AppSec Pipeline - Velcocity NY 2015

•Download as PPTX, PDF•

7 likes•2,017 views

Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.

Technology

Building an AppSec Pipeline:
Keeping your program, and
your life, sane
Aaron Weaver
Protiviti
Matt Tesauro
Pearson

Henry Ford: The sponsor of the
development of the assembly line

The Phoenix Project
3 Ways of DevOps
Strategies for Improving
Operations

#1 - Workflow
Look at your purpose and those
processes which aid it

#2 - Improve Feedback
Open yourself to upstream
and downstream information

#3 - Continual
Experimentation & Learning
Create a culture of innovation
and experimentation

Spending time
optimizing anything
other than the critical resource is
an illusion.

For AppSec
the critical resource is
the people.

Pipeline - Intake
▪ “First Impression”
▪Major categories of Intake
- Existing App
- New App
- Previously tested App
- App to re-test findings
▪Key Concepts
- Ask for data about Apps only once
- Have data reviewed when an App returns
- Adapt data collected based on broad
categories of Apps

Pipeline - Test
▪Inbound request triage
▪Ala Carte App Sec
- Dynamic Testing
- Static Testing
- Re-Testing mitigated findings
- Mix and match based on risk
▪Key Concepts
- Activities can be run in parallel
- Automation on setup, configuration, data
export
- People focus on customization rather than

Pipeline - Deliver
▪Source of truth for all AppSec Activities
▪ThreadFix is used to
- Dedup / Consolidate findings
- Normalize scanner data
- Generate Metrics
- Push issues to bug trackers
▪Report and metrics automation
- REST + tfclient
▪Source of many touch points with external
teams

Application Security Tools Orchestration
Automate Security Tooling

Integrating into the DevOps Pipeline
DevOps Pipeline AppSec Pipeline

Dev & AppSec Tool Integration
OWASP ZAP
Proxy
BuildManageCode Store
RAPTOR
Deploy
OWASP ZAP
Proxy
*Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.

Bag of Holding
aka BoH
github.com/PearsonEducation/bag-of-holding

What does BoH do?
▪Manages our Application Security Program
▪Application Repository
▪Engagement Tracking
▪Report Repository
▪Comments on any application, engagement or activity
▪Data Classification and PII data
▪Time taken on secure software activities
▪Historical knowledge of past assessments
▪Credential repository
▪Environment details

Scheduling of Secure Software Activities

Your command line where you have your conversations.

Threadfix Integration
And more:
Create an Application
Get Summary Metrics for
AppSec Program

BOH/Threadfix/Static Integration
Setup recurring static analysis in about 1 minute!

https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

Thanks!
Aaron Weaver
@weavera
aaron.weaver@owasp.org
aaron.weaver2@gmail.com
/in/aweaver
Matt Tesauro
@matt_tesauro
matt.tesauro@owasp.org
mtesauro@gmail.com
/in/matttesauro
github.com/mtesauro

What's hot

Taking AppSec to 11 - BSides Austin 2016

Matt Tesauro

DevOps AppSec Pipeline Velcocity NY 2015

Aaron Weaver

You’ve probably heard many talks about DevSecOps and continuous security testing but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool which has been used in real world companies to do real security work. Beyond a stand alone tool, the OWASP AppSec Pipeline provides numerous docker containers ready to automate, a specification to customize with the ability to create your own implementation and references to get you started. The talk will also cover how to add an AppSec Pipeline to your team’s arsenal and provide example templates of how best to run the automated tools provided. Finally, we’ll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather then hear about it, this talk is for you.

Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...

Matt Tesauro

Building a Secure DevOps Pipeline - for your AppSec Program

Matt Tesauro

OWASP DefectDojo - Open Source Security Sanity

Matt Tesauro

Any optimization outside the critical constraint is an illusion. In DevSecOps , the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and provide real world experiences of creating DevSecOps Pipeline’s augmented with automation in multiple enterprises. Getting started can feel overwhelming but this talk provides coverage of the fundamental building blocks of adding automation to an DevSecOps program including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example, customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.

Continuous Security: Using Automation to Expand Security's Reach

Matt Tesauro

DevOps, CLI, APIs, Oh My! Security Gone Agile

Matt Tesauro

This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered including increasing team throughput, engaging and supporting external teams, The idea is to give the audience a leg up on starting a DevSecOps program and allowing them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of DevSecOps quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a DevSecOps journey.

DevSecOps Fundamentals and the Scars to Prove it.

Matt Tesauro

Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls. My talk from Secure Coding Virtual Summit (2021-03-24)

Taking the Best of Agile, DevOps and CI/CD into security

Matt Tesauro

SecDevOps Risk Workflow - v0.6

Dinis Cruz

AppSec is Eating Security

Alex Stamos

OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images. This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.

OWASP WTE - Now in the Cloud!

Matt Tesauro

Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security: Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities Examples of security automation, case situations minimizing risk and driving flexibility for DevOps See how SaaS provider CloudPassage integrates security into its own development and operations workflows

SecDevOps: The New Black of IT

CloudPassage

You’re tasked with ‘doing AppSec’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools outputs for all your different apps? DefectDojo can be your one source of truth and become the heart of your AppSec automation program. DefectDojo grew out of a Product Security program 8 years ago and was created by AppSec people for AppSec people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers including its REST-based API. DefectDojo can be your one source of truth for discovered security vulnerabilities, report generation, aggregation of over 80 different security tools, inventory of applications, tracking testing efforts and metrics on the AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.

Intro to DefectDojo at OWASP Switzerland

Matt Tesauro

Automating OWASP Tests in your CI/CD

rkadayam

Succeeding-Marriage-Cybersecurity-DevOps final

rkadayam

Integrating DevOps and Security

Stijn Muylle

Security as Code: DOES15

Ed Bellis

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Nick Galbreath

"Turning TDD upside down - For bugs, always start with a passing test" - Common workflow on TDD is to write failed tests. The problem with this approach is that it only works for a very specific scenario (when fixing bugs). This presentation will present a different workflow which will make the coding and testing of those tests much easier, faster, simpler, secure and thorough' Presented at LSCC (London Software Craftsmanship Community) http://www.meetup.com/london-software-craftsmanship on sep 2016.

Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)

Dinis Cruz

What's hot (20)

Taking AppSec to 11 - BSides Austin 2016

DevOps AppSec Pipeline Velcocity NY 2015

Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...

Building a Secure DevOps Pipeline - for your AppSec Program

OWASP DefectDojo - Open Source Security Sanity

Continuous Security: Using Automation to Expand Security's Reach

DevOps, CLI, APIs, Oh My! Security Gone Agile

DevSecOps Fundamentals and the Scars to Prove it.

Taking the Best of Agile, DevOps and CI/CD into security

SecDevOps Risk Workflow - v0.6

AppSec is Eating Security

OWASP WTE - Now in the Cloud!

SecDevOps: The New Black of IT

Intro to DefectDojo at OWASP Switzerland

Automating OWASP Tests in your CI/CD

Succeeding-Marriage-Cybersecurity-DevOps final

Integrating DevOps and Security

Security as Code: DOES15

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)

Similar to AppSec Pipeline - Velcocity NY 2015

A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

Monitoring Application Attack Surface and Integrating Security into DevOps Pi...

Denim Group

Alten calsoft labs enterprise app store framework

Sandeep Vyas

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...

PROIDEA

Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“. AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.

Lessons from DevOps: Taking DevOps practices into your AppSec Life

Matt Tesauro

Wouldn’t it be good to know how your application or service is being used and is performing while its running live? It is essential to have more insights into the running application as the cycle time for delivering new features and releases speed up. We will cover how to detect, triage and diagnose different scenarios and provide the necessary input to quickly and correctly act to resolve situations. The focus is on web applications or services running on-premise or hosted in the cloud.

Performance monitoring in a DevOps World

Solidify

Developing Highly Instrumented Applications with Minimal Effort

Tim Hobson

Are you currently running at AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you’re catching vulnerabilities as early and often as possible? The AppSec team and the business created an AppSec Pipeline to handle the work flow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.

Building an AppSec Pipeline: Keeping your program, and your life, sane

weaveraaaron

Achieve AI-Powered API Privacy using Open Source

Gianluca Brigandi

There are a number of reasons to use source code to assist in web application penetration testing such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code. This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.

The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...

Denim Group

Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out. Two different interactions are examined: • How can knowledge of code make application scanning better? • How can application scan results be mapped back to specific lines of code? Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web applications scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific line of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is give to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...

Denim Group

Splunk Data Onboarding Overview - Splunk Data Collection Architecture

Splunk

[Wroclaw #5] OWASP Projects: beyond Top 10

OWASP

DevOps and Application Delivery for Hybrid Cloud - DevOpsSummit session

Sanjeev Sharma

Process Tempo + Neo4j API Security Brief

Neo4j

Splunk MINT and Stream Breakout

Splunk

This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology. Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams. This webinar provides an overview how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high visibility application security program.

Running a High-Efficiency, High-Visibility Application Security Program with...

Denim Group

DevOps : Integrate, Deliver and Deploy continuously with Visual Studio Team S...

BAINIDA

Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0

minseok kim

Far too often application security decisions are made in an ad hoc manner and based on little or no data. This leads to an inefficient allocation of scarce resources. To move beyond fear, uncertainty and doubt, organizations must adopt an approach to application risk management based on a structured process and quantitative data. This presentation outlines such an approach for organizations to enumerate all the applications in their portfolio. It then goes through background information to collect for each application to support further decision-making. In addition, the presentation lays out an application risk-ranking framework allowing security analysts to quantitatively categorize their application assets and then plan for assessment activities based on available budgets. This provides the knowledge and tools required for them to use the approach on the applications they are responsible for in their organization. Please email dan _at_ denimgroup dot com for a template spreadsheet and a how-to guide.

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

Denim Group

Measuring ROI and Driving Adoption of TAS in an Enterprise

VMware Tanzu

Similar to AppSec Pipeline - Velcocity NY 2015 (20)

Monitoring Application Attack Surface and Integrating Security into DevOps Pi...

Alten calsoft labs enterprise app store framework

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...

Lessons from DevOps: Taking DevOps practices into your AppSec Life

Performance monitoring in a DevOps World

Developing Highly Instrumented Applications with Minimal Effort

Building an AppSec Pipeline: Keeping your program, and your life, sane

Achieve AI-Powered API Privacy using Open Source

The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...

Splunk Data Onboarding Overview - Splunk Data Collection Architecture

[Wroclaw #5] OWASP Projects: beyond Top 10

DevOps and Application Delivery for Hybrid Cloud - DevOpsSummit session

Process Tempo + Neo4j API Security Brief

Splunk MINT and Stream Breakout

Running a High-Efficiency, High-Visibility Application Security Program with...

DevOps : Integrate, Deliver and Deploy continuously with Visual Studio Team S...

Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

Measuring ROI and Driving Adoption of TAS in an Enterprise

More from Matt Tesauro

You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tool outputs for all your different apps let alone shrink the pile of work already on your plate? In this talk, we’ll discuss the key decision points and requirements to set up a program that moves as fast as it needs to without your team burning out. Learn how to keep moving forward while keeping your sanity. After learning to be nimble from dealing with teams that are doing 75 production deployments per week, the surviving ideas have been distilled into a collection of tenants. We’ll cover: How to handle CI/CD tests versus traditional security assessments? How to best manage SLAs? How to keep data for auditors and regulatory requirements while also doing continuous testing? Understanding health checks versus continuous testing versus manual testing. How to deal with false positives, risk acceptances and the lifecycle of a security issue? By using these tenants, security assessments at one company grew from 44 to 414 in 2 years or 9.4 times all while losing some headcount. Time to turn chaos into calm and distress into success.

Tenants for Going at DevSecOps Speed - LASCON 2023

Matt Tesauro

From LASCON 2022: APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.

Hacking and Defending APIs - Red and Blue make Purple.pdf

Matt Tesauro

From ONUG Fall 2022: "Shift Left'' and automation have turned from ideals to meaningless buzzwords. Instead of riding the hype train, let's get real and cover practical and real-world examples taken from actual product security successes. Not every business is the same, neither will their DevSecOps program. In this talk, I'll cover the fundamentals of common to successful DevSecOps programs as well as a grab bag of useful techniques to consider. These are lessons learned doing AppSec at a wide variety of companies including Rackspace, Pearson, a fortune 500 financial, Duo Security and Cognizant Healthcare. Bruce Lee said "Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own". The goal of this talk is to provide you with enough examples to build your own pragmatic and practical DevSecOps program or maybe absorb a new technique or two into your existing program.

Practical DevSecOps: Fundamentals of Successful Programs

Matt Tesauro

APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.

Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities

Matt Tesauro

APIs seem simple. It's just one program talking to another program over a network. However, behind that seeming simplicity lies a complex landscape full of landmines, foot guns and sharp edges. How do you navigate the API terrain without exposing yourself to attack? This talk will cover the API landscape and point out where 'there be dragons'. If you don't have a large number of APIs, you will soon enough so do yourself a favor and follow the map provided in this talk.

Landmines in the API Landscape

Matt Tesauro

This is not your normal DevSecOps presentation. We’re going to take on the most difficult aspect of security automation, the dreaded and pitfall prone, dynamic testing. You want to shift left and automate all the things, but DAST specifically has many thorns. How do you ensure what you’re testing matches production? Do devs own the environment? On metal, docker, kubernetes, or docker-compose? Test coverage? Balancing all these elements and more is not easy. Especially if you want to create a single, scalable, standard for your entire org. In this talk, we’ll cover what is needed to start automating your dynamic security testing, how to navigate the trade-offs you’ll have to consider, and finally how best to fit automated DAST testing into your software delivery pipelines. We’ll discuss simple and easy steps to gain efficiency and how to scale to mature pipelines that require little to no human intervention.

The Final Frontier, Automating Dynamic Security Testing

Matt Tesauro

Running FaaS with Scissors

Matt Tesauro

Dev ops hackformers-matt-tesauro

Matt Tesauro

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin

Matt Tesauro

Testing at-cloud-speed sans-app-sec-austin-2013

Matt Tesauro

As the world of system and application deployment continues to change, the sys admin and security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional sys admin and security processes just don’t work. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. Rackspace has been developing a tool to help them design, deploy and security assess complex configurations for customers called Checkmate. This talk will cover the concepts behind and the architecture of Checkmate and how it helps minimize the time to deploy systems and verify they have been created to spec and in a secure state. A discussion of how Checkmate has inspired the concept of Test Driven Security based on the Test Driven Development model familiar to the development world.

DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012

Matt Tesauro

More from Matt Tesauro (11)

Tenants for Going at DevSecOps Speed - LASCON 2023

Hacking and Defending APIs - Red and Blue make Purple.pdf

Practical DevSecOps: Fundamentals of Successful Programs

Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities

Landmines in the API Landscape

The Final Frontier, Automating Dynamic Security Testing

Running FaaS with Scissors

Dev ops hackformers-matt-tesauro

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin

Testing at-cloud-speed sans-app-sec-austin-2013

DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012

Recently uploaded

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Manulife - Insurer Innovation Award 2024

The Digital Insurer

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Recently uploaded (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Data Cloud, More than a CDP by Matt Robison

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Manulife - Insurer Innovation Award 2024

A Year of the Servo Reboot: Where Are We Now?

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Top 10 Most Downloaded Games on Play Store in 2024

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Apidays New York 2024 - The value of a flexible API Management solution for O...

A Domino Admins Adventures (Engage 2024)

Artificial Intelligence: Facts and Myths

Scaling API-first – The story of a global engineering organization

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

AppSec Pipeline - Velcocity NY 2015

1. Building an AppSec Pipeline: Keeping your program, and your life, sane Aaron Weaver Protiviti Matt Tesauro Pearson

2. Henry Ford: The sponsor of the development of the assembly line

3. Assembly Lines

4. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations

5. #1 - Workflow Look at your purpose and those processes which aid it

6. #2 - Improve Feedback Open yourself to upstream and downstream information

7. #3 - Continual Experimentation & Learning Create a culture of innovation and experimentation

8. AppSec Pipelines

9. Spending time optimizing anything other than the critical resource is an illusion.

10. For AppSec the critical resource is the people.

11.

12. Our Pipeline

13. Pipeline - Intake ▪ “First Impression” ▪Major categories of Intake - Existing App - New App - Previously tested App - App to re-test findings ▪Key Concepts - Ask for data about Apps only once - Have data reviewed when an App returns - Adapt data collected based on broad categories of Apps

14. Pipeline - Test ▪Inbound request triage ▪Ala Carte App Sec - Dynamic Testing - Static Testing - Re-Testing mitigated findings - Mix and match based on risk ▪Key Concepts - Activities can be run in parallel - Automation on setup, configuration, data export - People focus on customization rather than

15. Pipeline - Deliver ▪Source of truth for all AppSec Activities ▪ThreadFix is used to - Dedup / Consolidate findings - Normalize scanner data - Generate Metrics - Push issues to bug trackers ▪Report and metrics automation - REST + tfclient ▪Source of many touch points with external teams

16.

17.

18. Application Security Tools Orchestration Automate Security Tooling

19. Integrating into the DevOps Pipeline DevOps Pipeline AppSec Pipeline

20. Dev & AppSec Tool Integration OWASP ZAP Proxy BuildManageCode Store RAPTOR Deploy OWASP ZAP Proxy *Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.

21. Bag of Holding aka BoH github.com/PearsonEducation/bag-of-holding

22. Minimal Viable Product

23. What does BoH do? ▪Manages our Application Security Program ▪Application Repository ▪Engagement Tracking ▪Report Repository ▪Comments on any application, engagement or activity ▪Data Classification and PII data ▪Time taken on secure software activities ▪Historical knowledge of past assessments ▪Credential repository ▪Environment details

24. Application Repository

25. Application Security Profile

26. Scheduling of Secure Software Activities

27. AppSec ChatOps aka Will

28. Your command line where you have your conversations.

29. AppSec Help

30. AppSec Advice

31. Threadfix Integration And more: Create an Application Get Summary Metrics for AppSec Program

32. BOH/Threadfix/Static Integration Setup recurring static analysis in about 1 minute!

33. https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

34. Thanks! Aaron Weaver @weavera aaron.weaver@owasp.org aaron.weaver2@gmail.com /in/aweaver Matt Tesauro @matt_tesauro matt.tesauro@owasp.org mtesauro@gmail.com /in/matttesauro github.com/mtesauro