This will be an overview of approaches to building an application security program within a development team or a company as a whole, supplemented with lessons from my own experience delivering hands-on and consulting projects in the field of Application Security.
We know we need to identify and protect critical assets. But how? If your company develops a multitude of hardware and software products in a global environment, it is very challenging. This session will describe how we approached the design and building of a Secure Development Environment (SDE), giving you a jump start on your own SDE using our lessons learned to help balance security and productivity. (Source: RSA Conference USA 2017)
Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
Managing application and host security issues at scale: how to scale application security in the SDLC, using the edgescan SaaS to achieve this. Presented at DaggerCon 2015, Dublin, Ireland.
Dan Glass, CISO of American Airlines, presented on developing rugged systems through an approach called Rugged DevOps. The presentation outlined four focus areas - Rugged Systems, Operational Excellence, Actionable Intelligence, and Defensible Platforms. For each area, Glass provided 3-4 sentences on how American Airlines will ensure systems can withstand hostile environments, adapt to changes, meet enterprise standards, maintain reliability through standardization, harvest and analyze data to enable quick decisions, and develop platforms that are hardened and can withstand attacks. The presentation concluded by answering questions on how to discuss products with vendors, changing mindsets, and balancing automation, legacy systems, and accountability.
Presented on November 7, 2018 at Triangle DevOps (https://www.meetup.com/triangle-devops/). With the continuing evolution of the shift to the cloud and automation, this talk explores what the future might look like for security and operations. Will security and operations be abstracted away, resulting in only developers having jobs?
This document summarizes a presentation about how security teams can adapt to DevOps and continuous deployment models. It discusses how code deployment has shifted to near-instantaneous changes, security is no longer a gatekeeper, and workarounds will happen if security causes delays. To embrace agility, security must decentralize and provide visibility into the development process for all teams, not just security, by surfacing security data. The key lessons are that embracing DevOps actually helps rather than harms security when done with visibility across rapid iterative changes.
The document outlines seven habits that DevOps teams can adopt to increase application security. The habits are: 1) Increase trust and transparency between development, security, and operations teams. 2) Understand the probability and impact of specific security risks. 3) Discard detailed security roadmaps in favor of incremental improvements. 4) Use continuous delivery pipelines to incrementally improve security practices. 5) Standardize and continuously update third-party software. 6) Govern with automated audit trails. 7) Test security preparedness through "security games". Adopting these habits helps integrate security across the development lifecycle to reduce vulnerability discovery and remediation time.
This is my talk on building security at scale from Black Hat USA 2014. In it I outline the lessons I've learned from six months as Yahoo's CISO and share ideas for how the security industry can better address problems at web scale.
In the world of DevSecOps, as you may predict, we have three teams working together: Development, the Security team and Operations. The “Sec” of DevSecOps introduces changes into the following:
• Engineering
• Operations
• Data Science
• Compliance
This document provides an overview of a session on security chaos engineering. The session will cover combating complexity in software, chaos engineering, resilience engineering and security, security chaos engineering, open source chaos tools, and a product demo from Verica. The presenters from Verica will be Casey Rosenthal, CEO and founder, and Aaron Rinehart, CTO and founder. Casey Rosenthal helped create the discipline of chaos engineering at Netflix and built their chaos automation platform. Aaron Rinehart has experience leading security engineering strategies and pioneered the area of security chaos engineering. Chaos engineering involves experimenting on distributed systems to build confidence in their ability to withstand turbulent conditions. It is used to combat the increasing complexity
Presented on August 23, 2017 at the League of Women in Cyber Security meetup (https://www.meetup.com/League-of-Women-in-Cybersecurity/events/242071337/). This talk will provide an intro to honeypots and their benefits, an intro to deception in cyber security, and an overview of HoneyPy and HoneyDB.
Slides from our talk @Devoxx MA 2018. We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad programming habits that can be mitigated.
This document summarizes a presentation on chaos engineering and security chaos engineering. It discusses how systems have become too complex for humans to fully understand and that failures are the normal condition. Chaos engineering experiments intentionally introduce failures to build confidence in a system's resilience. Security chaos engineering uses the same principles to continuously validate security controls and reduce uncertainty. The document provides examples of chaos experiments and introduces ChaoSlingr, an open source tool for automating security chaos experiments.
This document discusses the benefits of joining OWASP Russia, an open community dedicated to improving web application security. It notes that OWASP provides free security tools, best practices, projects to contribute to, and opportunities for career growth and networking. The author highlights several popular OWASP projects and tools. OWASP Russia started in 2012 and provides translations, meetups, and experience sharing to support the global OWASP community. The document encourages volunteering or participating in discussions, events, and projects like the OWASP Secure Configuration Guide to help harden systems against misconfiguration issues.
Learn why bug bounties are great tools in application security, why they can be difficult, and how you can utilize them to start finding more critical vulnerabilities.
Presentation delivered to the Minnesota Counties Computer Cooperative (http://mnccc.org/) on October 30, 2019. The talk was given by SecurityStudio's CEO, Evan Francen, and focused on how local governments play a role in protecting all of us.
The document discusses how to properly invest in software security. It argues that fully securing software is impossible and unnecessary, and that the optimal approach is to find and fix bugs through practices like threat modeling, developer training, security testing, and bug bounties. The key is to train developers to write code that minimizes bugs and to have skilled hackers find and help remediate any issues.
This document provides an overview of Jay Tymchuk's career journey in information security. It discusses his education background in mathematics from Brock University and the Network and Enterprise Security Administration program from Mohawk College. It then outlines his various roles in tier 1, 2, and 3 security analysis and the skills and certifications he gained in each role. The document also provides recommendations for skills development, such as obtaining certifications, participating in labs, blogging, and networking in the information security community.
Presentation deck delivered to the Rochester ISSA chapter members as part of the SecurityStudio Roadshow on November 7th, 2019. This presentation explains the language problem we're fighting in the information security industry and contains a realistic call to action for all of us.
The document discusses the Secure Software Development Life Cycle (SSDLC) and provides recommendations for developers to integrate security into their processes. It recommends that developers understand common threats, perform penetration testing, implement logging of abnormal activity, secure all inputs and outputs, and consider security requirements throughout the entire development cycle from design to deployment. The document emphasizes that software security is important and is everyone's responsibility.
This document provides information about a secure web application development training course offered by Pivotal Security LLC. The training is customized for each client's development needs and covers topics like common vulnerabilities, authentication, authorization, cryptography, input handling, error handling, and logging. The course aims to help developers design and build secure applications. It is led by experts with experience at Microsoft and Honeywell and receives positive feedback from attendees.
Guidance on the required skills and industry certifications to become a successful information security professional.
First presented at Cloud Security World in Boston on June 15th, 2016. Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?
This is a presentation I have delivered to undergraduate students who are interested in cyber security and want to know the strategy to get into cyber security by preparing themselves during their undergraduate studies.
This document discusses network security and compares different generations (Gens) of security products. Gen V security is defined as being effective, efficient, and everywhere. Check Point is presented as providing Gen V security through real-time prevention innovations, an unparalleled sense of urgency in responding to vulnerabilities, proven security with third-party tests, no security shortcuts, and an efficient software-based architecture that allows security everywhere. Check Point is said to have the best security through these factors and fighting FUD with facts.
This document discusses common problems with how application security is implemented. It argues that software developers often lack security knowledge and focus on functionality over security. Security teams also lack development experience and focus on compliance over practical security. As a result, security is treated as an afterthought through ineffective practices like sole reliance on penetration testing. The document recommends a proper Secure Development Lifecycle approach involving security training, secure coding practices, testing and ongoing improvements.
ESET is a global cybersecurity company protecting over 180 countries with over 900 employees located across multiple headquarters and technology/research centers. ESET has seen continual growth in end user revenue and was ranked the 5th largest provider of endpoint security by worldwide revenue in 2011 and 2012. ESET's vision is to enable a secure digital world where everyone can enjoy technology to its full potential.
This document provides information for someone interested in becoming a security consultant. It describes the role of a security consultant as assessing software, networks, and systems for vulnerabilities while also recommending practical fixes. It recommends gaining experience in areas like web application security, network security assessment, or binary reverse engineering. The document provides many resources for learning such as books, online courses, capture the flag exercises, conferences, and recommends following security news on Twitter and Reddit. It encourages gaining hands-on experience and networking in the local security community.
This document discusses organizations operating with limited security resources, referred to as "living below the security poverty line." Key points include:
- Organizations below the security poverty line have little IT expertise, cannot follow through on long-term security recommendations, and prioritize outages over maintenance.
- They are dependent on third-party vendors and have limited control over configuration, architecture, and risk management decisions.
- Technical debt accrues as they rely on workarounds and default settings rather than proper configuration. Resources are shared between vendors, servers, code, and data.
- The business is often reluctant to invest in security until an attack occurs, leading security teams to take a "cover your ass"
What would you say if your boss came up to you and asked, "How secure are we?" It’s an apparently simple question, yet extremely difficult to answer. We posed this question to attendees of the Tenable ISE VIP Welcome Reception with T.E.N. the night before the launch of the RSA Conference 2015. Check out their answers here, or in video format at: http://bit.ly/how-secure
Security professionals featured in this slideshare: Chris Egaaen, Jennifer Graham, Jay Schwitzgebel, Steven Lodin, Rhonda Simmon, Tony Zirnoon, Christina Critzer, David Rooker, John Graham, Bill Olson, Alex Hutton, Kenneth Haertling, David Mortman, Greg Press, Ron Gula
Lviv IT Arena is a conference specially designed for programmers, designers, developers, top managers, investors, entrepreneurs and startuppers. Annually it takes place on 2-4 October in Lviv at the Arena Lviv stadium. In 2015 the conference gathered more than 1400 participants and over 100 speakers from companies like Facebook, FitBit, Mail.ru, HP, Epson and IBM. More details about the conference at itarene.lviv.ua.
The document discusses security as an important metric for businesses, products, and development lifecycles. It summarizes an upcoming security meetup in Lviv, Ukraine on November 14, 2015 focused on topics like securing web and mobile applications, hacking REST and JavaScript apps, investigations, reverse engineering, social engineering, and physical hacking. The meetup will include hands-on labs, collaboration, competitions, and talks from elite hackers and industry experts.
This deck goes through challenges with software security today, how we got to this position and best ways of addressing these challenges through the lens of 'positive security'.