Vandana Verma Sehgal discusses building a DevSecOps culture. She outlines both top-down and bottom-up approaches to shifting culture, emphasizing collaboration between teams. Key aspects include establishing training programs, building security champions, embracing automation, and empowering developers to deliver securely. Case studies from ABN Amro and Fannie Mae demonstrate successful DevSecOps journeys. The end goal is for security to be integrated into the development process from the beginning through a shared responsibility model.
You’re probably a believer in the benefits of continuous delivery and DevOps (why else would you be at this meetup?). The rest of your organization... maybe not so much. Maybe you’re getting pushback on changes you believe will make your organization better. Maybe you’re not sure where or how to start to give yourself the best chance of making a change that will work. I’ll give you some tactics to start your journey toward DevOps (or toward any meaningful change, for that matter). I’ll also show how you might apply those tactics to address a specific challenge: adding test automation to a large legacy codebase. The goal is that you walk away with more tools in your “change toolkit” and a little more enthusiasm for shaking things up for the better where you work.
Jeff Gallimore presented tactics for organizations to kickstart their journey toward DevOps. He emphasized starting small with a focus on test automation, using metrics and stories to justify changes, and celebrating early successes. While change can feel difficult, DevOps helps improve productivity and release quality over the long run.
This document discusses DevSecOps in government technology. It uses the analogy of water to represent software and discusses how software runs underneath technology like water runs underneath cities and infrastructure. It promotes adopting a DevSecOps culture that treats code like water by never taking its security for granted. It outlines strategies for securing the human aspect through changing behaviors and culture. The overall message is that a DevSecOps approach requires passion, empathy, and bringing together developers, security engineers, and managers to define secure processes and metrics through a shared understanding.
This document provides a summary of image classification using deep learning. It begins with an introduction to the speaker and their background. It then discusses key concepts in image classification like image types (e.g. raster, vector), feature extraction using convolutional and pooling layers, classification using dense layers and activation functions, and model training. It provides examples of datasets like cats vs dogs and how to balance classes. Finally, it discusses model saving, transformers, and provides homework on modifying the image classification code.
A session in the DevNet Zone at Cisco Live, Berlin. At the moment, this is the DoE: DevOps of Everything. DevOps is about culture first, but many people take shortcuts to tools and workflow. They forget the essence of DevOps, which is about people, and not only the path from Dev to Ops. In this session, we will show you how we are currently building a DevOps culture with a focus on continuous improvement.
Secure360 is a great conference in Minnesota every year. We presented how to establish a DevSecOps Program there in 2015.
1) The document discusses how DevSecOps can help organizations achieve safer software sooner by shifting security left through a culture of collaboration, continuous learning, and taking responsibility. 2) It describes how forming a "C.A.T. Team" of diverse skills can help challenge traditional security models and drive innovation. 3) The key is establishing principles like checking egos, removing barriers, and measuring for success as a team in order to gain confidence and question norms.
This document discusses concepts and principles related to agile development. It begins by defining agile and listing some of its core values and principles. It then discusses agile methodologies like Scrum and Extreme Programming (XP). It provides an overview of the Scrum framework and roles in a Scrum team like the Product Owner and Scrum Master. It also covers topics like writing user stories, estimating work using story points, developing sprint backlogs and burn down charts, conducting daily stand-ups and sprint reviews/retrospectives. The document emphasizes adopting an agile mindset and focusing on continuous improvement through rapid feedback loops and reflection.
Content Security Policies (CSP) are an additional layer of security that you can add to your websites to protect your users from XSS attacks, but it is only used by about 2% of the Internet. This presentation was given at WordCamp Europe 2018 and explains the threats posed to website visitors, how CSPs can help, and how they work. #wceu
The document discusses shifting organizational culture to DevSecOps. It outlines challenges in integrating security practices into DevOps processes and culture shifts like encouraging a security mindset across teams through collaboration, education and common goals. The security team role evolves to creating security champions in each team. Case studies from ABN Amro and Fannie Mae demonstrate successful DevSecOps journeys. Resources are provided for establishing a DevSecOps culture.
Rolling slides to kick off the event. *** Description of the main talk *** Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today's IT environments.
In this talk, you will hear the best practices from analysts at Gartner, engineers at Heroku, and experiences at VSP distilled down into a top ten list of characteristics that applications ought to have to achieve high availability, scalability and flexibility. Target audience includes developers of APIs and web-based applications, the analysts and architects that design them and the infrastructure teams that support them.
Agile has made it possible to deliver many product lines and service lines almost like instant coffee, instant tea and instant everything. It has created many diverse needs, especially the need to keep pace with Dev and Operations, and everything is expected to be continuous along the pipeline without breaking anything along the way. This means features, security, builds, releases and the whole nine yards that go with putting your app or product out there. We shall look at DEVSECOPS and at why everything else associated with this initiative needs to be continuous. Without this mindset, agile shall be a term without much relevance, let alone one that delivers a product or feature in the best quality and time frame.
An introduction to the devsecops webinar will be presented by me at 10:30am EST on 29th July, 2018. It's a session focussed on a high-level overview of devsecops, which will be followed by intermediate and advanced level sessions in future. Agenda:
- DevSecOps Introduction
- Key Challenges, Recommendations
- DevSecOps Analysis
- DevSecOps Core Practices
- DevSecOps pipeline for Application & Infrastructure Security
- DevSecOps Security Tools Selection Tips
- DevSecOps Implementation Strategy
- DevSecOps Final Checklist
If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk. This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later. This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them. There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
DevOps as a Service ensures safe application delivery and a significantly shorter time to market. Enterprises that already use DevOps on various cloud platforms can quickly set up virtual machines and deliver applications. However, security is frequently overlooked during this process. For organisations to ensure that mission-critical apps are fortified with military-grade security, a change from DevOps to DevSecOps is necessary. Kaiburr can help you in this regard. For more info visit here: https://www.kaiburr.com/devsecops-as-a-service/
Vandana Verma is a cybersecurity expert who specializes in DevSecOps. She serves on the OWASP Global Board of Directors as Vice-Chair and is a member of several security review boards. Her work focuses on diversity initiatives in information security. She advocates for integrating security practices throughout the entire software development lifecycle from coding to deployment. This includes having developers take ownership of security and empowering them with tools and processes to build more secure applications within their existing workflows.
This document provides an overview of the OWASP Web Security Testing Guide. It categorizes testing as either passive or active, and outlines 11 sections covering different types of security testing for web applications. Each section includes a summary, testing methodology, available tools, and references. Testing areas covered include information gathering, configuration management, identity and authentication, authorization, session management, input validation, error handling, cryptography, business logic, and client-side issues. The goal of the guide is to provide a standard methodology for performing security tests on web applications.
This document outlines how to run an application security (AppSec) program using various open source tools from the Open Web Application Security Project (OWASP). It discusses tools for requirements gathering, threat modeling, source code review, vulnerability testing, defect tracking, defensive controls, training and awareness, and knowledge management. Many of the tools are linked, including the OWASP Security Knowledge Framework, Dependency Check, ModSecurity Core Rule Set, Juice Shop, DevSlop, the OWASP Top 10, and the OWASP Testing guides. The document provides an open source framework for implementing an AppSec program.
The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies related to web application security. It has over 93 active projects led by volunteer community members. Some of the major OWASP projects include the OWASP Top Ten project, the Application Security Verification Standard, the Web Security Testing Guide, and security tools like ZAP, Dependency Check, and DefectDojo.
Vandana Verma Sehgal gave a presentation on Zero Trust security models at SACON International 2020 in Bangalore, India. She began by introducing herself and her background in information security. She then discussed the limitations of conventional security models that rely on network perimeter defenses and trusting internal systems and users. She outlined the Zero Trust model which is based on the principles of never trusting any user, device, or network and requiring strict identity verification for all access. Some key aspects of Zero Trust architectures discussed included identity-based access controls, application-level access instead of network access, isolating network infrastructure, advanced threat protection, and treating identity as the new security perimeter.
The document provides an overview of how to get started with the OSCP (Offensive Security Certified Professional) certification. It outlines the required skills like basic Linux usage and programming knowledge. It recommends starting with Hack The Box to practice skills like port scanning and web application testing. The journey involves lab machines to exploit systematically through enumeration, exploitation, and privilege escalation. The exam involves cracking 5 out of 10 machines within 23 hours 45 minutes to pass. Regular breaks, thorough enumeration, and immediately submitting flags are tips for the exam. Overall, it recommends perseverance and practicing systematically on similar machines.
This document discusses WebSockets, including what they are, why they are needed, how they can be used, vulnerabilities, and limitations. WebSockets provide bi-directional communication over a single TCP connection and reduce latency compared to HTTP polling. They enable real-time applications and are supported by modern browsers through the HTML5 WebSocket API. Tools like Burp and ZAP can intercept and analyze WebSocket traffic. Vulnerabilities in WebSocket implementations have included denial of service, remote code execution, and bypassing of security restrictions. Limitations include lack of support in all browsers and need for client libraries to handle network issues.
The document discusses the importance of HTTP security headers as the first layer of defense for web applications. It describes several important headers like HSTS, CSP, and features like XSS protection. It outlines how headers help secure the client-side DOM from attacks and help prevent vulnerabilities. The document also discusses HTTP requests/responses, JavaScript vulnerabilities, and tools for analyzing security headers.
The document provides an overview of security audits and compliance based on the ISO 27001:2013 standard. It defines key terms, describes the three pillars of information security and types of audits. It introduces ISO 27001, outlines the framework's 13 control domains and objectives. The document explains how to conduct a security audit from initiation to follow up and closure of nonconformities. It stresses that audits are about improvement, not fault finding, and ensuring unbiased reviews.
The document discusses server-side template injection, where malicious code can be injected through templates used to generate web pages or emails. Templates are widely used by web applications to dynamically generate data. The first step in detecting a server-side template injection is noticing unusual behavior, errors, or mathematical expressions being executed on the server. Ways to detect injections include inserting mathematical expressions into templates. Mitigations include executing users' code in sandboxed environments like Docker containers and validating user input.