Taking the Best of Agile, DevOps and CI/CD into security
•
0 likes•78 views
Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls. My talk from Secure Coding Virtual Summit (2021-03-24)
Report
Share
Report
Share
Download to read offline
Recommended
Building a Secure DevOps Pipeline - for your AppSec Program
What an AppSec Pipeline is, why it's going to change AppSec, how to take good ideas from DevOps and Agile into AppSec Programs and various stages of maturity for AppSec Pipelines. All done with the hope that others will start on their AppSec Pipeline journey.
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
You’ve probably heard many talks about DevSecOps and continuous security testing but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool which has been used in real world companies to do real security work. Beyond a stand alone tool, the OWASP AppSec Pipeline provides numerous docker containers ready to automate, a specification to customize with the ability to create your own implementation and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team’s arsenal and provide example templates of how best to run the automated tools provided. Finally, we’ll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather then hear about it, this talk is for you.
Continuous Security: Using Automation to Expand Security's Reach
Any optimization outside the critical constraint is an illusion. In DevSecOps , the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and provide real world experiences of creating DevSecOps Pipeline’s augmented with automation in multiple enterprises. Getting started can feel overwhelming but this talk provides coverage of the fundamental building blocks of adding automation to an DevSecOps program including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example, customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.
OWASP DefectDojo - Open Source Security Sanity
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
AppSec Pipelines and Event based Security
Matt Tesauro discusses moving application security (AppSec) beyond traditional security testing towards event-based security using continuous integration/continuous delivery (CI/CD) pipelines and automation. Key points include:
- Implementing AppSec pipelines that automate security tasks using tools like Docker to increase efficiency and consistency while reducing friction between AppSec and development teams.
- Treating individual security findings as tests that are run continuously via tools like Jenkins to quickly determine when issues are fixed.
- With increased automation and efficiency, one company increased the number of application assessments from 44 in 2014 to over 400 in 2016 while reducing AppSec staffing levels.
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
This document summarizes Matt Tesauro's presentation on improving application security (AppSec) through the use of AppSec pipelines and DevOps strategies. The key points are:
1. AppSec pipelines are designed to optimize AppSec personnel by automating tasks and increasing consistency, tracking, flow and visibility of work. This allows AppSec teams to focus on custom work rather than setup.
2. Integrating AppSec tools and workflows into development pipelines can help drive up consistency, reduce friction with developers, and increase the number of assessments an AppSec team can complete without increasing headcount.
3. Continual experimentation and optimizing the critical resource - in this case AppSec personnel - is important for
Building an Open Source AppSec Pipeline
Take the concepts of DevOps and apply them to AppSec and you have an AppSec Pipeline. Allow automation, orchestration and some ChatOps to expand the flow of your AppSec team since its not likely to get any bigger.
Recommended
Building a Secure DevOps Pipeline - for your AppSec Program
What an AppSec Pipeline is, why it's going to change AppSec, how to take good ideas from DevOps and Agile into AppSec Programs and various stages of maturity for AppSec Pipelines. All done with the hope that others will start on their AppSec Pipeline journey.
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
You’ve probably heard many talks about DevSecOps and continuous security testing but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool which has been used in real world companies to do real security work. Beyond a stand alone tool, the OWASP AppSec Pipeline provides numerous docker containers ready to automate, a specification to customize with the ability to create your own implementation and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team’s arsenal and provide example templates of how best to run the automated tools provided. Finally, we’ll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather then hear about it, this talk is for you.
Continuous Security: Using Automation to Expand Security's Reach
Any optimization outside the critical constraint is an illusion. In DevSecOps , the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and provide real world experiences of creating DevSecOps Pipeline’s augmented with automation in multiple enterprises. Getting started can feel overwhelming but this talk provides coverage of the fundamental building blocks of adding automation to an DevSecOps program including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example, customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.
OWASP DefectDojo - Open Source Security Sanity
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
AppSec Pipelines and Event based Security
Matt Tesauro discusses moving application security (AppSec) beyond traditional security testing towards event-based security using continuous integration/continuous delivery (CI/CD) pipelines and automation. Key points include:
- Implementing AppSec pipelines that automate security tasks using tools like Docker to increase efficiency and consistency while reducing friction between AppSec and development teams.
- Treating individual security findings as tests that are run continuously via tools like Jenkins to quickly determine when issues are fixed.
- With increased automation and efficiency, one company increased the number of application assessments from 44 in 2014 to over 400 in 2016 while reducing AppSec staffing levels.
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
This document summarizes Matt Tesauro's presentation on improving application security (AppSec) through the use of AppSec pipelines and DevOps strategies. The key points are:
1. AppSec pipelines are designed to optimize AppSec personnel by automating tasks and increasing consistency, tracking, flow and visibility of work. This allows AppSec teams to focus on custom work rather than setup.
2. Integrating AppSec tools and workflows into development pipelines can help drive up consistency, reduce friction with developers, and increase the number of assessments an AppSec team can complete without increasing headcount.
3. Continual experimentation and optimizing the critical resource - in this case AppSec personnel - is important for
Building an Open Source AppSec Pipeline
Take the concepts of DevOps and apply them to AppSec and you have an AppSec Pipeline. Allow automation, orchestration and some ChatOps to expand the flow of your AppSec team since its not likely to get any bigger.
AppSec Pipeline - Velcocity NY 2015
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
DevSecOps Fundamentals and the Scars to Prove it.
This document discusses the fundamentals and evolution of DevSecOps. It begins by introducing the author and their background. It then outlines key DevSecOps concepts like reducing complexity, managing dependencies, shared understanding, enabling default security controls, fully utilizing frameworks, embracing cloud-native principles, codifying processes, treating servers as cattle, and automating workflows. The document also discusses the importance of DefectDojo and generating AppSec pipelines to integrate security testing into development pipelines in order to scale efforts and increase visibility, consistency, and flow. It emphasizes automating non-human tasks to optimize security personnel.
Peeling the Onion: Making Sense of the Layers of API Security
This document provides an overview of API security from multiple perspectives: API security posture, runtime security, and security testing. It discusses the complex API ecosystem involving various stakeholders. The document also outlines common API attack classes like DDoS, data breaches, and abuse of functionality. Finally, it provides key takeaways that APIs have complex interconnected systems, require coordination across teams, and need to be evaluated from different security perspectives.
Quality Jam 2017: Elise Carmichael and Corey Pyle "Jumpstarting Your Test Aut...
Elise Carmichael and Corey Pyle walk you through real-life test automation stories and use cases including: How to decide which tests to automate, how to write XCUITests for IOS, demo how Amazon Alexa can be automated and how to publish automated results to qTest using a node package.
The recording from Quality Jam 2017 can be found at: www.qasymphony.com/blog/quality-jam-2017-presentations/
Quality Jam 2017: Kevin Dunne "Macro Trends and Useful Tools that 'Get It'"
Testers can’t live without their beloved tools, and the landscape of testing and development tools is changing rapidly. While testers were previously limited to a few expensive and difficult to use tools, the market is now filling with many more affordable, powerful, and easy to use products. In this presentation, Kevin will discuss 5 of the most important macro trends in test tools: 1) Specialization 2) Cloud hosting 3) Architectural Shifts 4) Collaboration 5) Ease of Use/Deployment. Kevin will also provide examples of popular tools that are capitalizing on these trends and gaining popularity in the market.
Watch the Quality Jam presentation at www.qasymphony.com/blog/quality-jam-2017-presentations/
Security as Code: DOES15
This document discusses applying security automation principles through a SecDevOps approach. It begins by highlighting lessons from other companies that deployed features in a disabled state using feature flags and integrated security testing in continuous integration. The document then outlines how Kenna applies SecDevOps principles through automation, with examples like using Chef for configuration management and testing security at each code check. It also presents a use case where Kenna loads security scanning results from various tools into its platform via API to enable continuous security testing.
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Slides used for https://www.devopsdays.org/events/2017-toronto/program/andreas-grabner/
In 2011 we delivered 2 major releases of our on premise enterprise software. Market, technology and customer requirements forced us to change that in order to remain competitive.
Now – in 2017 - we are deploying and providing feature releases every 2 weeks for both our on premise and SaaS-based offering. We deploy 170 SaaS production changes per day and have a DevOps pipeline that allows us to deploy a code change within 1h if necessary.
To increase quality, we built and provide a DevOps pipeline that currently executes 31000 Unit & Integration Tests per Hour as well as 60h UI Tests per Build. Our application teams are responsible end-to-end for their features and use production monitoring to validate their deployments which allows them to find 93% of bugs in production before it impacts our end users.
In this session I explain how this transformation worked from both “Top Down” as well as “Bottom Up” in our organization. A key component was the 4 people strong DevOps Team who developed and “sell” their DevOps Pipeline to the globally distributed application teams. I will give insights into how our pipeline enables application teams to design, code, test and run a new feature for our user base.
I will also talk about the “dark moments” as change is never without friction. Both internally as well as with our customers who also had to get used to more rapid changes.
DevOps: Cultural and Tooling Tips Around the World
To watch this webinar replay, please join us here:
https://info.dynatrace.com/apm_wc_devops_journey_series_tips_around_the_world_na_registration.html
DevOps: Cultural and Tooling Tips Around the World
DevOps! One of the most abused terms in the software industry over the last few years. One of the reasons for this is that the term can mean something totally different, depending on what your role is, and what kind of business you are in. Yet, it is a very real practice with solid benefits that allow companies to build better quality software faster, and with lower cost and risk.
In this 30-minute “secret sauce” session, Andreas Grabner, DevOps Activist at Dynatrace, shares customer learnings and best practices from DevOps adopters around the world. You’ll gain insights from questions like:
• What does DevOps really mean for developers, testers and operators?
• How do companies like Facebook deploy twice a day without big issues?
• How does DevOps work in industries like finance, government, and healthcare where tight regulations exist?
• Is Dev responsible for Ops? Or only if you are working in a Cloud environment?
• What is different and unique as we move from old-fashioned on-prem software to hybrid and Cloud apps?
• Why is talking to people the forgotten DevOps tool?
Performance Metrics Driven CI/CD - Introduction to Continuous Innovation and ...
Deck used for my talk at the 2016 Spring User Conference in Toronto. Deck was followed up by a walkthrough of a Jenkins workflow that deployed to Cloud Foundry based on jmeter test results
AppSec is Eating Security
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
This document outlines the top 10 ways to fail at DevOps. It discusses failing to include management buy-in, becoming too reliant on open source software, and failing to consider IT history. It also notes that DevOps should not mean "DevNo-Ops" and that the same automation used in development and testing environments should also be applied to production, with the production environment in mind from the beginning. Centralizing DevOps and thinking failures in production are acceptable are also outlined as ways to fail at DevOps. The document provides context and examples for each of the top 10 ways.
DevOps Pipelines and Metrics Driven Feedback Loops
The goal behind devops is Faster Lead Times
What this really means for Software Delivery -> my Kodak/Smart Phone Analogy
How and Which Metrics to use along the Delivery Pipeline to make better decisions along the way.
OOP 2016 - Building Software That Eats The World
According to VC and web pioneer Marc Andreessen software is eating the world. Evidence proves he is right. Uber, the biggest taxi company, has no cars, AirBnB, the biggest hotel service, has no rooms and there are many more examples. Looking at these success stories there is a clear blueprint how to build software that eats the world. Just a quick heads up: It is not about building your typical web application any more.
Continuous Delivery, Continuous Integration
Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services.
Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India
Devops, Secops, Opsec, DevSec *ops *.* ?
This document discusses the DevOps movement and related concepts. It provides background on how development and operations teams historically worked separately ("Devs vs Ops") and the problems that caused. DevOps aims to break down barriers between teams through practices like automation, continuous integration/delivery, infrastructure as code, and collaboration between teams from the beginning of a project. The document outlines problems DevOps aims to solve and gives examples of tools and approaches for bringing development and operations cultures together.
DevOps Transformation at Dynatrace and with Dynatrace
Presentation given at CMG Boston - April 20th 2017
#1: How to explain DevOps Transformation?
#2: How Dynatrace transformed from 6months waterfall to 1h code deploy
#3: The role of Monitoring in DevOps / CI/CD
#4: Using Dynatrace for your DevOps Transformation
The Key to DevOps? Testing Early in the Pipeline
As teams embrace DevOps, quality becomes a bottleneck for rapid development and delivery. Traditional QA practices of functional testing release candidates are not cutting it in this new era of lightning fast development. Teams are finding that they need to test early and often to rapidly surface error during development to reach continuous delivery.
Learn how to implement E2E testing at the earliest stages of development: from initial code commit, to pull requests with ephemeral environments, and high confidence merges. This practice optimizes DevOps software development by enabling developers to solve issues earlier, proactively update tests (so they don’t break later) and become even more productive.
Join mabl software engineer Joe Lust to hear how the mabl team puts these ideas into practice daily and how it has benefited their team and product. Additionally, you will learn about:
Impact of DevOps on testing
Benefits of testing earlier in development
Best practices of how mabl does this at mabl
Dan Cuellar
This document discusses how Dan Cuellar accidentally created the wildly popular open source mobile testing framework Appium. It describes how Appium works and its philosophy of being inclusive, free, and open source. It provides code examples for setting up tests on iOS and Android. It also outlines how Cuellar grew the project from 0 to over 100,000 users through conferences, forums, and being very inclusive. It discusses challenges like conflict, loss of control, and rewriting the codebase, and looks towards the future of Appium.
DevOps and All the Continuouses w/ Helen Beal
DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg.
DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain.
When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you have Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?
Intro to DefectDojo at OWASP Switzerland
This document introduces Fred Blaise and provides information about OWASP DefectDojo. DefectDojo is an open-source application vulnerability correlation and security orchestration tool that consolidates findings from multiple tools, tracks vulnerabilities, and enables automation through its REST API. It can ingest reports from many common security tools and helps automate previously manual processes to improve security and allow small teams to manage large application security programs. The document demonstrates how DefectDojo can be deployed in various environments and discusses its features, community, and recent improvements.
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
What DevOps Isn't
This is a presentation I gave to 100+ people at Rev1 Ventures in Columbus, OH. The presentation was about how to define DevOps. Like any new concept, there are multiple and sometimes competing definitions. I've found that implementations of DevOps can change but there are some very common anti-patterns. Lastly, I talk about how we implement DevOps at Bold Penguin.
More Related Content
What's hot
AppSec Pipeline - Velcocity NY 2015
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
DevSecOps Fundamentals and the Scars to Prove it.
This document discusses the fundamentals and evolution of DevSecOps. It begins by introducing the author and their background. It then outlines key DevSecOps concepts like reducing complexity, managing dependencies, shared understanding, enabling default security controls, fully utilizing frameworks, embracing cloud-native principles, codifying processes, treating servers as cattle, and automating workflows. The document also discusses the importance of DefectDojo and generating AppSec pipelines to integrate security testing into development pipelines in order to scale efforts and increase visibility, consistency, and flow. It emphasizes automating non-human tasks to optimize security personnel.
Peeling the Onion: Making Sense of the Layers of API Security
This document provides an overview of API security from multiple perspectives: API security posture, runtime security, and security testing. It discusses the complex API ecosystem involving various stakeholders. The document also outlines common API attack classes like DDoS, data breaches, and abuse of functionality. Finally, it provides key takeaways that APIs have complex interconnected systems, require coordination across teams, and need to be evaluated from different security perspectives.
Quality Jam 2017: Elise Carmichael and Corey Pyle "Jumpstarting Your Test Aut...
Elise Carmichael and Corey Pyle walk you through real-life test automation stories and use cases including: How to decide which tests to automate, how to write XCUITests for IOS, demo how Amazon Alexa can be automated and how to publish automated results to qTest using a node package.
The recording from Quality Jam 2017 can be found at: www.qasymphony.com/blog/quality-jam-2017-presentations/
Quality Jam 2017: Kevin Dunne "Macro Trends and Useful Tools that 'Get It'"
Testers can’t live without their beloved tools, and the landscape of testing and development tools is changing rapidly. While testers were previously limited to a few expensive and difficult to use tools, the market is now filling with many more affordable, powerful, and easy to use products. In this presentation, Kevin will discuss 5 of the most important macro trends in test tools: 1) Specialization 2) Cloud hosting 3) Architectural Shifts 4) Collaboration 5) Ease of Use/Deployment. Kevin will also provide examples of popular tools that are capitalizing on these trends and gaining popularity in the market.
Watch the Quality Jam presentation at www.qasymphony.com/blog/quality-jam-2017-presentations/
Security as Code: DOES15
This document discusses applying security automation principles through a SecDevOps approach. It begins by highlighting lessons from other companies that deployed features in a disabled state using feature flags and integrated security testing in continuous integration. The document then outlines how Kenna applies SecDevOps principles through automation, with examples like using Chef for configuration management and testing security at each code check. It also presents a use case where Kenna loads security scanning results from various tools into its platform via API to enable continuous security testing.
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Slides used for https://www.devopsdays.org/events/2017-toronto/program/andreas-grabner/
In 2011 we delivered 2 major releases of our on premise enterprise software. Market, technology and customer requirements forced us to change that in order to remain competitive.
Now – in 2017 - we are deploying and providing feature releases every 2 weeks for both our on premise and SaaS-based offering. We deploy 170 SaaS production changes per day and have a DevOps pipeline that allows us to deploy a code change within 1h if necessary.
To increase quality, we built and provide a DevOps pipeline that currently executes 31000 Unit & Integration Tests per Hour as well as 60h UI Tests per Build. Our application teams are responsible end-to-end for their features and use production monitoring to validate their deployments which allows them to find 93% of bugs in production before it impacts our end users.
In this session I explain how this transformation worked from both “Top Down” as well as “Bottom Up” in our organization. A key component was the 4 people strong DevOps Team who developed and “sell” their DevOps Pipeline to the globally distributed application teams. I will give insights into how our pipeline enables application teams to design, code, test and run a new feature for our user base.
I will also talk about the “dark moments” as change is never without friction. Both internally as well as with our customers who also had to get used to more rapid changes.
DevOps: Cultural and Tooling Tips Around the World
To watch this webinar replay, please join us here:
https://info.dynatrace.com/apm_wc_devops_journey_series_tips_around_the_world_na_registration.html
DevOps: Cultural and Tooling Tips Around the World
DevOps! One of the most abused terms in the software industry over the last few years. One of the reasons for this is that the term can mean something totally different, depending on what your role is, and what kind of business you are in. Yet, it is a very real practice with solid benefits that allow companies to build better quality software faster, and with lower cost and risk.
In this 30-minute “secret sauce” session, Andreas Grabner, DevOps Activist at Dynatrace, shares customer learnings and best practices from DevOps adopters around the world. You’ll gain insights from questions like:
• What does DevOps really mean for developers, testers and operators?
• How do companies like Facebook deploy twice a day without big issues?
• How does DevOps work in industries like finance, government, and healthcare where tight regulations exist?
• Is Dev responsible for Ops? Or only if you are working in a Cloud environment?
• What is different and unique as we move from old-fashioned on-prem software to hybrid and Cloud apps?
• Why is talking to people the forgotten DevOps tool?
Performance Metrics Driven CI/CD - Introduction to Continuous Innovation and ...
Deck used for my talk at the 2016 Spring User Conference in Toronto. Deck was followed up by a walkthrough of a Jenkins workflow that deployed to Cloud Foundry based on jmeter test results
AppSec is Eating Security
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
This document outlines the top 10 ways to fail at DevOps. It discusses failing to include management buy-in, becoming too reliant on open source software, and failing to consider IT history. It also notes that DevOps should not mean "DevNo-Ops" and that the same automation used in development and testing environments should also be applied to production, with the production environment in mind from the beginning. Centralizing DevOps and thinking failures in production are acceptable are also outlined as ways to fail at DevOps. The document provides context and examples for each of the top 10 ways.
DevOps Pipelines and Metrics Driven Feedback Loops
The goal behind devops is Faster Lead Times
What this really means for Software Delivery -> my Kodak/Smart Phone Analogy
How and Which Metrics to use along the Delivery Pipeline to make better decisions along the way.
OOP 2016 - Building Software That Eats The World
According to VC and web pioneer Marc Andreessen software is eating the world. Evidence proves he is right. Uber, the biggest taxi company, has no cars, AirBnB, the biggest hotel service, has no rooms and there are many more examples. Looking at these success stories there is a clear blueprint how to build software that eats the world. Just a quick heads up: It is not about building your typical web application any more.
Continuous Delivery, Continuous Integration
Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services.
Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India
Devops, Secops, Opsec, DevSec *ops *.* ?
This document discusses the DevOps movement and related concepts. It provides background on how development and operations teams historically worked separately ("Devs vs Ops") and the problems that caused. DevOps aims to break down barriers between teams through practices like automation, continuous integration/delivery, infrastructure as code, and collaboration between teams from the beginning of a project. The document outlines problems DevOps aims to solve and gives examples of tools and approaches for bringing development and operations cultures together.
DevOps Transformation at Dynatrace and with Dynatrace
Presentation given at CMG Boston - April 20th 2017
#1: How to explain DevOps Transformation?
#2: How Dynatrace transformed from 6months waterfall to 1h code deploy
#3: The role of Monitoring in DevOps / CI/CD
#4: Using Dynatrace for your DevOps Transformation
The Key to DevOps? Testing Early in the Pipeline
As teams embrace DevOps, quality becomes a bottleneck for rapid development and delivery. Traditional QA practices of functional testing release candidates are not cutting it in this new era of lightning fast development. Teams are finding that they need to test early and often to rapidly surface error during development to reach continuous delivery.
Learn how to implement E2E testing at the earliest stages of development: from initial code commit, to pull requests with ephemeral environments, and high confidence merges. This practice optimizes DevOps software development by enabling developers to solve issues earlier, proactively update tests (so they don’t break later) and become even more productive.
Join mabl software engineer Joe Lust to hear how the mabl team puts these ideas into practice daily and how it has benefited their team and product. Additionally, you will learn about:
Impact of DevOps on testing
Benefits of testing earlier in development
Best practices of how mabl does this at mabl
Dan Cuellar
This document discusses how Dan Cuellar accidentally created the wildly popular open source mobile testing framework Appium. It describes how Appium works and its philosophy of being inclusive, free, and open source. It provides code examples for setting up tests on iOS and Android. It also outlines how Cuellar grew the project from 0 to over 100,000 users through conferences, forums, and being very inclusive. It discusses challenges like conflict, loss of control, and rewriting the codebase, and looks towards the future of Appium.
DevOps and All the Continuouses w/ Helen Beal
DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg.
DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain.
When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you have Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?
Intro to DefectDojo at OWASP Switzerland
This document introduces Fred Blaise and provides information about OWASP DefectDojo. DefectDojo is an open-source application vulnerability correlation and security orchestration tool that consolidates findings from multiple tools, tracks vulnerabilities, and enables automation through its REST API. It can ingest reports from many common security tools and helps automate previously manual processes to improve security and allow small teams to manage large application security programs. The document demonstrates how DefectDojo can be deployed in various environments and discusses its features, community, and recent improvements.
What's hot (20)
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Quality Jam 2017: Elise Carmichael and Corey Pyle "Jumpstarting Your Test Aut...
Quality Jam 2017: Elise Carmichael and Corey Pyle "Jumpstarting Your Test Aut...
Quality Jam 2017: Kevin Dunne "Macro Trends and Useful Tools that 'Get It'"
Quality Jam 2017: Kevin Dunne "Macro Trends and Useful Tools that 'Get It'"
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the World
Performance Metrics Driven CI/CD - Introduction to Continuous Innovation and ...
Performance Metrics Driven CI/CD - Introduction to Continuous Innovation and ...
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DevOps Pipelines and Metrics Driven Feedback Loops
DevOps Pipelines and Metrics Driven Feedback Loops
DevOps Transformation at Dynatrace and with Dynatrace
DevOps Transformation at Dynatrace and with Dynatrace
Similar to Taking the Best of Agile, DevOps and CI/CD into security
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
What DevOps Isn't
This is a presentation I gave to 100+ people at Rev1 Ventures in Columbus, OH. The presentation was about how to define DevOps. Like any new concept, there are multiple and sometimes competing definitions. I've found that implementations of DevOps can change but there are some very common anti-patterns. Lastly, I talk about how we implement DevOps at Bold Penguin.
DevOps on AWS
The document discusses DevOps practices at Amazon Web Services (AWS). It begins with an overview of DevOps and how it has helped Amazon deploy code faster and more frequently. It then discusses specific DevOps tools and services offered by AWS, including AWS CodeCommit for source control, AWS CodeBuild for builds, AWS CodeDeploy for deployments, AWS CodePipeline for release orchestration, and AWS CodeStar for application development. The document explains how these services work together to enable continuous integration and continuous delivery workflows. It also discusses how AWS has implemented DevOps practices like infrastructure as code and monitoring within its own systems to deploy millions of times per day while maintaining quality, security and reliability.
Simplified DevOps Bliss -with OpenAI API
Are you tired of the ever-increasing complexity in the world of DevOps? Do Docker and Kubernetes scripts, Ansible configurations, and networking woes make your head spin? It's time for a breath of fresh air.
Join us on a transformative journey where we shatter the myth that DevOps has to be overly complicated. Say goodbye to the days of struggling with incomplete scripts and tangled configurations. In this enlightening talk, we'll guide you through the process of rapidly onboarding your new standard microservice into the DevOps and Cloud universe.
We'll unveil the power of GitHub Actions, AWS, OpenAI API, and MS Teams Incoming Web hooks in a way that's both enlightening and entertaining. Additionally, we'll explore how Language Model APIs (LLMs) can be leveraged to enhance and streamline your DevOps workflows. You'll discover that DevOps doesn't have to be a labyrinth of complexity; it can be a streamlined and enjoyable experience.
So, if you're ready to simplify your DevOps journey and embrace a world where AWS, the OpenAI API, and GitHub Actions collaborate seamlessly while harnessing the potential of LLMs, join us and let's make DevOps a breeze!
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
More details here - https://www.practical-devsecops.com/
DevOps, Common use cases, Architectures, Best Practices
This document discusses DevOps concepts and best practices. It recommends breaking down barriers between development and operations, treating infrastructure as code, automating processes, implementing continuous integration and deployment, and monitoring systems. The key aspects are adopting a collaborative culture, implementing automation tools, and establishing practices like infrastructure as code, configuration management, and continuous integration, delivery and deployment.
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
More details here - https://www.practical-devsecops.com/
Scale security for a dollar or less
Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
Global DevOps BootCamp
This document announces a Global DevOps Bootcamp event with hands-on challenges related to DevOps. It will take place at 73 venues worldwide with 8,000 tickets available. The agenda includes introductions to DevOps, Azure CLI, continuous integration, and demonstrations. DevOps is presented as an approach combining development, testing, and operations to enable continuous delivery. Traditional and modern IT approaches are compared. The document also outlines DevOps principles, practices, automation, containers, and serverless computing.
Understanding DevOps
This document provides an overview of DevOps and what is needed to succeed as a DevOps engineer. It discusses the DevOps ideology of collaboration between development, QA, and operations teams. It also outlines skills needed like infrastructure design, monitoring, automation, and an emphasis on continuous learning. The document recommends gaining experience in cloud platforms, databases, tools, CI/CD, development languages, and provisioning to get started in DevOps.
Application Delivery Patterns
This document discusses application delivery patterns used by REA. It begins with an agenda and mission statement. It then provides examples of "Hello World" programs in various languages. It discusses development and delivery lifecycles, including the use of pipelines. It describes characteristics of good pipelines and pipeline design considerations. It outlines REA's journey with application delivery on AWS and lessons learned, including the use of multiple accounts and decoupling deployment tools from applications. Key recommendations include deploying fully resolved artifacts, keeping metrics, and giving deployment teams response powers.
DevOps Tooling - Pop-up Loft TLV 2017
Learn how to use AWS services to automate manual tasks, help teams manage complex environments at scale, and keep engineers in control of the high velocity that is enabled by DevOps. In this session, we will provide an overview of the various AWS development and deployment services and when best to use them. We will show how to build a fully automated infrastructure and software delivery pipeline with AWS CodePipeline, AWS CodeBuild, AWS CloudFormation and AWS CodeDeploy. At the end of the session, a GitHub repository of AWS CloudFormation templates will be provided so you can quickly deploy the same pipeline to your AWS account(s).
Application Delivery Patterns for Developers - Technical 401
Every developer has gone through the frustration of creating new features, fixing bugs, or refactoring beautiful code, and then wait for it to reach the promise land of production. Come and learn how to get your changes in the hands of your customers with more speed, reliability, security and quality.
We will dive deep into architectures for continuous delivery pipelines, apply lean principles, and build intelligence into your pipeline.
Speaker: Shiva Narayanaswamy, Solutions Architect, Amazon Web Services
Featured Customer - REA Group
Automating Security in Cloud Workloads with DevSecOps
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
AWS Summit Auckland - Application Delivery Patterns for Developers
This document provides an overview of application delivery patterns presented by Shiva Narayanaswamy of Amazon Web Services and Nick Walker of Vend. It discusses why certain patterns are used, what the patterns are, and how they can be implemented. Specific patterns covered include blue/green deployments, canary releases, feature flags, and environment promotion. The document also summarizes Vend's experience migrating to a container-based deployment pipeline with standardized practices.
Agile & DevOps - It's all about project success
The document provides information on DevOps practices and tools from Microsoft. It discusses how DevOps enables continuous delivery of value through integrating people, processes, and tools. Benefits of DevOps include more frequent and stable releases, lower change failure rates, and empowered development teams. The document provides examples of DevOps scenarios and recommends discussing solutions and migration plans with Microsoft.
Implementing DevSecOps
Security will always be our top priority. Agile deployment methods require a set of dynamic built-in security controls that keep pace with innovation and scale. In this session we will utilise the power of automation with the AWS platform to increase the agility of developers while maintaining a strong security posture.
Speaker: David Faulkner, Senior Technical Account Manager, Amazon Web Services
Agile Secure Cloud Application Development Management
IT Security Symposium 2011 talk. A discussion of leveraging Agile Development + Cloud Computing, and various tools which have worked for us.
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“.
AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
Matt Tesauro presented on applying DevOps practices to application security. He discussed how traditional software development left little time for security testing. DevOps, Agile, and continuous delivery further squeeze testing windows. The solution is automated security testing integrated into software pipelines. Tesauro outlined key features of application security pipelines like iterative improvement, reusable processes, and a focus on automation to optimize security resources. Pipelines improve visibility, consistency, and flow of security work.
Similar to Taking the Best of Agile, DevOps and CI/CD into security (20)
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
DevOps, Common use cases, Architectures, Best Practices
DevOps, Common use cases, Architectures, Best Practices
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for Developers
Agile Secure Cloud Application Development Management
Agile Secure Cloud Application Development Management
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
More from Matt Tesauro
Tenants for Going at DevSecOps Speed - LASCON 2023
You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tool outputs for all your different apps let alone shrink the pile of work already on your plate? In this talk, we’ll discuss the key decision points and requirements to set up a program that moves as fast as it needs to without your team burning out. Learn how to keep moving forward while keeping your sanity.
After learning to be nimble from dealing with teams that are doing 75 production deployments per week, the surviving ideas have been distilled into a collection of tenants. We’ll cover: How to handle CI/CD tests versus traditional security assessments? How to best manage SLAs? How to keep data for auditors and regulatory requirements while also doing continuous testing? Understanding health checks versus continuous testing versus manual testing. How to deal with false positives, risk acceptances and the lifecycle of a security issue? By using these tenants, security assessments at one company grew from 44 to 414 in 2 years or 9.4 times all while losing some headcount. Time to turn chaos into calm and distress into success.
Hacking and Defending APIs - Red and Blue make Purple.pdf
The document provides an overview of attacking and defending APIs. It discusses why APIs are attractive targets for attackers, such as the valuable data they provide. It then covers various techniques attackers use to discover, learn about, and exploit APIs, such as reconnaissance, discovery, and different types of active attacks. The document also discusses defenses, noting the importance of having visibility into API traffic and understanding normal behavior to detect attacks. It focuses on the OWASP API Top 10 risks and provides examples of how attackers may exploit each risk.
Practical DevSecOps: Fundamentals of Successful Programs
From ONUG Fall 2022:
"Shift Left'' and automation have turned from ideals to meaningless buzzwords. Instead of riding the hype train, let's get real and cover practical and real-world examples taken from actual product security successes. Not every business is the same, neither will their DevSecOps program.
In this talk, I'll cover the fundamentals of common to successful DevSecOps programs as well as a grab bag of useful techniques to consider. These are lessons learned doing AppSec at a wide variety of companies including Rackspace, Pearson, a fortune 500 financial, Duo Security and Cognizant Healthcare. Bruce Lee said "Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own". The goal of this talk is to provide you with enough examples to build your own pragmatic and practical DevSecOps program or maybe absorb a new technique or two into your existing program.
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
Landmines in the API Landscape
APIs seem simple. It's just one program talking to another program over a network. However, behind that seeming simplicity lies a
complex landscape full of landmines, foot guns and sharp edges.
How do you navigate the API terrain without exposing yourself to
attack? This talk will cover the API landscape and point out where
'there be dragons'. If you don't have a large number of APIs, you will soon enough so do yourself a favor and follow the map provided in this talk.
The Final Frontier, Automating Dynamic Security Testing
This is not your normal DevSecOps presentation. We’re going to take on the most difficult aspect of security automation, the dreaded and pitfall prone, dynamic testing. You want to shift left and automate all the things, but DAST specifically has many thorns. How do you ensure what you’re testing matches production? Do devs own the environment? On metal, docker, kubernetes, or docker-compose? Test coverage? Balancing all these elements and more is not easy. Especially if you want to create a single, scalable, standard for your entire org. In this talk, we’ll cover what is needed to start automating your dynamic security testing, how to navigate the trade-offs you’ll have to consider, and finally how best to fit automated DAST testing into your software delivery pipelines. We’ll discuss simple and easy steps to gain efficiency and how to scale to mature pipelines that require little to no human intervention.
Running FaaS with Scissors
Serverless is here so why not use it to make your life better. This talk discussing ways to use serverless to add automation to your application and cybersecurity work.
Originally presented at Global AppSec DC 2019
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
This document discusses how to incorporate Agile, DevOps, and CI/CD principles into an application security (AppSec) program through the use of AppSec pipelines. It describes how Pearson created an AppSec pipeline to help optimize their AppSec team's resources, drive consistency, increase visibility, and reduce friction between development and security teams. The document advocates experimenting with AppSec pipelines to continuously improve processes through techniques like integrating Docker containers and writing security tests.
Taking AppSec to 11 - BSides Austin 2016
This document summarizes Matt Tesauro's presentation "Taking AppSec to 11" given at Bsidess Austin 2016. The presentation discusses implementing application security (AppSec) pipelines to improve workflows and optimize critical resources like AppSec personnel. Key points include automating repetitive tasks, driving consistency, increasing visibility and metrics, and reducing friction between development and AppSec teams. An AppSec pipeline provides a reusable and consistent process for security activities to follow through intake, testing, and reporting stages. The goal is to optimize people's time spent on customization and analysis rather than setup and configuration.
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“.
AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.
Dev ops hackformers-matt-tesauro
DevOps - its all about doing the right thing, much like the teachings in the Bible. A quick overview of DevOps, how many of the tenants of DevOps are shared with Christianity and how Pearson is putting DevOps into AppSec with an AppSec Pipeline.
Making security-agile matt-tesauro
Software development is happening faster then ever. Can your AppSec program keep up? This talk shows how an AppSec pipeline can help speed things up.
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
An overview of how to change security from a reactive part of the org to a collaborative part of the agile development process. Using concepts from agile and DevOps, how can applicaton security get as nimble as product development has become.
OWASP WTE - Now in the Cloud!
This document provides information about the OWASP Web Testing Environment (WTE) project and its leader Matt Tesauro. It discusses the history and goals of the WTE project, which provides a collection of web application security testing tools in an easy-to-use environment. It also outlines ideas for the future of the project, such as providing automated cloud-based instances of the WTE and aligning its tools with the OWASP Testing Guide.
DevOps, CLI, APIs, Oh My! Security Gone Agile
Traditional application security cannot keep pace with pace of change in applicaiton development - that model is dead. Move beyond the 5 stages of grief and get your agile security on. This talk covers practices that helped the product security team at Rackspace keep up with the rate of change facing modern day application security teams.
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro gave a presentation on testing applications at cloud speed in a DevOps environment. He discussed how the DevOps model emphasizes rapid development and release cycles, leaving little time for traditional testing. The solution is to automate software testing, infrastructure testing, and security testing so they can keep pace with continuous delivery. He provided examples of automating infrastructure configuration with tools like Chef, integrating security testing into the development lifecycle by submitting findings as bugs, and leveraging code review automation while avoiding false positives. The overall message was that security testing needs to become agile, automated, and integrate with developer workflows to be effective in a DevOps model.
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
As the world of system and application deployment continues to change, the sys admin and security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional sys admin and security processes just don’t work. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. Rackspace has been developing a tool to help them design, deploy and security assess complex configurations for customers called Checkmate. This talk will cover the concepts behind and the architecture of Checkmate and how it helps minimize the time to deploy systems and verify they have been created to spec and in a secure state. A discussion of how Checkmate has inspired the concept of Test Driven Security based on the Test Driven Development model familiar to the development world.
More from Matt Tesauro (17)
Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Recently uploaded
HijackLoader Evolution: Interactive Process Hollowing
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
原版办【微信号:95270640】【新西兰林肯大学毕业证(Lincoln毕业证书)】【微信号:95270640】《成绩单、外壳、雅思、offer、真实留信官方学历认证(永久存档/真实可查)》采用学校原版纸张、特殊工艺完全按照原版一比一制作(包括:隐形水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠,文字图案浮雕,激光镭射,紫外荧光,温感,复印防伪)行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备,十五年致力于帮助留学生解决难题,业务范围有加拿大、英国、澳洲、韩国、美国、新加坡,新西兰等学历材料,包您满意。
【我们承诺采用的是学校原版纸张(纸质、底色、纹路)我们拥有全套进口原装设备,特殊工艺都是采用不同机器制作,仿真度基本可以达到100%,所有工艺效果都可提前给客户展示,不满意可以根据客户要求进行调整,直到满意为止!】
【业务选择办理准则】
一、工作未确定,回国需先给父母、亲戚朋友看下文凭的情况,办理一份就读学校的毕业证【微信号95270640】文凭即可
二、回国进私企、外企、自己做生意的情况,这些单位是不查询毕业证真伪的,而且国内没有渠道去查询国外文凭的真假,也不需要提供真实教育部认证。鉴于此,办理一份毕业证【微信号95270640】即可
三、进国企,银行,事业单位,考公务员等等,这些单位是必需要提供真实教育部认证的,办理教育部认证所需资料众多且烦琐,所有材料您都必须提供原件,我们凭借丰富的经验,快捷的绿色通道帮您快速整合材料,让您少走弯路。
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
留信网服务项目:
1、留学生专业人才库服务(留信分析)
2、国(境)学习人员提供就业推荐信服务
3、留学人员区块链存储服务
【关于价格问题(保证一手价格)】
我们所定的价格是非常合理的,而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子 我给客户的都是第一手的代理价格,因为我想坦诚对待大家 不想跟大家在价格方面浪费时间
对于老客户或者被老客户介绍过来的朋友,我们都会适当给一些优惠。
选择实体注册公司办理,更放心,更安全!我们的承诺:客户在留信官方认证查询网站查询到认证通过结果后付款,不成功不收费!
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
学校原件一模一样【微信:741003700 】《(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书》【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
原版一模一样【微信:741003700 】【(uc毕业证书)加拿大卡尔加里大学毕业证成绩单】【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
办理(uc毕业证书)加拿大卡尔加里大学毕业证【微信:741003700 】外观非常简单,由纸质材料制成,上面印有校徽、校名、毕业生姓名、专业等信息。
办理(uc毕业证书)加拿大卡尔加里大学毕业证【微信:741003700 】格式相对统一,各专业都有相应的模板。通常包括以下部分:
校徽:象征着学校的荣誉和传承。
校名:学校英文全称
授予学位:本部分将注明获得的具体学位名称。
毕业生姓名:这是最重要的信息之一,标志着该证书是由特定人员获得的。
颁发日期:这是毕业正式生效的时间,也代表着毕业生学业的结束。
其他信息:根据不同的专业和学位,可能会有一些特定的信息或章节。
办理(uc毕业证书)加拿大卡尔加里大学毕业证【微信:741003700 】价值很高,需要妥善保管。一般来说,应放置在安全、干燥、防潮的地方,避免长时间暴露在阳光下。如需使用,最好使用复印件而不是原件,以免丢失。
综上所述,办理(uc毕业证书)加拿大卡尔加里大学毕业证【微信:741003700 】是证明身份和学历的高价值文件。外观简单庄重,格式统一,包括重要的个人信息和发布日期。对持有人来说,妥善保管是非常重要的。
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
学校原件一模一样【微信:741003700 】《(Vic毕业证书)惠灵顿维多利亚大学毕业证》【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
原版定制【微信:bwp0011】《(umiami毕业证书)美国迈阿密大学毕业证文凭证书》【微信:bwp0011】成绩单 、雅思、外壳、留信学历认证永久存档查询,采用学校原版纸张、特殊工艺完全按照原版一比一制作(包括:隐形水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠,文字图案浮雕,激光镭射,紫外荧光,温感,复印防伪)行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备,十五年致力于帮助留学生解决难题,业务范围有加拿大、英国、澳洲、韩国、美国、新加坡,新西兰等学历材料,包您满意。
【业务选择办理准则】
一、工作未确定,回国需先给父母、亲戚朋友看下文凭的情况,办理一份就读学校的毕业证【微信bwp0011】文凭即可
二、回国进私企、外企、自己做生意的情况,这些单位是不查询毕业证真伪的,而且国内没有渠道去查询国外文凭的真假,也不需要提供真实教育部认证。鉴于此,办理一份毕业证【微信bwp0011】即可
三、进国企,银行,事业单位,考公务员等等,这些单位是必需要提供真实教育部认证的,办理教育部认证所需资料众多且烦琐,所有材料您都必须提供原件,我们凭借丰富的经验,快捷的绿色通道帮您快速整合材料,让您少走弯路。
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
【关于价格问题(保证一手价格)】
我们所定的价格是非常合理的,而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子 我给客户的都是第一手的代理价格,因为我想坦诚对待大家 不想跟大家在价格方面浪费时间
对于老客户或者被老客户介绍过来的朋友,我们都会适当给一些优惠。
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Bengaluru Dreamin' 24 - Personal Branding
Session on Personal Branding presented at Bengaluru Dreamin
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Recently uploaded (11)
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Taking the Best of Agile, DevOps and CI/CD into security
- 1. Taking the Best of Agile, DevOps and CI/CD Into Security Matt Tesauro matt.tesauro@10Security.com
- 2. Hello! I am Matt Tesauro I think AppSec needs to evolve And I am going to tell you how You can find me at @matt_tesauro
- 3. Custom Coachwork and Bespoke AppSec 0
- 4. Who is this guy?
- 5. The Phoenix Project 3 Ways of DevOps
- 6. #1 Workflow Look at your purpose and those processes which aid it 1
- 7. AppSec Pipelines Using CI/CD as inspiration, figure out your AppSec workflow.
- 8. Custom Made (with finite options)
- 9. Custom Made (with finite options)
- 10. Key Features of AppSec Pipelines ▪ Designed for iterative improvement ▪ Provides a reusable path for AppSec activities to follow ▪ Provides a consistent process for both the team and our constituency ▪ One way flow with well-defined states ▪ Relies heavily on automation ▪ Grows organically over time ▪ Gracefully interconnects with the development process
- 13. “Spending time optimizing anything other than the critical resource is an illusion. W. Edwards Deming
- 14. Optimize the critical resource - AppSec Personnel ▪ Automate the things that don’t require a human brain ▪ Drive up consistency ▪ Increase tracking of work status ▪ Increase flow through the system ▪ Increase visibility and metrics ▪ Reduce dev team friction Key Goals of AppSec Pipelines
- 15. Why choose an AppSec Pipeline? Allows us to have visibility into WIP ▪ Better understand/track/optimize flow ▪ Average SAST engagement takes… Great increase in consistency ▪ Each step has a well defined interface Easier moving activities between staff ▪ Informed for “switching costs” convos Flexible enough for a range of skills and DevOps maturity
- 16. What can an AppSec Pipeline do for you?
- 17. Real world AppSec Pipeline Stats
- 18. AppSec Pipeline + DefectDojo
- 19. 840.91% Percentage Increase from 2014 to 2016
- 20. #2 Improve Feedback Open yourself up to upstream and downstream information 2
- 21. A call to action
- 22. AppSec Chat Ops Making chat the way you do security
- 23. Developer Advice - 24 x 7
- 24. Or let you know you’re being attacke
- 25. Get notifications when you want and how you want
- 26. CAMS / CALMS Culture, Automation, Measurement, Sharing ▪ CALMS = CAMS + Lean Measurement = Metrics => Visibility Automate the drudgery ▪ Allows meaningful personal interactions What would you want if you were the dev you’re talking to?
- 27. #3 Continual Experimentation and Learning Create a culture of innovation and experimentation 3
- 28. Weaponizing Jenkins / CICD Zero false positives ▪ Anaphylactic shock Health Checks vs Scanning ▪ Run these all the time Home of specific issue tests ▪ Find a vuln, write a test Cadence for longer running tests ▪ These NEVER break the build ▪ Every X builds or every Y days
- 29. Another AppSec Pipeline experiment
- 30. Scaling with Docker Containers
- 31. Containers turn tools into an “Easy Button”
- 32. No reason to not start small docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
- 33. Then get a bit more fancy Pull in and run containers in your CICD Scale out with container orchestration
- 34. Benefits of Containers Effectively scales, can fix configurations Build security tools once, run anywhere Dev teams can run locally what their code will face in CICD runs Easy of deployment, laptop to cloud
- 35. Key Takeaways The Three Ways of DevOps 1. Workflow 2. Improve Feedback 3. Continual Experimentation and Learning The journey will be iterative Get a single source of truth for findings
- 36. ▪ AppSec Pipeline https://github.com/appsecpipeline https://owasp.org/www-project-appsec-pipeline/ ▪ DefectDojo https://www.defectdojo.org/ https://github.com/DefectDojo ▪ DefectDojo Demo https://demo.defectdojo.org/ Log in admin / defectdojo@demo#appsec ▪ Youtube - search for “matt tesauro” & https://www.slideshare.net/mtesauro Resources
- 37. Thanks! Any questions? You can find me at: @matt_tesauro matt.tesauro@10Security.com /in/matttesauro https://10security.com/
- 38. Credits Special thanks to all the people who made and released these awesome resources for free: ▪ Presentation template by SlidesCarnival ▪ Photographs by Unsplash & Death to the Stock Photo (license)