The Science of Compliance
Early Code to Secure your Node
judy johnson
Software Engineer
Onyx Point
@miz_j
The Science of Compliance judy johnson Twitter: @miz_j GitHub: judyj Agile + DevOps Virtual Summit
Today’s Agenda
● A little about DevOps and a little about baking
● Compliance vs Security
● Why We need Compliance
● Why We need Automation
● How you know you are Compliant
● My ideal DevSecOps Process
● Compliance In Dev, Test, and Production
● Tools
● Recipe!
About the Speaker
● Programming since middle school when my Dad brought home a PDP-8
● Software engineer for [many] years
● Various job titles: Software Engineer, Systems Engineer, Project Manager, ScrumMaster, and a CD Store Clerk
● Working at Onyx Point since 2015 (note: opinions here are my own)
● Interests - baking, hockey, rock concerts, reading, volunteering (especially in events that promote diversity in tech)
● Greatest Accomplishment - two amazing daughters - both engineers
So… why is DevOps so important to me?
● Cooperation
● Communication
● Retrospection
● Repeatability/Consistency
● Efficiency
● Automation
...and why is baking so important to me?
● Fun activity with family and friends
● Stress relief
● Enables creativity
● Makes people happy
● “Practice makes perfect”
● Makes a great analogy to continue through this talk...
The DevOps Cycle
The Baking Cycle
What is DevSecOps?
“DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. However, effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.” (from Red Hat)
...what does the “Sec” in the middle mean to me?
● “In high-performing organizations, everyone within the team shares a common goal - quality, availability, and security aren’t the responsibility of individual departments, but are a part of everyone’s job, every day.” - Gene Kim
● Of course security should be part of continuous improvement
● But is the “Sec” necessary, or implied?
DevSecCodeTestRunDeployMLEtcOps
Security vs Compliance (wiki)
Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) caused by others. Beneficiaries (technically referents) of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change.
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.[1] Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls.[2] This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.
Security vs Compliance
            PROVABLE   DISPROVABLE
SECURITY    X          ✔
COMPLIANCE  ✔          ✔
● Compliance - enforcing a defined/testable set of rules
● Security - ensuring that your system is not vulnerable
● Both are attempts to minimize risk
Risk Management Framework (diagram © NIST)
Baking and Compliance
● Compliance is following the recipe
● Correct controls (temperature, measurement, etc) create consistent, predictable product
● A “typo” or incident could ruin your product
● Substitutions - are they valid?
● Mistake? Learn and document
● Minimizing Risk - Follow instructions, Document anomalies
Why do we need compliance?
● Improve Security
● Implement security concepts in a provable way
● Maintain Trust/Integrity
● Add transparency
● Maintain Consistency (process management)
● Maintain Control
● Risk Management
Reasons we need to start compliance earlier
● Doing work up-front saves time later
● Awareness of compliance early-on
● Creates a culture of security
● Early insertion of tools allows for continuous monitoring even during development, shortening the feedback loop
● Compliance resources are available earlier in the process
● Fixes and updates can be made earlier and cheaper
● Reduces the risk of problems when adding new code/tools
● Have you ever tried to put the chocolate chips in the cookies when they were done?
...and baking…
● Know the requirements
○ Read the recipe first
○ Ensure you have all the ingredients before you start
● Consistent infrastructure
○ Preheated oven ensures temperature stability
○ Ensure you have appropriate measuring devices
Reasons we need to Automate Compliance
● A compliant infrastructure allows for simpler development and maintenance
● Compliance is consistently applied
● Modularizing code increases ability and speed of updating
● Code is easily shareable - tools can be put into CM (Git, etc) and reused in multiple places (with access to the most current tools)
● Reporting is more accurate and more timely (audit trail)
● Open collaboration creates continued transparency
● “Simplify and Optimize”
Reasons people are hesitant (and replies)
● People believe that it is a huge time investment (it is, but will be worth it later)
● Making large changes in processes is risky (no more risky than using a non-compliant system)
● People feel that it is not necessary to train application developers on security and compliance (of course it is!)
● “We’ve always done it that way…” (sigh.)
Typical Process - Old School
● Requirements Created
● Code Written
● Code Reviewed and Tested
● Security Team runs Tests
● An action plan may be written
● Code is rewritten/re-reviewed/re-tested
● New requirements - do we learn from mistakes?
Ideal Process
● Code and Compliance Requirements Created
● Compliance & Code Written simultaneously
● Compliance code shared/reused
● Compliance tickets reside with target (application) code tickets
● ALL Code Reviewed and Tested Continuously
● ALL Code is rewritten/re-reviewed/re-tested
How do you know you are Compliant?
● Out-of-the-box testing tools based on a specific set of rules (e.g. Nessus, OpenSCAP, OVAL)
● Toolkits to test compliance status - more flexible (e.g. InSpec, ServerSpec)
● Manual tests
● Compliance tests from scratch
● Logs!
How do you know you are Recipe Compliant?
● Did your cake rise?
● Were your cookies the right consistency?
● Were your “auditors” - (friends, family, co-workers) satisfied with the product?
● Is the kitchen on fire?
How we bake it in...
Hardening your O/S
● Hardening begins with O/S
● Non-compliant code will be exposed early
● Dev/Test platforms have the same rules as target platforms
● Compliance issues and fixes are found early and shared early
● Using an automated provisioning system such as Puppet, Ansible, Chef, or SaltStack will allow you to start immediately
● Items such as disk and data encryption, which are hard to add later, are set early
● Customize and standardize features such as open ports, ciphers, allowable tools
Ensuring your Dev systems are Compliant
● Eliminate some of the threats immediately via O/S
○ e.g. ports, encryption
○ Keep up with O/S patches
● Ensure development and test tools are known to be compliant
● Do not change O/S settings as you develop (or clean up after yourself)
● Create a compliance baseline
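A from-scratch compliance check of the kind the two slides above call for (standardized ports and ciphers from the O/S hardening slide, turned into a baseline the dev box is audited against), written here as an added example in plain Ruby; it is not code from the talk, from Onyx Point, or from any of the tools named. The rule set, the sample sshd_config and the cipher list are constructed assumptions, not an organizational baseline.

```ruby
# Added example: audit an sshd_config-style file against a hardening baseline.
# Plain Ruby so it can run in CI with no extra tooling. The BASELINE rules and
# SAMPLE_CONFIG are constructed for this example; use your own policy values.

# Parse "Key value" lines into a Hash, ignoring blank lines and comments.
# A commented-out line such as "#PermitRootLogin no" must NOT count as a
# setting: a naive grep would match it and report a false positive.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, settings|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    settings[key] = value.to_s.strip
  end
end

# The baseline: each rule names a key and how to judge its value.
#   :eq     -> value must equal the expected string
#   :in     -> value must be one of the allowed values
#   :subset -> every comma-separated item must be in the allowed set
BASELINE = {
  'Protocol'               => { check: :eq,     expect: '2' },
  'PermitRootLogin'        => { check: :eq,     expect: 'no' },
  'PasswordAuthentication' => { check: :eq,     expect: 'no' },
  'Port'                   => { check: :in,     expect: %w[22 2222] },
  'Ciphers'                => { check: :subset,
                                expect: %w[aes256-gcm@openssh.com chacha20-poly1305@openssh.com aes256-ctr] }
}.freeze

# Evaluate one rule; returns nil when compliant, otherwise a finding Hash.
def evaluate_rule(key, rule, settings)
  actual = settings[key]
  # An absent key falls back to the daemon's compiled-in default, which the
  # baseline cannot vouch for, so "not set" is itself a finding.
  ok = if actual.nil?
         false
       else
         case rule[:check]
         when :eq     then actual == rule[:expect]
         when :in     then rule[:expect].include?(actual)
         when :subset then (actual.split(',') - rule[:expect]).empty?
         else false
         end
       end
  return nil if ok

  { key: key, actual: actual, expected: rule[:expect],
    reason: actual.nil? ? 'not set' : 'mismatch' }
end

# Run the whole baseline; returns the list of findings (empty means compliant).
def audit(text, baseline = BASELINE)
  settings = parse_sshd_config(text)
  baseline.map { |key, rule| evaluate_rule(key, rule, settings) }.compact
end

# Constructed sample config for a dev box. Note the commented-out
# PermitRootLogin and the weak CBC cipher slipped into the list.
SAMPLE_CONFIG = <<~CONF
  # sshd_config (constructed sample)
  Protocol 2
  Port 22
  #PermitRootLogin no
  PasswordAuthentication no
  Ciphers aes256-gcm@openssh.com,aes128-cbc
CONF

if $PROGRAM_NAME == __FILE__
  findings = audit(SAMPLE_CONFIG)
  findings.each { |f| puts "FAIL #{f[:key]}: #{f[:reason]} (got #{f[:actual].inspect})" }
  puts 'compliant' if findings.empty?
  # In a CI job, exit non-zero when findings are present so the build fails.
end
```

Running it on the sample reports two findings, PermitRootLogin (not set, because the only occurrence is commented out) and Ciphers (aes128-cbc is outside the allowed set); a grep-based check would have passed the first one.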
Ensuring Compliance is part of Testing
● Testing framework and platform (CI)
○ Test under varying conditions
○ Test all components together
● Last chance to catch issues before code goes live
● Read Logs!
Adding Compliance to Testing
● Acceptance tests - Beaker (Litmus)/VM/Container tests
● Chef’s InSpec
● Manual testing
● Static code analysis tools
● Dynamic code analysis tools
● Use the tools you have!
Compliance Testing in CI
● Passing once is not enough
● Ensure that your automated tests (spec, acceptance, integration) run with every check-in and/or periodically
Continuous testing of your recipe
Check out this video - applies to both CI and cooking!
( https://www.youtube.com/watch?v=rfROcNPsb3w )
Ensuring your Production Systems Stay Compliant
● Your production environment is open to threats
● “Chaos Monkey”-like tools randomly test for various issues
● Canary deployments and feature flags (start with a small sample)
● Logs! Logs! Logs!
What to look out for
● Ensure that the “definition of done” or goals of the compliance code are defined up front (a “single source of truth”)
● Ensure developers/security/sysadmins are communicating goals and practices to avoid redundancy and allow for reuse
Tools
● Many tools are available, and it is important that your organization evaluates the tools it already has and does a thorough “analysis of alternatives” to ensure that tools are selected and used appropriately
Tools for Consistency / Correction
Compliance
● Puppet, Salt, Ansible, Chef
● Any programming language, script
● CI
● Manual fix
Ensure fixes are documented and remain in the process
Recipe
● Cake mix (customize within constraints)
● Pre-mixed spices
● Frosting to cover up any goofs
● Salt ;-)
Ensure the fix is noted for next time
Sample Commercial Tools - Development Stages
● SCA – Software Composition Analysis - Dependency Check, Blackduck, NexusIQ, SourceClear, Whitesource
● SAST - Static Application Security Testing (White Box Testing) [Source Code Check] – SonarQube, Veracode, Checkmarx, Coverity, Fortify, and language-specific tools Brakeman (Ruby), Bandit (Python)
● DAST - Dynamic Application Security Testing (Black Box Testing) [running app] - Burp, ZAP, Sn1per, Nikto, WebInspect, AppScan, Acunetix, Netsparker
(thanks, Thaddeus @thaddeuswalsh)
Other types of tools
● Infrastructure Vulnerability Management – Tenable, Qualys, Rapid7, OpenVAS
● Container – Clair, Trivy, Aqua, Twistlock
● Cloud - Prowler (AWS assessment tool)
● Database scanner - SQLmap (open source SQL Injection and db takeover tool)
(tool listings thanks to Thaddeus @thaddeuswalsh)
OK, it’s passed all the tests, and I’ve deployed...
● Puppet
○ Ensures your setup remains solid by running every 30 minutes (or predetermined)
● Cron job or CI tool
○ Can recheck and reset if there is an issue
● Ensure that reoccurring issues are documented and addressed
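The post-deployment check-and-reset loop described above (a scheduled Puppet or cron run that detects drift, puts the setting back, and surfaces issues that keep coming back), modelled as an added Ruby example; it is not code from the talk, from Puppet, or from any vendor. The desired settings, the observed system state and the drift scenario are constructed assumptions; a real agent would read and write the live system instead of a Hash.

```ruby
# Added example: detect drift from a desired state, correct it idempotently,
# and count how often each setting drifts so recurring problems get noticed.
# DESIRED_STATE and the sample system state are constructed for this example.

# Desired state of a few settings, expressed like a configuration-management
# catalogue: every run must converge each key to its value.
DESIRED_STATE = {
  'PermitRootLogin'        => 'no',
  'PasswordAuthentication' => 'no',
  'X11Forwarding'          => 'no'
}.freeze

# Compare observed state with desired state. Returns the list of keys that
# have drifted (missing or wrong), with the observed and desired values.
def detect_drift(observed, desired = DESIRED_STATE)
  desired.each_with_object([]) do |(key, want), drift|
    got = observed[key]
    drift << { key: key, observed: got, desired: want } if got != want
  end
end

# Apply corrections. The operation is idempotent: applying it to an already
# compliant state changes nothing, which is what makes an unattended run every
# 30 minutes safe. Returns the corrected state and the list of changes made.
# Keys outside the desired state (e.g. 'Port' below) are left untouched.
def converge(observed, desired = DESIRED_STATE)
  drift = detect_drift(observed, desired)
  corrected = observed.merge(desired)   # desired values win; others untouched
  [corrected, drift]
end

# Track how often each key drifts across runs. A key that keeps coming back is
# the "reoccurring issue" the slide says to document and address: something
# else (a person, another tool) is undoing the fix between runs, and resetting
# it every half hour hides that root cause instead of fixing it.
class DriftMonitor
  attr_reader :history

  def initialize(recurring_after: 3)
    @recurring_after = recurring_after
    @history = Hash.new(0)   # key => number of runs in which it had drifted
  end

  # Run one check-and-reset cycle; returns the corrected state and a report.
  def run(observed, desired = DESIRED_STATE)
    corrected, drift = converge(observed, desired)
    drift.each { |d| @history[d[:key]] += 1 }
    [corrected, { changed: drift.map { |d| d[:key] }, recurring: recurring_keys }]
  end

  # Keys that have drifted in at least `recurring_after` runs.
  def recurring_keys
    @history.select { |_, n| n >= @recurring_after }.keys
  end
end

if $PROGRAM_NAME == __FILE__
  monitor = DriftMonitor.new
  # Constructed scenario: something re-enables root login before every run.
  state = { 'PermitRootLogin' => 'yes', 'PasswordAuthentication' => 'no', 'Port' => '22' }
  4.times do |i|
    state, report = monitor.run(state)
    puts "run #{i + 1}: changed=#{report[:changed]} recurring=#{report[:recurring]}"
    state['PermitRootLogin'] = 'yes'   # simulated drift between runs
  end
end
```

On the constructed scenario the first run corrects PermitRootLogin and adds the missing X11Forwarding, later runs only ever touch PermitRootLogin, and from the third such correction the report lists it as recurring, which is the cue to look for whatever keeps changing it rather than to keep resetting it.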
My baking slide (1)
Carrot Cake
● 1 1/2 cups corn oil
● 2 cups sugar (not salt :) )
● 3 eggs
● 2 cups flour
● 1 1/2 teaspoons cinnamon
● 2 teaspoons baking soda
● 2 teaspoons vanilla
● 1/2 teaspoon salt (not sugar :) )
● 2 cups grated carrots
● 1 cup chopped walnuts
Combine all ingredients.
Pour in greased 13" x 9" pan.
Bake at 350 for 45 minutes.
Cool, frost.
● Carrot cake is one of my favorites!
● Vegetables and security - necessary evils to some
● Carrot - a vegetable and unexpected - are baked in, yet the cake is sweet and moist
My baking slide (2)
Cream Cheese Frosting
● 3 oz cream cheese
● 1 2/3 cups confectioners sugar
● 1/8 teaspoon salt
● 1 teaspoon vanilla
Combine all ingredients. Beat until creamy.
Spread on cake.
● Imagine the frosting as your app.
● Solid base - add your personal touch
● Ensure that you do not alter the foundation that the cake has created when you personalize it
Summary...
● A secure O/S on development and all other platforms allows you to start with an advantage
● Compliance testing can - and should - be done at all stages of your CI
● Watch your test tool - there can be false positives as well as false negatives
● A tool such as Puppet or Cron can run (or run scripts) at regular time increments to check your compliance, and alert you if something needs correction
● Correction can be done with an automated tool or manually
● Ensure that security is integrated into your team and process
● Create a Culture of Security
● No matter what you are creating, remember to bake in the goodness!
Thanks!
To co-workers who teach me every day, and peer review my code, documents, and cookies… to family and friends who inspire me daily… to the friends who helped me put this together and make it pretty
Never stop learning – and make sure you have time to spend on things you enjoy!
https://unsplash.com/ and https://www.123rf.com/ (for photos)
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 

Recently uploaded (20)

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 

The Science of Compliance

...what does the “Sec” in the middle mean to me?
● “In high-performing organizations, everyone within the team shares a common goal - quality, availability, and security aren’t the responsibility of individual departments, but are a part of everyone’s job, every day.” - Gene Kim
● Of course security should be part of continuous improvement
● But is the “Sec” necessary, or implied?
DevSecCodeTestRunDeployMLEtcOps
9

Security vs Compliance (wiki)
Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) caused by others. Beneficiaries (technically referents) of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change.
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.[1] Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls.[2] This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.
10

Security vs Compliance
             PROVABLE   DISPROVABLE
SECURITY     X          ✔
COMPLIANCE   ✔          ✔
● Compliance - enforcing a defined/testable set of rules
● Security - ensuring that your system is not vulnerable
● Both are attempts to minimize risk
11

Risk Management Framework
© NIST
12

Baking and Compliance
● Compliance is following the recipe
● Correct controls (temperature, measurement, etc.) create a consistent, predictable product
● A “typo” or incident could ruin your product
● Substitutions - are they valid?
● Mistake? Learn and document
● Minimizing Risk - Follow instructions, Document anomalies
13

Why do we need compliance?
● Improve Security
● Implement security concepts in a provable way
● Maintain Trust/Integrity
● Add transparency
● Maintain Consistency (process management)
● Maintain Control
● Risk Management
14

Reasons we need to start compliance earlier
● Doing work up-front saves time later
● Awareness of compliance early-on
● Creates a culture of security
● Early insertion of tools allows for continuous monitoring even during development, shortening the feedback loop
● Compliance resources are available earlier in the process
● Fixes and updates can be made earlier and cheaper
● Reduces the risk of problems when adding new code/tools
● Have you ever tried to put the chocolate chips in the cookies when they were done?
15

...and baking…
● Know the requirements
○ Read the recipe first
○ Ensure you have all the ingredients before you start
● Consistent infrastructure
○ Preheated oven ensures temperature stability
○ Ensure you have appropriate measuring devices
16

Reasons we need to Automate Compliance
● A compliant infrastructure allows for simpler development and maintenance
● Compliance is consistently applied
● Modularizing code increases ability and speed of updating
● Code is easily shareable - tools can be put into CM (Git, etc.) and reused in multiple places (with access to the most current tools)
● Reporting is more accurate and more timely (audit trail)
● Open collaboration creates continued transparency
● “Simplify and Optimize”
17

Reasons people are hesitant (and replies)
● People believe that it is a huge time investment (it is, but will be worth it later)
● Making large changes in processes is risky (no more risky than using a non-compliant system)
● People feel that it is not necessary to train application developers on security and compliance (of course it is!)
● “We’ve always done it that way…” (sigh.)
18

Typical Process - Old School
● Requirements Created
● Code Written
● Code Reviewed and Tested
● Security Team runs Tests
● An action plan may be written
● Code is rewritten/re-reviewed/re-tested
● New requirements - do we learn from mistakes?
© 123RF
19

Ideal Process
● Code and Compliance Requirements Created
● Compliance & Code Written simultaneously
● Compliance code shared/reused
● Compliance tickets reside with target (application) code tickets
● ALL Code Reviewed and Tested Continuously
● ALL Code is rewritten/re-reviewed/re-tested
20

How do you know you are Compliant?
● Out-of-the-box testing tools based on a specific set of rules (e.g. Nessus, OpenSCAP, OVAL)
● Toolkits to test compliance status - more flexible (e.g. InSpec, ServerSpec)
● Manual tests
● Compliance tests from scratch
● Logs!
21

How do you know you are Recipe Compliant?
● Did your cake rise?
● Were your cookies the right consistency?
● Were your “auditors” (friends, family, co-workers) satisfied with the product?
● Is the kitchen on fire?
© 123RF
22

How we bake it in...
23

Hardening your O/S
● Hardening begins with the O/S
● Non-compliant code will be exposed early
● Dev/Test platforms have the same rules as target platforms
● Compliance issues and fixes are found early and shared early
● Using an automated provisioning system such as Puppet, Ansible, Chef, or SaltStack will allow you to start immediately
● Items such as disk and data encryption, which are hard to add later, are set early
● Customize and standardize features such as open ports, ciphers, allowable tools
24

Ensuring your Dev systems are Compliant
● Eliminate some of the threats immediately via the O/S
○ e.g. ports, encryption
○ Keep up with O/S patches
● Ensure development and test tools are known to be compliant
● Do not change O/S settings as you develop (or clean up after yourself)
● Create a compliance baseline
25

Ensuring Compliance is part of Testing
● Testing framework and platform (CI)
○ Test under varying conditions
○ Test all components together
● Last chance to catch issues before code goes live
● Read Logs!
26

Adding Compliance to Testing
● Acceptance tests - Beaker (Litmus)/VM/Container tests
● Chef’s InSpec
● Manual testing
● Static code analysis tools
● Dynamic code analysis tools
● Use the tools you have!
27

Compliance Testing in CI
● Passing once is not enough
● Ensure that your automated tests (spec, acceptance, integration) run with every check-in and/or periodically
© 123RF
28

Continuous testing of your recipe
Check out this video - applies to both CI and cooking! ( https://www.youtube.com/watch?v=rfROcNPsb3w )
29

30

Ensuring your Production Systems Stay Compliant
● Your production environment is open to threats
● “Chaos Monkey”-like tools randomly test for various issues
● Canary deployments and feature flags (start with a small sample)
● Logs! Logs! Logs!
31

What to look out for
● Ensure that the “definition of done” or goals of the compliance code are defined up front (a “single source of truth”)
● Ensure developers/security/sysadmins are communicating goals and practices to avoid redundancy and allow for reuse
32

Tools
● Many tools are available, and it is important that your organization evaluates the tools it already has, and does a thorough “analysis of alternatives” to ensure that tools are selected and used appropriately
33

Tools for Consistency / Correction
Compliance
● Puppet, Salt, Ansible, Chef
● Any programming language, script
● CI
● Manual fix
Ensure fixes are documented and remain in the process
Recipe
● Cake mix (customize within constraints)
● Pre-mixed spices
● Frosting to cover up any goofs
● Salt ;-)
Ensure the fix is noted for next time
© 123RF © Paul Prudhomme
34

Sample Commercial Tools - Development Stages
● SCA – Software Composition Analysis - Dependency Check, Blackduck, NexusIQ, SourceClear, Whitesource
● SAST - Static Application Security Testing (White Box Testing) [Source Code Check] – SonarQube, Veracode, Checkmarx, Coverity, Fortify, and language-specific tools Brakeman (Ruby), Bandit (Python)
● DAST - Dynamic Application Security Testing (Black Box Testing) [running app] - Burp, Zap, Sn1per, Nikto, WebInspect, AppScan, Acunetix, Netsparker
(thanks, Thaddeus @thaddeuswalsh)
35

Other types of tools
● Infrastructure Vulnerability Management – Tenable, Qualys, Rapid7, OpenVAS
● Container – Clair, Trivy, Aqua, Twistlock
● Cloud - Prowler (AWS assessment tool)
● Database scanner - SQLmap (open source SQL Injection and db takeover tool)
(tool listings thanks to Thaddeus @thaddeuswalsh)
36

OK, it’s passed all the tests, and I’ve deployed...
● Puppet
○ Ensures your setup remains solid by running every 30 minutes (or at a predetermined interval)
● Cron job or CI tool
○ Can recheck and reset if there is an issue
● Ensure that recurring issues are documented and addressed
37
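Slides 24, 25 and 37 describe one loop: define a compliance baseline for the O/S (ports, ciphers, root login), check it continuously, log the result, and reset anything that has drifted. As an added example that is not from the talk or from any of the tools it names, here is a small Ruby checker in that spirit; the control ids, baseline values, host name and sample sshd_config are all constructed for illustration.

```ruby
require 'json'
require 'time'

# Constructed baseline: control id => [sshd keyword, expected value or allow-list].
BASELINE = {
  'ssh-01' => ['PermitRootLogin',        'no'],
  'ssh-02' => ['PasswordAuthentication', 'no'],
  'ssh-03' => ['Port',                   '22'],
  'ssh-04' => ['Ciphers', %w[aes256-gcm@openssh.com chacha20-poly1305@openssh.com]]
}.freeze

# Parse sshd_config text into { lowercased keyword => value }.  sshd honours the
# FIRST occurrence of a keyword, so later duplicates are deliberately ignored.
def parse_sshd_config(text)
  text.each_line.each_with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] ||= value.to_s
  end
end

# A missing keyword means sshd's default, which the baseline does not trust.
# For Ciphers every configured cipher must be on the allow-list.
def control_passes?(actual, expected)
  return false if actual.nil?
  return actual.casecmp?(expected) unless expected.is_a?(Array)
  actual.split(',').map(&:strip).all? { |c| expected.include?(c) }
end

# Evaluate every control; returns one finding hash per control, in baseline order.
def check_compliance(config, baseline = BASELINE)
  baseline.map do |id, (keyword, expected)|
    actual = config[keyword.downcase]
    { id: id, keyword: keyword, expected: expected, actual: actual,
      status: control_passes?(actual, expected) ? 'pass' : 'fail' }
  end
end

# One JSON line per finding: the audit trail a log pipeline can ingest.
# Host and timestamp are parameters so the output is reproducible in tests.
def audit_lines(findings, host = 'dev-node-01', now = Time.now.utc)
  findings.map { |f| JSON.generate(f.merge(host: host, checked_at: now.iso8601)) }
end

# "Reset if there is an issue": rewrite the first occurrence of each failed
# keyword (matching sshd's first-wins rule) or append it if absent.
def remediate(text, findings)
  lines = text.lines.map(&:chomp)
  findings.select { |f| f[:status] == 'fail' }.each do |f|
    wanted = f[:expected].is_a?(Array) ? f[:expected].join(',') : f[:expected]
    idx = lines.index { |l| l.strip.split(/\s+/, 2).first.to_s.casecmp?(f[:keyword]) }
    if idx
      lines[idx] = "#{f[:keyword]} #{wanted}"
    else
      lines << "#{f[:keyword]} #{wanted}"
    end
  end
  lines.join("\n") + "\n"
end

# Constructed sample: a dev box whose sshd_config has drifted from the baseline.
SAMPLE_CONFIG = <<~CFG
  Port 22
  # a developer "temporarily" enabled root login and added a CBC cipher
  PermitRootLogin yes
  Ciphers aes256-gcm@openssh.com,aes128-cbc
  # sshd ignores this line: the first PermitRootLogin above wins
  PermitRootLogin no
CFG

if $PROGRAM_NAME == __FILE__
  findings = check_compliance(parse_sshd_config(SAMPLE_CONFIG))
  puts audit_lines(findings)               # 3 fail, 1 pass before correction
  puts remediate(SAMPLE_CONFIG, findings)  # corrected config passes all four
end
```

Run it from cron or a CI job and ship the JSON lines to your log pipeline; the "fail" findings are the drift the slides say to document and address, not just silently reset.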
My baking slide (1)
Carrot Cake
● 1 1/2 cups corn oil
● 2 cups sugar (not salt :) )
● 3 eggs
● 2 cups flour
● 1 1/2 teaspoons cinnamon
● 2 teaspoons baking soda
● 2 teaspoons vanilla
● 1/2 teaspoon salt (not sugar :) )
● 2 cups grated carrots
● 1 cup chopped walnuts
Combine all ingredients. Pour in greased 13" x 9" pan. Bake at 350 for 45 minutes. Cool, frost.
● Carrot cake is one of my favorites!
● Vegetables and security - necessary evils to some
● Carrots - a vegetable, and unexpected - are baked in, yet the cake is sweet and moist
38

My baking slide (2)
● Imagine the frosting as your app.
● Solid base - add your personal touch
● Ensure that you do not alter the foundation that the cake has created when you personalize it
Cream Cheese Frosting
● 3 oz cream cheese
● 1 2/3 cups confectioners sugar
● 1/8 teaspoon salt
● 1 teaspoon vanilla
Combine all ingredients. Beat until creamy. Spread on cake.
39

Summary...
● A secure O/S on development and all other platforms allows you to start with an advantage
● Compliance testing can - and should - be done at all stages of your CI
● Watch your test tool - there can be false positives as well as false negatives
● A tool such as Puppet or cron can run (or run scripts) at regular time increments to check your compliance, and alert you if something needs correction
● Correction can be done with an automated tool or manually
● Ensure that security is integrated into your team and process
● Create a Culture of Security
● No matter what you are creating, remember to bake in the goodness!
40

Thanks!
To co-workers who teach me every day, and peer review my code, documents, and cookies… to family and friends who inspire me daily… to the friends who helped me put this together and make it pretty
Never stop learning – and make sure you have time to spend on things you enjoy!
https://unsplash.com/ and https://www.123rf.com/ (for photos)
41