuss how security adapts effectively to these changes, specifically covering:
- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment
DevOps: Cultural and Tooling Tips Around the WorldDynatrace
To watch this webinar replay, please join us here:
https://info.dynatrace.com/apm_wc_devops_journey_series_tips_around_the_world_na_registration.html
DevOps: Cultural and Tooling Tips Around the World
DevOps! One of the most abused terms in the software industry over the last few years. One of the reasons for this is that the term can mean something totally different, depending on what your role is, and what kind of business you are in. Yet, it is a very real practice with solid benefits that allow companies to build better quality software faster, and with lower cost and risk.
In this 30-minute “secret sauce” session, Andreas Grabner, DevOps Activist at Dynatrace, shares customer learnings and best practices from DevOps adopters around the world. You’ll gain insights from questions like:
• What does DevOps really mean for developers, testers and operators?
• How do companies like Facebook deploy twice a day without big issues?
• How does DevOps work in industries like finance, government, and healthcare where tight regulations exist?
• Is Dev responsible for Ops? Or only if you are working in a Cloud environment?
• What is different and unique as we move from old-fashioned on-prem software to hybrid and Cloud apps?
• Why is talking to people the forgotten DevOps tool?
SecDevOps is a set of business methodologies, operational procedures, & cultural practices proven to increase security, improve software quality, improve release frequency, & provide immediate insight into organizational exposures.
This presentation was accepted to the ASIA 2018 conference, authored by Thomas Cappetta.
ContainerCon - Test Driven Infrastructure (Yury Tsarev)
Great external coverage of this presentation can be found at https://www.cedric-meury.ch/2016/10/test-driven-infrastructure-with-puppet-docker-test-kitchen-and-serverspec-yury-tsarev-gooddata/
SREcon 2016 Performance Checklists for SREs (Brendan Gregg)
Talk from SREcon2016 by Brendan Gregg. Video: https://www.usenix.org/conference/srecon16/program/presentation/gregg . "There's limited time for performance analysis in the emergency room. When there is a performance-related site outage, the SRE team must analyze and solve complex performance issues as quickly as possible, and under pressure. Many performance tools and techniques are designed for a different environment: an engineer analyzing their system over the course of hours or days, and given time to try dozens of tools: profilers, tracers, monitoring tools, benchmarks, as well as different tunings and configurations. But when Netflix is down, minutes matter, and there's little time for such traditional systems analysis. As with aviation emergencies, short checklists and quick procedures can be applied by the on-call SRE staff to help solve performance issues as quickly as possible.
In this talk, I'll cover a checklist for Linux performance analysis in 60 seconds, as well as other methodology-derived checklists and procedures for cloud computing, with examples of performance issues for context. Whether you are solving crises in the SRE war room, or just have limited time for performance engineering, these checklists and approaches should help you find some quick performance wins. Safe flying."
The talk from the DevOps Days Silicon Valley 2015 conference describes the signs of having (or being) a single point of failure expert on your system, and the ways to solve the problem.
Chaos patterns - architecting for failure in distributed systems (Jos Boumans)
As we architect our systems for greater demands, scale, uptime, and performance, the hardest thing to control becomes the environment in which we deploy and the subtle but crucial interactions between complicated systems. Chaos Patterns help us establish and implement a virtuous cycle that lets us both prove and improve our system along each of these dimensions before the inevitable happens.
While it may seem reckless or counter-intuitive, our experience has proven that it’s a matter of how and when (not if) we will learn about the limitations and failure modes of the system.
This is the story of the pitfalls we encountered, and how, through architecture, convention and common sense, we managed to build an infrastructure that is "Always Up" from the end user perspective and incredibly economical to build, scale & operate; using chaos testing, we learn more about how our system fails from a 10 second controlled failure than a multi-hour uncontrolled outage.
In this session we will cover various implementation techniques, available to any developer & operator, which will vastly increase the resilience of your systems and provide a superior end user experience; from optimizing your use of DNS for failure, to configuring your CDN to have your back, to synthetic responses and expected database outages.
But why stop there? Netflix has pioneered a culture and suite of tools that actively injects ‘once in a blue moon’ failures into its production systems, which lets you battle test your resilience design and let developers & operators sleep comfortably at night knowing their systems are able to handle even the worst of worst case scenarios.
The way in which many (most?) software teams use logging needs a re-think as we move into a world of microservices and remote sensors. Instead of using logging merely to dump out stack traces, our logs become a continuous trace of application state, with unique-enough identifiers for every interesting point of execution. We also use transaction identifiers to trace calls across components, services, and queues, so that we can reconstruct distributed calls after the fact. Logging becomes a rich source of insight for developers and operations people alike, as we 'listen to the logs' and tighten feedback cycles to improve our software systems.
Our monitoring team works in a cycle of 4 phases: Definition, Collection, Visualization and Action. We've found it effective to be clear about what phase we are in to help communicate our needs as well as our progress. This talk was presented as a lightning talk at Monitorama 2015 by Melanie Cey.
Devops and Immutable infrastructure - Cloud Expo 2015 NYC (John Willis)
You often hear the two titles of "DevOps" and "Immutable Infrastructure" used independently.
In his session at DevOps Summit, John Willis, Technical Evangelist for Docker, will cover the union between the two topics and why this is important. He will cover an overview of Immutable Infrastructure then show how an Immutable Continuous Delivery pipeline can be applied as a best practice for "DevOps." He will end the session with some interesting case study examples.
Time to say goodbye to your Nagios based setup. Discover all the new cool tools out there to do some more efficient monitoring. A talk made at OSMC 2014.
https://www.youtube.com/watch?v=_BAWi9Zhmic
Identifying and fixing issues in new code before deploying it to production is important for every software development cycle. However, relying on traditional testing methods in the age of Internet-scale, data-driven problems may prove to be incomplete. Identifying and fixing the issues in production quickly is crucial, but it requires insight into usage patterns and trends across the whole architecture and application logic. In this talk I touch on inefficiencies of some of the most common testing methods, provide real world examples of discovering odd edge cases with monitoring and offer recommendations on top-down metric instrumentation to help DevOps organizations with identifying and acting on business-affecting problems.
Presentation given at QCon London on 4th March 2015
Tools, Collaboration, and Conway's Law: how to choose and use tools effectively for Continuous Delivery and DevOps
With an ever-increasing array of tools and technologies claiming to 'enable DevOps' or 'implement Continuous Delivery', how do we know which tools to try or to choose? In-house, open source, or commercial? Ruby or shell? Dedicated or plugins? It transpires that highly collaborative practices such as DevOps and Continuous Delivery require new ways of assessing tools and technologies in order to avoid creating new silos.
Matthew Skelton shares his recent experience of helping many different organisations to evaluate and select tools to facilitate DevOps and Continuous Delivery, including version control, log aggregation, deployment pipelines, monitoring and metrics, and infrastructure automation tools; the recommendations may surprise you.
Tech Mahindra and CollabNet have worked together on a number of mission-critical projects, and over the course of their partnership have developed unique expertise in lifecycle, development-to-production metrics. Gain an understanding not only of what metrics are important, but also practical approaches to building reports and dashboards that deliver a single-pane view of all your delivery pipelines across the enterprise.
Participants will learn:
KPI’s of end-to-end dashboard driven development and delivery
Best practices for metrics in Agile / DevOps environments
Role of technology frameworks for integrated planning and reporting
AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301) (Amazon Web Services)
In this session, we provide programmatic guidance on building tools and applications to detect and manage fraud and unusual activity specific to financial services institutions. Payment fraud is an ongoing concern for merchants and credit card issuers alike and these activities impact all industries, but are specifically detrimental to Financial Services. We provide a step-by-step walkthrough of a reference solution to detect and address credit card fraud in real time by using Apache Apex and Amazon Machine Learning capabilities. We also outline different resource and performance optimization options and how to work data security into the fraud detection workflow.
Presents the current state and proposed state for the application lifecycle of Liferay applications. Introduces DevOps concepts and explains how they can be applied to Liferay applications. Also includes Ansible scripts for deployment automation.
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code (Steve Mercier)
Slides from my talk at ConFoo Montreal, February 2016. A presentation on how to apply configuration management (CM) principles for your various environments, to control changes made to them. You apply CM on your code, why not on your environments content? This presentation will present the infrastructure as code principles using Chef and/or Ansible. Topics discussed include Continuous Integration, Continuous Delivery/Deployment principles, Infrastructure As Code and DevOps.
DevOps is an often abused and frequently misunderstood term. This presentation breaks DevOps down to its essence and then goes through a practical example of how organizational design, scheduling, and dependency management work in the DevOps world, modeled on real examples from Amazon and Netflix.
Exercising and Scaling Up Mobile DevOps in the Enterprise (Bitbar)
Adopting the mobile devops culture, processes and practices in any organization may not happen overnight. The transformation from agile to true mobile devops requires identification of inefficiencies and understanding of how process, practice and infrastructure can be scaled up.
- Introduction to DevOps.
- Glossary.
- Continuous testing.
- The DevOps lifecycle.
- Where does QA fit in DevOps.
- Test-Driven Development (TDD).
- References.
This presentation provides an overview of the Rapise automated testing tool from Inflectra. It provides a background on why you need to use automated testing as part of your development process and the features and differentiators that make Rapise your best choice for testing web, mobile, desktop, mainframe and API applications.
PayPal continuous performance as a self-service with fully-automated... (Dynatrace)
PayPal's ongoing leadership as an industry innovator requires faster development cycles and increased adoption of continuous testing practices. For special efforts, the development teams needed more frequent feedback about application performance, scalability limitations and variances between builds. Accelerating the frequency of performance simulations would help increase the rate of innovation and improve the quality of code delivered to production.
In this session we'll review some of the automation techniques that helped PayPal Credit increase testing feedback from a monthly effort to a nearly-continuous daily activity. We'll spend time looking at the benefits of a fully-automated, actionable performance feedback loop that delivers performance feedback to developers in hours rather than weeks or months. Additionally, we will take a closer look at how these changes impacted the culture of development and operations, improving both the quality of critical thinking about performance and the value delivered back to the business.
This "Secret Sauce" session will include conceptual learnings and hands-on demonstration:
- What a continuous performance environment looks like and the benefits it brings to your DevOps team
- How to create a parallel pipeline for on-demand performance feedback using JIRA, Rundeck, JMeter and Dynatrace
- Where and how to leverage performance feedback to optimize flow
- How to get engineers on-board and excited about building better-performing code
AWS18 Startup Day Toronto - Launching your Application the Amazon Way (Amazon Web Services)
We'll show you how to take your application and launch it quickly on a variety of AWS infrastructure. You'll learn how to leverage CodeStar, CodeBuild, CodeDeploy, and Cloud9 to provide your startup with reliable, flexible, and cost efficient build pipelines in minutes. This will set your technical teams up for faster deploys and consistent development environments allowing you to focus on your product, not your deployment process. This is a key pain point for early stage startups, learn how to solve it before it starts to impact your team's productivity.
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree (AnikeyRoy)
Mindtree's DevOps service helps clients build an in-house DevOps platform within an organisation using open-source DevOps tools.
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021 (William Caban)
The adoption of cloud-native principles brings new challenges. Scaling and evolving operations teams and staying up to date requires the adoption of new operational models and paradigms.
This deck presents how modern paradigms map to GitOps principles and the characteristics that must be supported by any software used for GitOps.
Harman deepak v - agile on steroid - dev ops led transformation (Xebia India)
Focusing on faster development cycles packed with features…
Documentation to working software each iteration
Waterfall releases to Incremental high value feature releases
Dev + Test – one agile team with cross functional skills
Tenants for Going at DevSecOps Speed - LASCON 2023 (Matt Tesauro)
You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tool outputs for all your different apps let alone shrink the pile of work already on your plate? In this talk, we’ll discuss the key decision points and requirements to set up a program that moves as fast as it needs to without your team burning out. Learn how to keep moving forward while keeping your sanity.
After learning to be nimble from dealing with teams that are doing 75 production deployments per week, the surviving ideas have been distilled into a collection of tenants. We’ll cover: How to handle CI/CD tests versus traditional security assessments? How to best manage SLAs? How to keep data for auditors and regulatory requirements while also doing continuous testing? Understanding health checks versus continuous testing versus manual testing. How to deal with false positives, risk acceptances and the lifecycle of a security issue? By using these tenants, security assessments at one company grew from 44 to 414 in 2 years or 9.4 times all while losing some headcount. Time to turn chaos into calm and distress into success.
Hacking and Defending APIs - Red and Blue make Purple.pdf (Matt Tesauro)
From LASCON 2022:
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
Practical DevSecOps: Fundamentals of Successful Programs (Matt Tesauro)
From ONUG Fall 2022:
"Shift Left'' and automation have turned from ideals to meaningless buzzwords. Instead of riding the hype train, let's get real and cover practical and real-world examples taken from actual product security successes. Not every business is the same, neither will their DevSecOps program.
In this talk, I'll cover the fundamentals common to successful DevSecOps programs as well as a grab bag of useful techniques to consider. These are lessons learned doing AppSec at a wide variety of companies including Rackspace, Pearson, a Fortune 500 financial, Duo Security and Cognizant Healthcare. Bruce Lee said "Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own". The goal of this talk is to provide you with enough examples to build your own pragmatic and practical DevSecOps program or maybe absorb a new technique or two into your existing program.
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities (Matt Tesauro)
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
APIs seem simple. It's just one program talking to another program over a network. However, behind that seeming simplicity lies a complex landscape full of landmines, foot guns and sharp edges. How do you navigate the API terrain without exposing yourself to attack? This talk will cover the API landscape and point out where 'there be dragons'. If you don't have a large number of APIs, you will soon enough, so do yourself a favor and follow the map provided in this talk.
Peeling the Onion: Making Sense of the Layers of API Security (Matt Tesauro)
APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using Kubernetes has APIs. There's a good foundation of AppSec knowledge out there, thanks in part to OWASP, but API Security isn't exactly the same as AppSec. Additional complexity is part of the landscape with multiple competing API technologies like REST, gRPC and GraphQL plus stakeholders spread across multiple parts of the business. How do you make sense of the API Security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API Security landscape and reach a state of solid API Security.
The Final Frontier, Automating Dynamic Security Testing (Matt Tesauro)
This is not your normal DevSecOps presentation. We’re going to take on the most difficult aspect of security automation, the dreaded and pitfall prone, dynamic testing. You want to shift left and automate all the things, but DAST specifically has many thorns. How do you ensure what you’re testing matches production? Do devs own the environment? On metal, docker, kubernetes, or docker-compose? Test coverage? Balancing all these elements and more is not easy. Especially if you want to create a single, scalable, standard for your entire org. In this talk, we’ll cover what is needed to start automating your dynamic security testing, how to navigate the trade-offs you’ll have to consider, and finally how best to fit automated DAST testing into your software delivery pipelines. We’ll discuss simple and easy steps to gain efficiency and how to scale to mature pipelines that require little to no human intervention.
Intro to DefectDojo at OWASP Switzerland (Matt Tesauro)
You’re tasked with ‘doing AppSec’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools' outputs for all your different apps? DefectDojo can be your one source of truth and become the heart of your AppSec automation program.
DefectDojo grew out of a Product Security program 8 years ago and was created by AppSec people for AppSec people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers including its REST-based API. DefectDojo can be your one source of truth for discovered security vulnerabilities, report generation, aggregation of over 80 different security tools, inventory of applications, tracking testing efforts and metrics on the AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.
Taking the Best of Agile, DevOps and CI/CD into security (Matt Tesauro)
Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls.
My talk from Secure Coding Virtual Summit (2021-03-24)
DevSecOps Fundamentals and the Scars to Prove it. (Matt Tesauro)
This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered, including increasing team throughput and engaging and supporting external teams. The idea is to give the audience a leg up on starting a DevSecOps program and allow them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of DevSecOps quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a DevSecOps journey.
Continuous Security: Using Automation to Expand Security's Reach (Matt Tesauro)
Any optimization outside the critical constraint is an illusion. In DevSecOps, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and real world experiences of creating DevSecOps pipelines augmented with automation in multiple enterprises. Getting started can feel overwhelming, but this talk covers the fundamental building blocks of adding automation to a DevSecOps program, including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example and customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.
OWASP DefectDojo - Open Source Security Sanity (Matt Tesauro)
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
Serverless is here, so why not use it to make your life better? This talk discusses ways to use serverless to add automation to your application and cybersecurity work.
Originally presented at Global AppSec DC 2019
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa... (Matt Tesauro)
You’ve probably heard many talks about DevSecOps and continuous security testing but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool which has been used in real world companies to do real security work. Beyond a stand alone tool, the OWASP AppSec Pipeline provides numerous docker containers ready to automate, a specification to customize with the ability to create your own implementation and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team’s arsenal and provide example templates of how best to run the automated tools provided. Finally, we’ll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather than hearing about it, this talk is for you.
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin (Matt Tesauro)
An overview of how to change security from a reactive part of the org to a collaborative part of the agile development process. Using concepts from agile and DevOps, how can application security get as nimble as product development has become?
OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the ability to use WTE remotely by installing it on a cloud-based server.
As the world of system and application deployment continues to change, the sys admin and security community needs to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional sys admin and security processes just don’t work. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? Rackspace has been developing a tool called Checkmate to help them design, deploy and security assess complex configurations for customers. This talk will cover the concepts behind and the architecture of Checkmate and how it helps minimize the time to deploy systems and verify they have been created to spec and in a secure state. It also discusses how Checkmate has inspired the concept of Test Driven Security, based on the Test Driven Development model familiar to the development world.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx (Brad Spiegel Macon GA)
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1. Wireless Communication System_Wireless communication is a broad term that i... (JeyaPerumal1)
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
13. Key Features of AppSec Pipelines
◇ Designed for iterative improvement
◇ Provides a reusable path for AppSec activities to follow
◇ Provides a consistent process for both the team and our constituency
◇ One way flow with well-defined states
◇ Relies heavily on automation
◇ Grows in functionality organically over time
◇ Gracefully interconnects with the development process
17. Key Goals of AppSec Pipelines
◇ Optimize the critical resource - AppSec personnel
■ Automate all the things that don’t require a human brain
■ Drive up consistency
■ Increase tracking of work status
■ Increase flow through the system
■ Increase visibility and metrics
■ Reduce any dev team friction with application security
18. Pipeline - Intake
◇ “First Impression”
◇ Major categories of Intake
■ Existing App
■ New App
■ Previously tested App
■ App to re-test findings
◇ Key Concepts
■ Ask for data about Apps only once
■ Have data reviewed when an App returns
■ Adapt data collected based on broad categories of Apps
19. Pipeline - Testing
◇ Inbound request triage
◇ À la carte AppSec
■ Dynamic Testing
■ Static Testing
■ Re-Testing mitigated findings
■ Mix and match based on risk
◇ Key Concepts
■ Activities can be run in parallel
■ Automation on setup, configuration, data export
◇ People focus on customization rather than setup
20. Pipeline - Testing
◇ Results from your CI/CD could flow into ThreadFix from the build pipeline
◇ Gauntlt run results could also flow into the AppSec Pipeline
◇ Choose the tools that make sense for your organization
21. Pipeline - Deliver
◇ Source of truth for all AppSec activities
◇ ThreadFix is used to
■ Dedup / Consolidate findings
■ Normalize scanner data
■ Generate Metrics
■ Push issues to bug trackers
◇ Report and metrics automation
■ REST + tfclient
◇ Source of many touch points with external teams
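As an added example (not ThreadFix's or the deck's own code), this Python sketch of the Deliver stage normalizes constructed records from two scanners onto one severity scale, dedups them by weakness and location, and produces the per-severity counts a report or dashboard would use. The scanner record shapes and severity vocabularies are assumptions, not the tools' real export formats.

```python
from collections import Counter, namedtuple

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # common severity scale
# Hypothetical per-scanner severity vocabularies mapped onto the common scale.
SEVERITY = {"zap": {"1": "LOW", "2": "MEDIUM", "3": "HIGH"},
            "burp": {"Low": "LOW", "Medium": "MEDIUM", "High": "HIGH"}}
# Scanner-neutral record the Deliver stage works with; sources = tools that reported it.
Finding = namedtuple("Finding", "title severity cwe url parameter sources")

def normalize(scanner, rec):
    """Turn one raw scanner record (constructed shapes, see RAW) into a Finding."""
    if scanner == "zap":
        return Finding(rec["alert"], SEVERITY["zap"][rec["riskcode"]], int(rec["cweid"]),
                       rec["url"], rec.get("param", ""), ("zap",))
    if scanner == "burp":
        return Finding(rec["name"], SEVERITY["burp"][rec["severity"]], int(rec["cwe"]),
                       rec["host"] + rec["path"], rec.get("parameter", ""), ("burp",))
    raise ValueError(f"unknown scanner {scanner!r}")

def fingerprint(f):
    # Same weakness at the same location is one bug, whichever tool reported it.
    return (f.cwe, f.url.rstrip("/").lower(), f.parameter.lower())

def consolidate(findings):
    """Dedup across scanners; merge sources and keep the worst severity assigned."""
    merged = {}
    for f in findings:
        key = fingerprint(f)
        if key in merged:
            p = merged[key]
            merged[key] = p._replace(sources=p.sources + f.sources,
                                     severity=max(p.severity, f.severity, key=RANK.get))
        else:
            merged[key] = f
    return list(merged.values())

def metrics(findings):
    """Counts per severity, the numbers that feed reports and dashboards."""
    return dict(Counter(f.severity for f in findings))
# Constructed sample output: one bug seen by both scanners, one seen by ZAP only.
RAW = [("zap", {"alert": "Reflected XSS", "riskcode": "3", "cweid": "79",
                "url": "https://app.example/search/", "param": "q"}),
       ("burp", {"name": "Cross-site scripting (reflected)", "severity": "High", "cwe": 79,
                 "host": "https://app.example", "path": "/search", "parameter": "Q"}),
       ("zap", {"alert": "X-Content-Type-Options missing", "riskcode": "1", "cweid": "16",
                "url": "https://app.example/"})]

def deliver(raw=RAW):  # normalize and consolidate; returns (findings, metrics)
    found = consolidate(normalize(s, r) for s, r in raw)
    return found, metrics(found)
```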
22. Why we like AppSec Pipelines
◇ Allow us to have visibility into WIP
◇ Better understand/track/optimize flow of engagements
◇ Average static test takes ...
◇ Great increase in consistency
◇ Easier re-allocation of engagements between staff
◇ Each step has a well defined interface
◇ Knowing who has what allows for more informed “cost of switching” conversations
◇ Flexible enough for a range of skills and app maturity
23. ~5x increase
2014: 44 assessments
2015: ~200 assessments
Changes from 2014 to 2015:
- Created the AppSec Pipeline - initial launch in March 2015
- AppSec team numbers dropped - lost a couple of key people, approx. 3.5 FTEs
- Two of the AppSec team members went meta for most of 2015
25. What does BoH do?
◇ Manages the Application Security Program
◇ Application Repository
◇ Engagement Tracking
◇ Report Repository
◇ Comments on any application, engagement or activity
◇ Data Classification and PII data
◇ Time taken on secure software activities
◇ Historical knowledge of past assessments
◇ Credential repository
◇ Environment details
29. Defect Dojo
◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts.
◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools.
◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively.
◇ https://github.com/rackerlabs/django-DefectDojo
40. #3 - Continual Experimentation & Learning
Create a culture of innovation and experimentation
42. “I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times.”
44. Dev & AppSec Tool Integration
[Diagram: security tools placed along the pipeline stages (Code, Store, Build, Manage, Deploy); OWASP ZAP Proxy and RAPTOR are shown as examples]
*Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.
48. Key Takeaways
◇ Automate, automate, automate
■ Look for “paper cuts” and fix those first
◇ Finding workflow – your AppSec Pipeline
■ Figure this out and standardize / optimize
◇ Create systems which can grow organically
■ The app is never done; it’s just created so it can easily be added to over time
■ e.g. Finding blocks become templates for the next report
◇ Learn to talk “dev”
51. Orchestration
◇ Integrate Security Tools and Workflow
Example:
◇ Generic API for dynamic scanning
■ URL
■ Credentials
■ Profile
■ Call any Dynamic Scanner:
○ OWASP ZAP
○ BurpSuite
○ AppScan
52. Gauntlt
◇ Open source, MIT License
◇ Gauntlt comes with pre-canned steps that hook security testing tools
◇ Gauntlt does not install tools
◇ Gauntlt wants to be part of the CI/CD pipeline
◇ Be a good citizen of exit status and stdout/stderr
53. Taiga
◇ Project Management Software
■ Focused on usability and speed
■ Kanban / Scrum
■ Backlog
■ Tasks
■ Sprints
■ Issues
■ Wiki
◇ Open Source – Python / Django app
■ Entire functionality is driven by a REST API !!
■ https://taiga.io/
56. Defect Dojo
◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts.
◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools.
◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively.
◇ https://github.com/rackerlabs/django-DefectDojo
59. Findings directly to bug trackers
◇ PDFs are great, bugs are better
◇ Security issues are now part of the normal workflow
◇ ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
60. For the reticent: nag, nag, nag
◇ Attach an SLA to each severity level for findings
◇ Walk up the org chart as things get older
◇ Bonus points for dashboards and defect tracker APIs
◇ Get management sold first
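An added example of the nag loop, not from the deck: a per-severity SLA, an escalation that walks one rung up a constructed org chart for each SLA period a finding stays overdue, and a dashboard count of in-SLA vs overdue findings. The SLA values, org chart and open findings are all constructed.

```python
from datetime import date

# Remediation SLA per severity, in days (constructed values; tune to your program).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
# Escalation ladder, walked one rung for every extra SLA period a finding stays
# open past its deadline (constructed org chart).
ORG_CHART = ["dev-lead", "engineering-manager", "director", "vp-engineering"]

def escalation(severity, opened, today, chart=ORG_CHART):
    """Return (days_overdue, who_to_nag); who_to_nag is None while the SLA is met."""
    sla = SLA_DAYS[severity]
    overdue = (today - opened).days - sla
    if overdue <= 0:
        return 0, None
    # Each full SLA period overdue moves the nag one rung up, capped at the top.
    rung = min(overdue // sla, len(chart) - 1)
    return overdue, chart[rung]

def nag_list(findings, today):
    """Group overdue findings by the person who should hear about them today."""
    nags = {}
    for f in findings:
        overdue, who = escalation(f["severity"], f["opened"], today)
        if who:
            nags.setdefault(who, []).append((f["id"], overdue))
    return nags

def sla_dashboard(findings, today):
    """Per-severity counts of open findings inside vs past their SLA."""
    board = {}
    for f in findings:
        state = "overdue" if escalation(f["severity"], f["opened"], today)[1] else "in_sla"
        board.setdefault(f["severity"], {"in_sla": 0, "overdue": 0})[state] += 1
    return board

# Constructed open findings: one slightly late, one on time, one badly overdue.
OPEN = [{"id": "F-1", "severity": "HIGH", "opened": date(2016, 1, 4)},
        {"id": "F-2", "severity": "MEDIUM", "opened": date(2016, 2, 15)},
        {"id": "F-3", "severity": "CRITICAL", "opened": date(2016, 1, 20)}]

if __name__ == "__main__":
    for who, items in nag_list(OPEN, date(2016, 3, 1)).items():
        print(who, items)
```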
61. Agent – one mole to rule them all
◇ Add an agent to the standard deploy
◇ Add a dashboard to visualize the state of infrastructure
◇ Roll your own or find a vendor
Mozilla MIG
62. Turn Vuln Scanning on its Head
◇ Add value for your Ops teams
◇ Roll your own or find a vendor
◇ Reverse the standard “scan, then report” model
63. Related Presentations
AppSec EU 2015 – Ops Track Keynote
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
https://www.youtube.com/watch?v=tDnyFitE0y4
AppSec EU 2015 – Building an AppSec Pipeline
http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life-sane
https://www.youtube.com/watch?v=1CDSOSl4DQU
65. #1 Workflow: Each Step Repeatable
◇ Remove all haphazard and ad hoc work from the process
◇ Scripting languages are your friends
◇ Config Mgmt – Puppet, Chef, Salt, Ansible, CFEngine
◇ Make sure what you do can be done on 1 server or 10,000 servers
66. #1 Workflow: Never Pass on Defects
◇ Test early and often
◇ Increase the rigor of testing as you work left to right
◇ When a failure occurs, end that flow and start a new one after corrections
◇ The further right you are, the more expensive failure is, so concentrate your early work on the left side (intake)
◇ In AppSec, defects are false positives
67. #1 Workflow: Local optimizations with a global view
◇ Ensure no single-step optimizations degrade the overall performance of the workflow
◇ Find the bottleneck in your workflow and start there
■ Upstream changes will just back things up
■ Downstream changes won't manifest since input is limited
◇ Each new optimization creates a new bottleneck
■ Iterate on this!
71. Image References
Henry Ford in a field:
http://henryfordgiantdifferenceaward.weebly.com/works-cited.html
Assembly Lines:
http://www.pictofcar.website/henry-ford-assembly-line-diagram/
http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html
http://en.wikipedia.org/wiki/Assembly_line
http://actionspeaksradio.org/tag/henry-ford/
http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the-assembly-line-ransom-e-olds-did/index.html
W. Edwards Deming:
http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html
Japan's Post War Miracle:
http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm
http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/
http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle