VMware Thought Leadership Series: The New Ways of Chaos, Security, and DevOps
Abstract:
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
The Seven Habits of the Highly Effective DevSecOpJames Wickett
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?
This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops, and security to work together.
The Security, DevOps, and Chaos Playbook to Change the WorldJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This talk will highlight security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does= chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
A Way to Think about DevSecOps: MEASUREJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in history to learn how engineering decisions affect the lives of those around us, with an eye on how to make meaningful progress today.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce MEASURE, a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
----
thanks to Verica https://verica.io and techstrongcon.com
DevOpsDays Austin: Security in the FaaS LaneJames Wickett
James Wickett and Karthik Gaekwad talk about Serverless Security at DevOps Days Austin.
Security in FaaS isn't what we are used to, but this talk shows you how what we learned in appsec still applies. Using LambHack, which is a vulnerable serverless application written in Go on AWS Lambda using Sparta, we will evaluate how to do security in serverless.
In this talk, we will talk about security strategies and pitfalls in the serverless world. You'll leave with an understanding of how to approach security conversations about serverel
Talk goals:
- How to approach the security concerns in a serverless world.
- Talk about the 'WIP' methodology for serverless security.
- Understand current serverless attacks for things to defend against.
- Learn what different cloud providers (AWS/GKE/Azure/Oracle Cloud) do to protect you in a serverless world.
A DevSecOps Tale of Business, Engineering, and PeopleJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Learn what devsecops really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
The Seven Habits of the Highly Effective DevSecOpJames Wickett
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?
This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops, and security to work together.
The Security, DevOps, and Chaos Playbook to Change the WorldJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This talk will highlight security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does= chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
A Way to Think about DevSecOps: MEASUREJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in history to learn how engineering decisions affect the lives of those around us, with an eye on how to make meaningful progress today.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce MEASURE, a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
----
thanks to Verica https://verica.io and techstrongcon.com
DevOpsDays Austin: Security in the FaaS LaneJames Wickett
James Wickett and Karthik Gaekwad talk about Serverless Security at DevOps Days Austin.
Security in FaaS isn't what we are used to, but this talk shows you how what we learned in appsec still applies. Using LambHack, which is a vulnerable serverless application written in Go on AWS Lambda using Sparta, we will evaluate how to do security in serverless.
In this talk, we will talk about security strategies and pitfalls in the serverless world. You'll leave with an understanding of how to approach security conversations about serverel
Talk goals:
- How to approach the security concerns in a serverless world.
- Talk about the 'WIP' methodology for serverless security.
- Understand current serverless attacks for things to defend against.
- Learn what different cloud providers (AWS/GKE/Azure/Oracle Cloud) do to protect you in a serverless world.
A DevSecOps Tale of Business, Engineering, and PeopleJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Learn what devsecops really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
From Innotech Austin 2019 and Cloud Austin Nov 2019
The New Ways of DevSecOps - The Secure Dev 2019James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice.
Shannon Lietz, Intuit
James WIckett, Signal Sciences
RSA Conference 2019
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world’s largest healthcare company to proactively discover system weakness before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
This session will cover the foundations DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand the real meaning of DevSecOps is without all the hype.
AppSec California 2018: The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
How to Effect Change in the Epistemological Wasteland of Application SecurityJames Wickett
From GOTO London 2015
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
Epistemological Problem of Application SecurityJames Wickett
Over the years, AppSec has made progress but it has also made some mis-steps. We focus almost solely on development practices and training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches to Application Security.
The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
From DevOps Days KC 2017
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)DJ Schleen
Join us at Agile+DevOps East's DevSecOps Summit on November 18th to check out our new presentation: https://agiledevopseast.techwell.com/program/devsecops-summit-sessions/blameless-retrospectives-devsecops-global-healthcare-giants-agile-devops-virtual-2020
Navigating the Unknowable: Resilience through Security Chaos Engineering
When applied to Cyber Security, Chaos Engineering is advancing our ability to reveal objective information about the effectiveness of operational security measures proactively through empirical experimentation. In this session we will introduce the core concepts behind this new technique and how you can get started in building and applying it.
Defense-Oriented DevOps for Modern Software DevelopmentJames Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Pragmatic Security and Rugged DevOps - SXSW 2015James Wickett
From SXSW Interactive 2015
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.
This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.
Three Takeaways:
1. You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.
2. Armed with tools and ideas for monitoring your operational and runtime security.
3. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://schedule.sxsw.com/2015/events/event_IAP35935
OWASP AppSec Global 2019 Security & Chaos EngineeringAaron Rinehart
Security today is customarily a reactive and chaotic exercise.
In this session, we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
Defense-Oriented DevOps for Modern Software DevelopmentVMware Tanzu
SpringOne Platform 2017
James Wickett, Signal Sciences
"DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas."
Application Security Epistemology in a Continuous Delivery WorldJames Wickett
CD Summit - Austin, from DevOps Connect
Desc:
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn’t sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here.
http://www.devopsconnect.com/events/cd-summit-austin/
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
From Innotech Austin 2019 and Cloud Austin Nov 2019
The New Ways of DevSecOps - The Secure Dev 2019James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice.
Shannon Lietz, Intuit
James WIckett, Signal Sciences
RSA Conference 2019
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world’s largest healthcare company to proactively discover system weakness before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
This session will cover the foundations DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand the real meaning of DevSecOps is without all the hype.
AppSec California 2018: The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
How to Effect Change in the Epistemological Wasteland of Application SecurityJames Wickett
From GOTO London 2015
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
Epistemological Problem of Application SecurityJames Wickett
Over the years, AppSec has made progress but it has also made some mis-steps. We focus almost solely on development practices and training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches to Application Security.
The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
From DevOps Days KC 2017
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)DJ Schleen
Join us at Agile+DevOps East's DevSecOps Summit on November 18th to check out our new presentation: https://agiledevopseast.techwell.com/program/devsecops-summit-sessions/blameless-retrospectives-devsecops-global-healthcare-giants-agile-devops-virtual-2020
Navigating the Unknowable: Resilience through Security Chaos Engineering
When applied to Cyber Security, Chaos Engineering is advancing our ability to reveal objective information about the effectiveness of operational security measures proactively through empirical experimentation. In this session we will introduce the core concepts behind this new technique and how you can get started in building and applying it.
Defense-Oriented DevOps for Modern Software DevelopmentJames Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Pragmatic Security and Rugged DevOps - SXSW 2015James Wickett
From SXSW Interactive 2015
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.
This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.
Three Takeaways:
1. You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.
2. Armed with tools and ideas for monitoring your operational and runtime security.
3. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://schedule.sxsw.com/2015/events/event_IAP35935
OWASP AppSec Global 2019 Security & Chaos EngineeringAaron Rinehart
Security today is customarily a reactive and chaotic exercise.
In this session, we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
Defense-Oriented DevOps for Modern Software DevelopmentVMware Tanzu
SpringOne Platform 2017
James Wickett, Signal Sciences
"DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas."
Application Security Epistemology in a Continuous Delivery WorldJames Wickett
CD Summit - Austin, from DevOps Connect
Desc:
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn’t sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here.
http://www.devopsconnect.com/events/cd-summit-austin/
New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://lascon.org
http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
With everything going on in DevOps, I think we can safely say that building pipelines is the way to deploy your applications to production. But knowing what you deploy to production and whether it is actually okay needs more data, like security checks, performance checks, and budget checks. We’ve come up with a process for that, which we call Continuous Verification “A process of querying external systems and using information from the response to make decisions to improve the development and deployment process.” In this session, we’ll look at extending an existing CI/CD pipeline with checks for security, performance, and cost to make a decision on whether we want to deploy our app or not.
Understanding Technical Debt: A Primer for Product Owners and FoundersAndrea Goulet
As presented at ProductCamp Boston June 2017.
Technical debt gets accrued when you move fast and break things, which is awesome in the early stages of a startup. Left unchecked, technical debt can slow a development team to a grinding halt, frustrating founders and product owners. In this session, we'll demystify technical debt. You'll leave with a good understanding of what it is, when to accrue it, and how to pay it down.
Presenter: Andrea Goulet
Technical debt gets accrued when you move fast and break things, which is awesome in the early stages of a startup. Left unchecked, technical debt can slow a development team to a grinding halt, frustrating founders and product owners. In this session, we'll demystify technical debt. You'll leave with a good understanding of what it is, when to accrue it, and how to pay it down.
Andrea Goulet is the CEO of Corgibytes, a software development shop dedicated to maintaining and modernizing software applications and has been named by LinkedIn as one of the top 10 professionals in software under 35. She’s the founder of LegacyCode.Rocks and hosts a podcast dedicated to changing the way we think about legacy code. She speaks frequently about building a business based on balance, empathy, and trust; the perils of the technical/non-technical divide; and the technical philosophies around working with legacy code.
In her spare time, Andrea enjoys hosting Free Code Camp events at her local co-working space and blogging at Empathy Driven Development. She loves watching her kids explore the world and is a sucker for a good physics documentary. You can recognize her by the JavaScript tattoo on her wrist.
This hands on workshop explores implementing various microservices patterns using 1) Pure Netflix OSS 2) Docker with Netflix and Prometheus 3) Docker & Kubernetes with Prometheus
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSecJames Wickett
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
Microsoft, Citrix and SCOM: EOL or a New Beginning ?eG Innovations
The SCOM management packs for Citrix are reaching End Of Life this month. You can move to a standalone monitoring solution like Citrix Director, but this means you will no longer be able to use Microsoft SCOM as the single unified monitoring console for your organization.
You now have a chance to convert the EOL into a new beginning. The eG Universal management pack for SCOM provides you with the best Citrix monitoring solution integrated tightly with your SCOM environment. What is more, you can also monitor other non-Microsoft technologies without needing additional management packs.
Learn more on, how you can make End Of Life for your Citrix SCOM management packs bring new life into your SCOM environment:
•Learn how to augment SCOM with logon simulation and deep Citrix domain expertise
•Leverage patented analytics for all your applications, Azure cloud services, and infrastructure
•Get code-level correlation for .NET applications and quickly isolate performance issues
DevOps has landed and many organizations are now enjoying the promised benefits such as shorter times to market, more efficient delivery processes, great levels of innovation, and happier teams. But that isn’t the whole story. Sometimes these achievements are confined to limited numbers of perhaps digital or systems of engagement teams. Bringing the benefits to more challenging areas in the enterprise may be still pending. Growing pains may also be starting to emerge for example achieving the right balance between autonomous teams free to choose their own tools and ending up with too much sprawl and having missed the benefits of enterprise standards. Here are my own perspectives based on scaling DevOps adoption in Accenture and with our clients.
Strong Security Elements for IoT Manufacturing GlobalSign
GlobalSign’s Vice President of IoT Identity Solutions, Lancen LaChance, presented a session on Strong Security Elements for IoT Manufacturing at the Internet of Things Expo in New York.
Lancen will run through some ideas and perspectives around incorporating strong information security elements into your IoT devices during the manufacturing process. Within this context we'll look at how we are examining the risks associated with IoT Products, Then we'll discuss some of the approaches for implementing these technologies in the manufacturing cycle. And finally we'll cover some example IoT use cases which are well aligned with the application of these technologies
As we look at the evolving IoT space, one bet we're willing to make is that the privacy and security of IoT products will continue to become more distinguishing features and differentiators. In this vein, Lancen address' how products can be built to achieve these goals through security by design, leveraging past technology successes, as well as the nuances and requirements of implementing within the manufacturing process
If you didn’t get a chance to make it to the conference and see Lancen live, we wanted to share the recorded presentation with you.
Watch the whole talk here: https://www.youtube.com/watch?v=fycAaOkpMrs
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Weaveworks
Cloud-native applications are increasingly spanning across hybrid and multi-cloud environments such as on-premise data centers, in the cloud (Amazon EKS, Azure AKS, Google Cloud GKE) and at the edge. Customers need to ensure security and resiliency for their cloud-native applications while managing releases through reliable, consistent deployment and runtime policies.
In this session, we’ve partnered with Tetrate to showcase how to effectively manage advanced deployments using Weave GitOps. Managing application configurations by different teams across multiple Kubernetes clusters is made possible with Weave GitOps and Tetrate Service Bridge. Using familiar Git workflows, Weave Policy-as-Code enables application engineers to quickly deliver new features safely.
Join us as we demonstrate the scenarios where:
- All changes to application configuration are managed through Git workflows.
- GitOps provides an extra layer of security by removing the need for direct access to Kubernetes clusters.
- Policy-as-Code guarantees security, resilience and coding standards compliance.
- Tetrate Service Bridge provides dynamic configuration of application workloads and failover across multiple Kubernetes clusters.
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolSylvain Martinez
What is an IDS? What is required for a successful implementation and utilisation? IDS can also be used for penetration testing activities, not just for defence purposes. See how!
This was presented as part of the FIRST Technical Colloquium 2017 Conference in Mauritius on the 30th of November 2017.
Feel free to contact us for more information.
If you are reusing some of the slides or their content, can you please reference our website as the source: https://www.elysiumsecurity.com
With the advent of microservices , containers and on demand computing and the rate at which code is getting churned out every single day we need to automate or perish. DevOps or Build at Scale and how to have a hands free approach like autonomous cars is what companies need the most today. It is no longer OK to say we build it someone will test it and certify it , it needs to happen in real time and all at once the Build, Automate and Test in a continuous pipeline. How can companies stay on top by effectively making use of Automation shall be looked at in this talk.
Citrix XenMobile and ShareFile Performance - 5 Steps for a Better BYOD Experi...eG Innovations
Citrix XenMobile and ShareFile are at the heart of the mobility strategies for many enterprises and service providers. As you embark on your mobility initiatives, you will need to ensure that users receive reliable and high performing service. Performance monitoring, diagnosis and reporting is a key to ensuring the success of your Citrix mobility initiatives. Watch this webinar "Performance Monitoring and Analytics for Citrix XenMobile and ShareFile" and see first-hand how to address performance-related challenges of Citrix mobile infrastructures.
During this webinar Citrix virtualization expert Bala Vaidinathan (CTO, eG Innovations) will demonstrate how eG Innovations' new performance monitoring solution for Citrix XenMobile and ShareFile allows you to:
• Monitor every layer, every tier of your Citrix mobile infrastructure
• Be alerted to performance problems proactively before your users notice and complain
• Identify exactly where the root-cause of any problems in the Citrix mobile infrastructure lie, so you can initiate remedial action quickly
• Gain a holistic end-to-end view of the Citrix infrastructure (including XenApp and XenDesktop), understand usage trends and bottlenecks and plan effectively for growth
• Customize real-time dashboards and create targeted reports to deliver timely, concise information that is relevant and valuable to each technical and management team member
General overview of what is "Chaos Engineering", the current
"perturbation models" available and the benefits of Chaos Engineering to Customers, Business and Tech.
Security in a Site Reliability Engineering (SRE) context with a focus on being pragmatic just makes sense. In this talk, we will look at 4 key areas where SRE and Security tribes can join forces and influence the overall business. This is a lab/discussion session.
Talk from Serverless Days Austin with @iteration1 and @wickett. This talk covers serverless basics and the Secure WIP model as a way to bring security to the conversation.
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
Adversary Driven Defense in the Real WorldJames Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
This talk is half discussion of the DevSecOps 2018 community survey report and half conversation with the crowd in attendance on what they want the future to look like. This was prepared for the July 2018 meetup of DevOps Austin.
The talk was created by @wickett of Signal Sciences and @ernestmueller of AlienVault.
Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?
From Austin OWASP meetup in June 2018
LambHack: A Vulnerable Serverless ApplicationJames Wickett
LambHack is a vulnerable serverless application written in golang in AWS Lambda running on the Go Sparta Serverless Framework. This talk focuses on how application security still has tons of meaning in serverless.
Talk from 12 Clouds of Christmas at Cloud Austin.
Serverless Security: A Pragmatic Primer for builders and defenders
Covers an intro to serverless, security ideas, and an open source vulnerable lambda application called lambhack.
From LASCON 2017, Austin, Texas.
The Path of DevOps Enlightenment for InfoSecJames Wickett
Presentation at All Day DevOps on the path for infosec and security engineers in the modern software development flow and their place in DevOps. The journey is important but the destination is critical.
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
2. JAMES WICKETT
Sr. Sec Eng & Dev Advocate @ Verica
Author, LinkedIn Learning
Organizer, DevOps Days Austin, Serverless Days ATX, DevSecOps Days
Austin
Author, DevSecOps Handbook (In progress)
@wickett
5. VERICA.IO
An enterprise platform for Continuous Verification,
using Chaos Engineering principles, to take a
proactive and measured approach to preventing
availability and security incidents.
@wickett
32. Security, like ops struggles to provide
value in most organizations
@wickett
33. Companies are spending a great
deal on security, but we read of
massive computer-related
attacks. Clearly something is
wrong. The root of the problem is
twofold: we’re protecting the
wrong things, and we’re hurting
productivity in the process.
@wickett
34. [Security by risk assessment]
introduces a dangerous fallacy:
that structured inadequacy is
almost as good as adequacy and
that underfunded security
efforts plus risk management are
about as good as properly funded
security work
@wickett
35. While engineering teams are busy deploying
leading-edge technologies, security teams
are still focused on fighting yesterday’s
battles.
SANS 2018 DevSecOps Survey
@wickett
68. INSTEAD, FOCUS ON METHODS DEVELOPERS USE
▸ TDD/BDD/ATDD
▸ Meaningful comments/commits
▸ Code Smells, Refactoring
▸ Instrumentation
@wickett
69. The goal should be to come up
with a set of automated tests
that probe and check security
configurations and runtime
system behavior for security
features that will execute
every time the system is built
and every time it is deployed.
73. MAKER DRIVEN means
▸ See security as part of engineering
▸ View quality as a way to bring security in
▸ Use code, not vendors to solve problems
@wickett
78. DETECT WHAT MATTERS
▸ Account takeover attempts
▸ Areas of the site under attack
▸ Most likely vectors of attack
▸ Business logic flows
▸ Abuse and Misuse
@wickett
79. We can't cede home
field advantage
— Zane Lackey
@wickett
91. SECURITY IN THE PIPELINE
▸ Software composition analysis
▸ Lang linters, git-hound, ...
▸ Scanners, gauntlt
▸ Monitoring and telemetry
@wickett
92. [Deploys] can be treated as
standard or routine
changes that have been
pre-approved by
management, and that
don’t require a heavyweight
change review meeting.
104. ROOT CAUSE IS A MYTH
▸ Lacks full picture
▸ Blame culture
▸ Forgets organizational decisions
▸ Puts the focus on the event over situation
▸ Complex systems are not linear
@wickett
105. Drifting into failure is a gradual,
incremental decline into
disaster driven by
environmental pressure, unruly
technology and social
proccesses that normalize
growing risk. No organization is
exempt from drifting into failure
106. BOEING 737MAX
▸ Maneuvering Characteristics Augmentation System (MCAS)
keeps the bigger plane from stalling
▸ The MCAS is automation software
▸ In certain situations, MCAS commands the trim in this
condition without notifying the pilots
@wickett
107. These events unfolded in minutes, at low
altitudes right after takeoff, asking pilots
to realize, understand, and respond to why
their aircraft was silently fighting their
inputs
108. in a context of being told that the
“system” they were operating was pretty
much like every other 737 they’d been
likely to operate in their careers, ever.
@jpaulreed
109. This new safety automation is capable of
overriding operator input in silence and in
ways that were poorly documented by
designers, unclear to operators, and
promised by developers
110. that nobody had to get new training on — a
selling point — and this safety automation
proved to cause the system to become
critically unrecoverable in, at least, one case.
-- @jpaulreed
117. Failures are a systems
problem because there is
not enough safety margin.
— @adrianco
118. Failure is an inevitable by-
product of a complex
system's normal
functioning
119. WHERE SECURITY FITS
▸ Add safety margin
▸ Telemetry and instrumentation
▸ Blameless retros
▸ ...more to explore in this area
@wickett
120. RESOURCES
▸ Drift into Failure by Dekker
▸ Understanding Human Error Video Series youtu.be/Fw3SwEXc3PU
▸ @jpaulreed coverage of Boeing medium.com/@jpaulreed
▸ Richard Cook paper bit.ly/2ydDQS2
@wickett
132. SECURITY SHARES THROUGH
▸ Making invisible as visible
▸ Security Observability
▸ APIs, webhooks, dev tooling
@wickett
133. Security Observability gives
applications the ability to
expose the attacks that are
happening below the
surface with feedback to
devs, ops, and security.
@wickett
134. A PAVED ROAD APPROACH
▸ Security as normal
▸ Security is "free"
▸ Jason Chan and Netflix
146. We’re moving from disaster
recovery to chaos
engineering to resiliency
— @adrianco
@wickett
147. [Chaos Engineering is] empirical rather
than formal. We don’t use models to
understand what the system should do.
We run experiments to learn what it does.
— Michael Nygard, Release It 2nd Ed.
@wickett
148. CHAOS ENGINEERING
▸ Experiments that span eng and security
▸ Manual opt-out
▸ Valuable Learning
▸ ChaosSlingr, CHAP, ChaosMonkey
@wickett