Watch on-demand webinar: https://info.avinetworks.com/webinars/web-application-security-continuous-delivery-pipelines
Applications today have evolved into containers and microservices deployed in fully automated and distributed environments across data centers and clouds. Application services such as load balancing, security, and analytics become critical for continuous delivery.
To secure modern web applications, security policies including SSL/TLS, ACLs, IP Reputation, and WAF need to be applied quickly. We will share a reference implementation from Avi Networks.
Join this webinar to learn:
- CI/CD in the web application security context
- Challenges and solutions integrating a modern web application firewall (WAF) into the application development pipeline
- How to create processes that support both security and development requirements
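One way to make the WAF-in-the-pipeline step concrete, as an added example that is not Avi Networks' reference implementation: run the WAF in detection-only mode in the test stage, replay the application's functional tests (legitimate requests plus a few tagged attack payloads) through it, and promote the policy to blocking only if no rule would have blocked legitimate traffic and every tagged attack was matched. The log format, the test tagging scheme (expect=allow/block) and the CRS-style rule IDs are assumptions made for this illustration, and the sample log is constructed.

```python
"""
Added example, not the Avi Networks reference implementation: a CI stage that
replays the application's functional tests through a WAF running in
detection-only mode and decides whether the policy can be promoted to
blocking.  Log format, test tagging and rule IDs are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed log format: the test harness tags every request with a test id and
# whether it is legitimate traffic (expect=allow) or a deliberate attack
# payload (expect=block); the WAF appends the CRS-style rule IDs that matched
# in detection mode, or "-" when nothing matched.
LINE_RE = re.compile(
    r"^test=(?P<test>\S+)\s+expect=(?P<expect>allow|block)\s+"
    r"path=(?P<path>\S+)\s+rules=(?P<rules>\S+)$"
)

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
# test          verdict        path             matched rules
test=t01 expect=allow path=/api/search  rules=942100
test=t02 expect=allow path=/api/search  rules=942100,942190
test=t03 expect=allow path=/healthz     rules=-
test=t04 expect=block path=/api/search  rules=942100
test=t05 expect=block path=/api/comment rules=-
test=t06 expect=allow path=/api/comment rules=-
"""


@dataclass(frozen=True)
class Request:
    test: str
    expect: str                 # "allow" or "block"
    path: str
    rules: tuple[str, ...]      # rule IDs that fired in detection mode


@dataclass
class GateReport:
    # (rule id, path) -> number of legitimate requests that rule would have blocked
    false_positives: Counter = field(default_factory=Counter)
    # test ids of attack payloads that no rule matched (coverage gaps)
    missed_attacks: list = field(default_factory=list)

    @property
    def promote(self) -> bool:
        """True only if blocking mode would neither break tests nor miss attacks."""
        return not self.false_positives and not self.missed_attacks

    def exclusion_candidates(self) -> list:
        """(rule id, path) pairs a reviewer might exclude instead of disabling the rule globally."""
        return sorted(self.false_positives)


def parse_log(text: str) -> list:
    """Parse the tagged detection-mode log into Request records."""
    requests = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        rules = () if m["rules"] == "-" else tuple(m["rules"].split(","))
        requests.append(Request(m["test"], m["expect"], m["path"], rules))
    return requests


def evaluate(requests) -> GateReport:
    """Classify every detection-mode match as a false positive or a coverage gap."""
    report = GateReport()
    for req in requests:
        if req.expect == "allow":
            for rule in req.rules:          # would have blocked legitimate traffic
                report.false_positives[(rule, req.path)] += 1
        elif not req.rules:                 # attack payload went through undetected
            report.missed_attacks.append(req.test)
    return report


if __name__ == "__main__":
    rep = evaluate(parse_log(SAMPLE_LOG))
    print("promote to blocking:", rep.promote)
    for (rule, path), n in sorted(rep.false_positives.items()):
        print(f"  false positive: rule {rule} on {path} ({n} legitimate requests)")
    for test in rep.missed_attacks:
        print(f"  missed attack: {test}")
```

The gate fails closed in both directions: a rule that fires on legitimate test traffic is reported per path so the team can add a narrow exclusion rather than disable the rule, and an attack payload that nothing matched is a coverage gap that has to be fixed before the policy is trusted in blocking mode.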
Multi-Cloud Load Balancing and Application Services (Avi Networks)
Watch the on-demand webinar here https://info.avinetworks.com/webinars/multicloud-load-balancing-and-app-services
81% of enterprises have a multi-cloud strategy and on average, operating 5 clouds. This reality imposes demanding requirements on automation and operational consistency across heterogeneous environments. In this webinar, we will explore what is required for application services, and how Avi Networks builds a single platform for load balancing, security and analytics. We will walk through live demos on how applications can be delivered consistently regardless of the underlying infrastructures.
You will learn how to:
- Integrate into private and public cloud ecosystems including AWS, Azure, Cisco and VMware.
- Deliver applications using a software-defined and policy-driven platform.
- Apply DevOps principles to application delivery and accelerate multi-cloud deployments.
Monitor & Manage Citrix App Performance Using Microsoft SCOM (eG Innovations)
Citrix application infrastructures are very performance sensitive. “Citrix is slow” or “Citrix is not working” is a common complaint heard at the help desk from frustrated users. These complaints could be caused from a small problem anywhere in your infrastructure and you have to spend hours finding out where the real problem lies before you can resolve it and restore a positive user experience. Is it really a Citrix issue, or is the issue actually originating somewhere else in the infrastructure – i.e., the network, application, virtual platform, storage, etc.?
View these slides and discover how you can extend Microsoft System Center Operations Manager (SCOM), using the Microsoft SCOM Citrix Universal Management Pack, to monitor and manage Citrix infrastructures end to end, so that when a user complains that Citrix is slow, you can pinpoint exactly where the cause of the problem lies in just one click.
Learn how to:
• Monitor all of your Citrix tiers – XenApp, XenDesktop, XenServer, NetScaler, XenMobile, etc. directly from the Microsoft SCOM console
• Get deep visibility into every aspect of Citrix performance
• Pinpoint in just one click where the real cause of a problem lies
• Proactively detect and fix performance issues before users complain
• Publish real-time dashboards in Microsoft SCOM to provide key insights for the different stakeholders in your organization
• Generate powerful, end-to-end historical and trend reports that help you optimize and right-size your Citrix infrastructure for maximum ROI
Day 3: Security Auditing and Compliance (VMware Tanzu)
SpringOne Platform 2019
Session Title: Day 3: Security Auditing and Compliance
Speakers: David Zendzian, Field CISO, Pivotal and Steve White, Field CISO, Pivotal
Youtube: https://youtu.be/O_noXhQ16Yk
Virtual Desktop Infrastructure with Novell Endpoint Management Solutions (Novell)
With the adoption of virtualization in the end-user computing space, organizations require solutions that go beyond device management and embrace the dynamic nature of end-user environments. This session will introduce you to the Novell VDI solution, enhanced by Novell ZENworks Configuration Management, and its ability to provide a secure, automated and personalized hosted desktop environment. This session will also focus on the Novell endpoint management technologies that enhance virtual desktop infrastructure.
Best Practices for Monitoring Your Cloud Environment and Applications (Prolifics)
Abstract: You have completed the heavy lifting of migrating applications to the cloud. But you are not done yet. What is your monitoring strategy for the cloud? What are the best practices to monitor the cloud infrastructure, deployed applications and end user experience? In this session, we will be answering these questions and explore the various IBM APM and Analytics offerings that will help you in your decision making process. Having a comprehensive monitoring strategy is critical as most customers use a combination of public and private cloud environments and being able to monitor these using a fully integrated and customizable solution is essential to the health, availability and performance of the cloud deployed applications and services.
Citrix Troubleshooting 101: How to Resolve and Prevent Business-Impacting Cit... (eG Innovations)
One of the most challenging tasks for a Citrix administrator is when a user calls in complaining of a Citrix problem: logon is slow, session is getting disconnected, application launch is slow, session itself is slow, etc. So, how does a Citrix admin go about solving these issues? A Citrix infrastructure has many tiers and dependencies. Where do you start looking, what do you analyze, and how do you triage?
Watch this webinar by George Spiers, Citrix CTP and EUC Architect, who shares his real-world experience to help you learn the art of Citrix troubleshooting. You will find out how to:
• Methodically go about finding the scope, magnitude of impact, and source of the problem
• Troubleshoot common Citrix problems like slow logons, slow app/desktop launch, disconnecting sessions, frozen sessions, etc.
• Investigate issues in the supporting infrastructure (network, AD, virtualization, etc.)
• Optimize the Citrix environment for maximum performance
At the end, we discuss how automated monitoring can help accelerate performance troubleshooting.
According to EMA, most companies use six or more monitoring tools, a fragmented, piecemeal approach to monitoring. Riverbed SteelCentral is the only end-to-end performance management platform that blends user experience, infrastructure, application, and network monitoring for a holistic view of performance.
How Citrix Admins can get a Virtual Assistant (eG Innovations)
By offering a unified place for people to access any app, whether SaaS, web, mobile or virtual, digital workspaces have become mission-critical for the new way of work. As digital workspaces evolve in scale, complexity and business importance, Citrix admins need unified visibility and actionable insights to diagnose and resolve performance issues across the entire IT environment, both physical and virtual, both on-premises and cloud.
This requires deep Citrix domain expertise along with end-to-end visibility across Citrix and non-Citrix tiers; which can quickly overwhelm most Citrix administrators. Citrix Admins need a virtual assistant to:
• Proactively monitor digital workspace user experience
• Automatically isolate and remediate performance issues
• Align capacity to changing business and user requirements
• Improve user experience with embedded analytics
Join John Worthington, Director Customer Success and Nanda Kumar, Director Solutions Engineering at eG Innovations, for an action-packed demonstration of how eG Enterprise is the digital assistant every Citrix Admin needs.
Deep Automation and ML-Driven Analytics for Application Services (Avi Networks)
Watch on-demand here https://info.avinetworks.com/webinars/deep-automation-ml-driven-analytics
Do you want to simplify capacity planning, web application security, and continuous delivery? The secret sauce for application delivery automation is deep intelligence and deep automation. Avi Networks’ multi-cloud application services include software-defined load balancing, security, and analytics across on-prem data centers and public clouds.
In this webinar, you will learn:
- The “Deep Automation” framework
- Its application in three use cases: autoscaling, WAF, and CI/CD
- How to apply ML principles and rich analytics to automate application delivery
Bringing SaaS Simplicity to Proactive Support & Live Threat Updates (Avi Networks)
Enterprises find it challenging to provide real-time security, manage tickets and issues efficiently, and achieve simplified operations. How can you enable a SaaS experience in the data centers? VMware NSX Advanced Load Balancer (formerly Avi Networks) PULSE provides turnkey cloud services built to simplify enterprise’s operations, enhance supportability, and provide real-time security threat protection delivered through a friction-less SaaS model.
Learn how to help reduce complexity, management, and cost of your network operations:
• Enhance your operational experience through secure, agile, and programmable cloud services
• Enable proactive support - detect, remediate, collect and notify service failures automatically
• Provide real-time application protection through live security threat intelligence feed for IP reputation, app signatures, and WAF CRS rules
F5 helps organizations improve user experience and simplify management with the first integrated SPDY Gateway. F5’s Application Delivery Optimization (ADO) solutions accelerate applications across public and private clouds to better support remote and mobile users.
Securing Web Applications with Deep Automation with VMware NSX Advanced Load ... (Avi Networks)
Watch webinar on-demand here https://info.avinetworks.com/webinars/securing-web-apps-deep-automation
Application security requires a high degree of automation, yet making security decisions can be very difficult. Deploying and securing web applications in public clouds further complicates load balancing and web application firewall configuration. We show the importance of applying visibility, end-to-end orchestration and decision automation to the different layers of application security. In this webinar, you will learn about:
- AI / ML based analytics for automating decisions
- Automated canary deployments for application security
- VMware NSX Advanced Load Balancer (Avi Networks) use cases
Deliver Modern Applications with an Elastic Load Balancing Fabric Powered by ... (Avi Networks)
Traditionally, hyper-scale applications have been deployed on ultra-high-end, specialized hardware that is statically provisioned. These legacy appliances are not built for the cloud era: rigid to scale, hard to manage and expensive to operate. With Intel’s high-performance CPUs and VMware NSX Advanced Load Balancer (formerly Avi Networks), you can easily deploy and manage capacity for modern applications with an intelligent, elastic load balancing fabric.
During this webinar, learn how to:
- Deliver hyper-scale applications with a software defined architecture on general purpose compute processors
- Scale and load balance elastically to 1 million SSL TPS on 2nd Generation Intel Xeon Scalable processors
- Save $$$ with an elastic application services fabric while providing flexibility and fault tolerance
- Utilize Avi’s platform intelligence to auto scale your application with just right sizing
Finding a cost-effective solution that allows you to rapidly deliver cloud-based applications securely can be challenging. F5 on AWS offers a variety of solutions and licensing options, so organizations can choose the best fit for their business needs. Join our webinar to learn best practices for controlling access for your cloud-based applications.
Watch the F5 and AWS webinar to learn how to strengthen your security using strong access control and application-layer firewall services.
Cloud With DevOps Enabling Rapid Business Development (Sam Garforth)
My point of view on accelerating business development with improved time to market by using lean principles enabled by devops and cloud. Some of the narrative can be found here http://thoughtsoncloud.com/2014/04/speed-devops-cloud/
VMworld 2013: VMware and Puppet: How to Plan, Deploy & Manage Modern Applicat... (VMworld)
VMworld 2013
Nigel Kersten, Puppet Labs
Becky Smith, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Examine common application performance problems hiding in plain sight. See how you can quickly remove the noise, pinpoint root cause and fix these problems once and for all. Watch the webinar replay: http://rvbd.ly/1QGxMBs
How to monitor all aspects of Citrix NetScaler usage and performance within t... (eG Innovations)
Citrix NetScaler / ADC has evolved into a networking powerhouse, supporting a variety of functions including application firewalls, VPN tunnels, caching and acceleration, compression, and ensuring fast delivery of web and desktop applications.
Since it plays a central role, the availability and performance of a Citrix NetScaler / ADC device is crucial. NetScaler / ADC performance not only affects the user experience; because the device fronts the application firewall and VPN functions, it is also important for safeguarding the security and integrity of the IT infrastructure.
eG Enterprise monitors all aspects of Citrix NetScaler usage and performance within the context of any digital service — physical, virtual, cloud, and containers.
Easily View, Manage, and Scale Your App Security with F5 NGINX (NGINX, Inc.)
Organizations typically use between 200 and 1,000 applications, many of them public facing and a direct gateway to customers and their data. While these apps enable critical functions, they’re also a common target for bad actors. A web application firewall (WAF) is a critical tool for securing apps by providing protection, detection, and mitigation against vulnerabilities and attacks. However, WAFs can be difficult to maintain and manage at scale. In this webinar, we explore how centralized visibility and configuration management of WAFs can decrease risk and save time.
Secure Code review - Veracode SaaS Platform - Saudi Green Method (Salil Kumar Subramony)
Veracode provides the world’s leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk.
Deploying Secure Modern Apps in Evolving Infrastructures (SBWebinars)
Software development is changing. It is now measured in days instead of months. Microservice architectures are preferred over monolithic, centralized application architectures, and the cloud is the preferred environment over hardware that must be owned and maintained.
In this webinar, we examine how these new software development practices have changed web application security and review a new approach to protecting assets at the web application layer.
Attendees will learn:
- The changes in development models, architecture designs, and infrastructure
- How these changes necessitate a new approach to web application security
- How development teams can effectively stay secure at the speed of DevOps
5 Challenges of Moving Applications to the Cloud (tCell)
As businesses take the next step in transforming their organization, many struggle to handle the hurdles that come with migrating their applications to the cloud. The major issue when moving applications to the cloud is security. It seems the greatest value of what makes the cloud so attractive to app development is also what makes it so difficult to secure.
Here are 5 main problems when migrating apps to the cloud...
Agenda:
- SDLC vs. S-SDLC
- Mobile development security process
- Which tools to use for security testing?
- How to integrate into existing processes?
- What else can you do?
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020 (Brian Levine)
2. AppSec Defender
Christian Treutler
Engineer at heart
Interested in (sometimes scared by) Security Automation, IoT security, Big Data security, AI security implications.
Security evangelist
3. Agenda
1. Mission statement
2. CICD Introduction
3. Demo: Rolling out a new version
4. How to build application security into a CICD pipeline from a WAF perspective?
5. Demo: Pipeline with enabled WAF
6. Demo: Security with ”infra as code”
4. Mission Statement:
Including AppSec into CICD environments can be achieved with the right tools.
Teams must work together closely to allow this kind of automation to succeed.
5. Continuous Delivery Introduction
“Continuous Delivery is a software development discipline where you build software in such a way that the software can be released to production at any time.” – Martin Fowler
“Our goal is to make deployments—whether of a large-scale distributed system, a complex production environment, an embedded system, or an app—predictable, routine affairs that can be performed on demand.” – Jez Humble
Continuous Delivery involves automation and integration of all stages of software development including development, build, test, acceptance, configuration management, infrastructure, provisioning and ultimately release!
6. Running a successful CICD
The very short version. For detailed information, please see the references at the end of the slide deck.
Goals: predictable, reliable, fast and better quality! Business (Sales, PM and Customers love this!), Operations, Organizational.
Success metrics: How to express the Pass / Fail decision? Use normalized metrics. Metrics measuring quality are more important than quantity. Benchmark your application!
Process: Develop → Build → Test → Deploy → Monitor / Validate → In-Service / Out-of-service, with the feedback delay kept as small as possible.
Deployment: application config as code; check, apply updates, validate & record.
Continuous Integration: software build and integration tests, from sandbox to production through deployment automation.
8. Demo Environment
Application: vulnerable application Hackazon
Application lifecycle includes security scanning and iWAF Protection
All parts use “infrastructure as code”
Kubernetes: a cluster of 3 nodes + dashboard
Service Mesh: Avi with iWAF module
CICD: Concourse
Gitea: local GIT repository
Docker registry
OWASP ZAP scanner
All services run on Kubernetes in Docker containers
12. CICD in an application security context
Which parts of AppSec can be applied?
DAST, SAST, Vulnerability management (black and white box testing)
• Trusted solutions
• Usually automatable in test/staging through APIs
• Success metric: vulnerabilities within expected numbers
Misc.
• DDoS Protection – part of ADC/LB requirements
• Transport Security – TLS encryption – ADC
• Virus/Malware scanning – application or agent based
• Success metric: depends on requirements
RASP (Runtime Application Self-Protection)
• Built into the application / tool chain
• Essentially part of the application
• Success metric: application test is green
WAF
• Application protection (usually proxy based)
• WAF policy needs to be part of application or infra code
• Must be deployed in all environments (dev, test, production)
• Success metric: application test is green
13. Challenges of AppSec vs Dev
High level view
• Infrastructure does not support security requirements
• Vendor/product X does not support security requirement foo.
Security is a first class feature
• Should be part of company DNA
Security education
• Every employee needs to be educated about the implications if security best practices are not met.
Features vs. Security
• When planned and designed correctly, security is part of a feature and not something that competes for the same resources.
Team Silos
• Security is a team effort and will fail if not all teams take their share of the responsibility.
15. Legacy WAF challenges with CICD
Elasticity, Scalability, Programmability, Automation, Management as code
• Proprietary hardware: costly refresh cycle; tied to environment
• Manage each device: no central management; no central monitoring
• No automation: incomplete REST API; no plug-n-play automation
• No telemetry: LBs are black boxes; no analytics or insights
• Static capacity: requires overprovisioning; no cloud-like elasticity
16. CICD example: WAF – properties for a working solution
An overview
Mindset
• Application developers, security and networking all work together
• Application developer accepts WAF as an additional security layer to protect the application
• Application developer uses WAF analytics for application behavior analysis
• Security team defines security requirements and risk assessments
• Security team provides oversight and guidance
Infrastructure
• Pure software solution that supports deployment anywhere with the application
• Integration into a Load Balancer or Web Server
• Automation (APIs, SDK, integrations)
• Orchestration integration (Cloud, Container, Scalable)
• Insights, metrics
Process
• WAF is part of all stages of the development process
• WAF policy is owned by application developer and kept with the application source code
• WAF policy changes are tracked within the source code repository with ticket management
• Security audit process: security team can monitor and approve policy changes if needed (pull requests)
• Every application uses the default security policy (for that specific application type, risk profile)
17. CICD workflow with WAF – development
Sample integration of a WAF into a CICD workflow (stages: Develop → Build → Test → Deploy → Monitor / Validate → In-Service / Out-of-service):
Develop
WAF is part of the development process. If needed, the WAF policy is updated by the developer. The security team approves the changes to the WAF policy. The WAF policy is part of the application code and will be rolled out with the application build.
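Slides 16 and 17 describe the process side: the WAF policy lives in the application repository, changes are tracked with a ticket, and the security team approves them through pull requests. The check below is an added example (not code from the deck or from Avi Networks) of a pipeline step that enforces exactly that; it assumes a hypothetical `waf/` directory for the policy, a constructed `KEY-123` ticket format, and that CI is handed the changed files, commit messages and approver logins of the pull request.

```python
"""Pipeline check for WAF-policy-as-code changes (added example, not the deck's own code).

Assumptions (hypothetical): the application's WAF policy lives under waf/ in the
repository, commit messages carry ticket keys such as SEC-42 (constructed format),
and the CI job receives the list of changed files, the commit messages and the
logins of reviewers who approved the pull request.
"""
from dataclasses import dataclass, field
import re

POLICY_PREFIX = "waf/"                                # hypothetical policy location in the repo
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")     # constructed ticket-key format, e.g. SEC-42


@dataclass
class PullRequest:
    changed_files: list      # paths touched by the PR
    commit_messages: list    # one entry per commit
    approvers: set           # logins of reviewers who approved


@dataclass
class AuditRecord:
    """What gets written to the audit trail: decision, which policy files, which tickets, why."""
    approved: bool
    policy_files: list = field(default_factory=list)
    tickets: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def policy_files_in(changed_files):
    """Only files under the WAF policy directory are subject to the security review gate."""
    return [f for f in changed_files if f.startswith(POLICY_PREFIX)]


def review_policy_change(pr: PullRequest, security_team: set) -> AuditRecord:
    """Approve the PR unless it changes the WAF policy without a ticket or a security reviewer."""
    touched = policy_files_in(pr.changed_files)
    tickets = sorted({t for msg in pr.commit_messages for t in TICKET_RE.findall(msg)})

    if not touched:
        # Application-only change: the WAF policy is untouched, so no security sign-off needed.
        return AuditRecord(True, [], tickets, ["no WAF policy files changed; developer review suffices"])

    failures = []
    # Change management: every policy change must be traceable to a ticket.
    if not tickets:
        failures.append("WAF policy change has no ticket reference in any commit message")
    # Oversight: at least one approver must belong to the security team.
    security_approvers = sorted(pr.approvers & security_team)
    if not security_approvers:
        failures.append("WAF policy change lacks approval from a security-team reviewer")

    if failures:
        return AuditRecord(False, touched, tickets, failures)
    return AuditRecord(True, touched, tickets,
                       [f"policy change {', '.join(tickets)} approved by {', '.join(security_approvers)}"])


if __name__ == "__main__":
    # Constructed sample: a developer widens the policy for an upload endpoint, alice is on the security team.
    pr = PullRequest(["waf/policy.yaml", "src/upload.py"],
                     ["SEC-42 allow JSON bodies on /api/upload"], {"alice", "bob"})
    print(review_policy_change(pr, {"alice"}))
```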
18. CICD workflow with WAF – build
Sample integration of a WAF into a CICD workflow:
Build
WAF has no part in the build process, since it does not directly influence the application code.
19. CICD workflow with WAF – test
Sample integration of a WAF into a CICD workflow:
Test
All tests are run with the new build. The test environment uses the stored WAF policy. Any test failures or unexpected WAF findings can trigger a new ticket for the developer to investigate and fix. Tests include unit, functional and ideally end-to-end tests.
Caveat: Simulated test traffic is usually inferior to real world traffic.
20. CICD workflow with WAF – deploy
Sample integration of a WAF into a CICD workflow:
Deploy
WAF gets deployed alongside application code.
21. CICD workflow with WAF – monitor / validate
Sample integration of a WAF into a CICD workflow:
Monitor / Validate
WAF metrics provide the necessary insight into the health and expected behavior of the WAF, which the pipeline measures against.
22. CICD workflow with WAF – in-service / out-of-service
Sample integration of a WAF into a CICD workflow:
In-Service / Out-of-service
According to the success criteria the new application code is put in-service and the old application code is taken out-of-service.
WAF metrics can have a direct impact on the cut over if they degrade. They are one part of the success criteria.
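Slide 6 asks for normalized metrics, slide 12 sets "vulnerabilities within expected numbers" as the DAST success metric, slide 19 warns that simulated traffic is thin, and this slide makes degraded WAF metrics part of the cut-over decision. The gate below is an added example (not code from the deck or from Avi Networks) that ties those together: it normalizes per-version WAF counters to per-request rates, compares the candidate against the in-service version and against absolute ceilings, checks DAST findings against per-severity limits, and refuses to decide on too little traffic. The counter fields, the policy thresholds and all sample numbers are constructed assumptions, not a real WAF's API.

```python
"""Deployment gate from WAF metrics and DAST findings (added example, not the deck's own code).

Assumptions (hypothetical): the pipeline reads per-version counters from the WAF's
metrics API and alert counts by risk from the DAST scanner; field names, thresholds
and all numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WafCounters:
    """Raw counters for one application version, as a WAF metrics API might report them."""
    requests: int
    waf_blocked: int        # requests rejected by the WAF policy
    waf_flagged: int        # rule matches in detection-only mode (not rejected)
    http_5xx: int           # server errors seen by the proxy
    p95_latency_ms: float


@dataclass
class Decision:
    in_service: bool
    reasons: list = field(default_factory=list)


# Constructed success criteria; a real pipeline would keep these in the repo next to the WAF policy.
POLICY = {
    "min_requests": 1000,                       # below this the sample is too thin to judge (slide 19 caveat)
    "max_findings": {"High": 0, "Medium": 2},   # DAST findings must stay within expected numbers
    "ceilings": {                               # absolute per-request ceilings for the candidate
        "block_rate": 0.02,                     # blocks on legitimate test traffic are mostly false positives
        "error_rate": 0.01,
        "p95_ms": 250.0,
    },
    "max_degradation": 1.5,                     # candidate may be at most 1.5x the in-service version
}


def normalize(c: WafCounters) -> dict:
    """Turn raw counters into per-request rates so versions with different traffic volumes compare."""
    n = max(c.requests, 1)
    return {
        "block_rate": c.waf_blocked / n,
        "flag_rate": c.waf_flagged / n,
        "error_rate": c.http_5xx / n,
        "p95_ms": c.p95_latency_ms,
    }


def evaluate(candidate: WafCounters, baseline, findings: dict, policy=POLICY) -> Decision:
    """Decide whether the candidate goes in-service; baseline is None on the very first deployment."""
    reasons = []

    # Not enough traffic: refuse to cut over rather than trust a handful of simulated requests.
    if candidate.requests < policy["min_requests"]:
        reasons.append(f"only {candidate.requests} requests observed; not enough traffic to evaluate")

    # DAST: per-severity finding counts must stay within the expected numbers.
    for severity, limit in policy["max_findings"].items():
        seen = findings.get(severity, 0)
        if seen > limit:
            reasons.append(f"{seen} {severity} DAST finding(s) exceed the allowed {limit}")

    # WAF: absolute ceilings first, then relative degradation against the in-service version.
    cand = normalize(candidate)
    base = normalize(baseline) if baseline is not None else None
    for key, ceiling in policy["ceilings"].items():
        if cand[key] > ceiling:
            reasons.append(f"{key}={cand[key]:.4f} above ceiling {ceiling}")
        elif base is not None and base[key] > 0 and cand[key] > base[key] * policy["max_degradation"]:
            reasons.append(f"{key}={cand[key]:.4f} degraded vs in-service {base[key]:.4f}")

    return Decision(not reasons, reasons or ["all success criteria met; candidate goes in-service"])


if __name__ == "__main__":
    # Constructed sample: the in-service version saw 20k requests, the candidate 5k in the test stage.
    in_service = WafCounters(requests=20000, waf_blocked=80, waf_flagged=300, http_5xx=40, p95_latency_ms=120.0)
    candidate = WafCounters(requests=5000, waf_blocked=150, waf_flagged=60, http_5xx=12, p95_latency_ms=130.0)
    print(evaluate(candidate, in_service, {"High": 1, "Medium": 0, "Low": 4}))
```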
24. Summary: Continuous Delivery with and without Application Security focus
Continuous Delivery:
1. Continuous Delivery transcends technical, cultural, process and business aspects of any team.
2. Deployment decisions can be automated – provided metrics are wisely used.
3. If possible, make your applications elastic and set them up such that they can scale-out and scale-in during the deployment evaluation.
4. Modern tools for CI, configuration management, deployment pipeline automation, ONF (SDN), public and private cloud programmability allow complex applications to be easily deployed.
With Application Security focus:
1. As Continuous Delivery is introduced, the security strategy of a company is a key factor for success.
2. An application security process is required.
3. Any WAF that supports the infrastructure requirements can be used for CICD.
4. A WAF needs to provide metrics (via API) for evaluation of successful deployment and operations.
5. Change management is crucial and auditing must be possible (trace of configuration changes).
25. Thank You!
Christian Treutler, Avi Networks
christian@avinetworks.com
Next Steps
1. Learn about GDPR and WAF: https://info.avinetworks.com/webinars/secure-web-applications-and-achieve-compliance
2. Schedule a demo: https://info.avinetworks.com/schedule-a-demo
3. Get your hands “dirty”: https://github.com/avinetworks/devops/tree/master/ansible/deployment_pipeline
26. References
Jez Humble, https://continuousdelivery.com
Martin Fowler, https://martinfowler.com/delivery.html
Chen, Lianping, Paddy Power. Continuous Delivery: Huge Benefits, but Challenges Too. IEEE Software, 32. 10.1109/MS.2015.27
Demo code is available on GitHub: https://github.com/avinetworks/devops/tree/master/ansible/deployment_pipeline
Download Avi Solution from www.avinetworks.com